Security Operations Glossary

Deception Technology (Honeypot / Honeynet)

An umbrella term for all deception-based security controls: honeypots (individual systems), honeynets (entire fake networks), and honeytokens (fake credentials, fake files). Difference from the honeypot entry: Deception Technology describes the overall concept and enterprise platforms; for implementation details, see honeypot-deception.

Deception Technology turns the tables: Instead of merely blocking attacks, attackers are actively deceived and monitored. Every interaction with a honeypot serves as a highly reliable warning signal—because legitimate users have no reason to access fake assets.

The Basic Concept

  • Real Network: Server A, Server B, Workstation C (production)
  • With Deception: additionally Honeypot X, Honeytoken Y, Fake Credential Z

Behavior:

  • Legitimate user: accesses Server A/B and Workstation C → no alert
  • Attacker (internal): searches the network → finds Honeypot X → immediate alert

The key advantage: Zero false positives. No production employee ever has reason to interact with a honeypot.

Types of Deception Assets

Honeypots (Single Systems)

Low-Interaction Honeypots:

  • Simulate services (SSH, RDP, SMB, HTTP)
  • Highly scalable, low risk
  • Examples: Cowrie (SSH), Dionaea (malware samples)

High-Interaction Honeypots:

  • Full VMs that simulate real systems
  • Collect detailed attack data
  • More dangerous—attacker could break out

Context Honeypots:

  • Fake domain controllers: Detect attackers attempting Kerberoasting or DCSync
  • Fake database servers: Detect SQL injection attempts and credential misuse
  • Fake SharePoint/file shares: Detect ransomware distribution and data exfiltration

Honeytokens (Digital Bait)

Honeytokens are fake digital assets that trigger an alert when used:

  • Fake credentials: an account such as admin_backup, with its password planted in a password file on the server. The credential does not work, but every login attempt immediately triggers an alert
  • Fake AWS keys: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7HONEYTK placed in a Git repo or AWS config file; any use triggers a CloudTrail alert (AWS detects fake keys)
  • Fake API tokens in code: a commented-out key in old code; if someone uses this key, an intruder is in the repo/system
  • Microsoft Word documents: Q4_Confidential_Budget.docx sends an HTTP request when opened; if an attacker opens the file, the IP and timestamp are logged

Honeynets

Entirely fake network segments:

  • Multiple honeypots that together form a realistic network
  • Attackers spend time in the honeynet – real systems remain secure
  • High-quality attack data for threat intelligence

Enterprise Deception Platforms

Vendor                              | Approach                 | Key Feature
------------------------------------|--------------------------|------------------------
Attivo Networks (now SentinelOne)   | AD deception, endpoint   | Integration with EDR
Illusive Networks                   | Credential deception     | Fake credentials everywhere
Thinkst Canary                      | Simple honeytokens       | Very affordable, simple
Cymmetria                           | Honeypot farms           | Automatic deployment
Acalvio                             | AI-driven deception      | Adaptive decoys

Easy Start: Canarytokens

canarytokens.org offers free honeytokens. Available token types:

  • Web bug (URL): Embedded in a document—opening it triggers an alert
  • DNS token: Alert upon DNS query
  • AWS API key: Alert if someone uses the keys
  • MS Word document: Opening it sends a notification
  • QR code: Alert if scanned

Corporate use cases:

  • Fake AWS keys in .env files (which are never actually used)
  • Confidential_Report.docx on file server as a trap
  • Fake SSH keys in authorized_keys on critical servers

Deception in Active Directory

AD is the most common target. Specific AD honeytokens:

# Create a fake service account (Kerberoasting trap). The account must be enabled so the
# KDC issues service tickets for it; give it a long random password so the ticket cannot be cracked.
New-ADUser -Name "svc_backup_legacy" `
           -SamAccountName "svc_backup_legacy" `
           -Description "Legacy backup service account" `
           -AccountPassword (Read-Host -AsSecureString "Decoy password (long and random)") `
           -PasswordNeverExpires $true `
           -Enabled $true
# NEVER use this account for production purposes
# Login attempts on this account → immediate alert (e.g. events 4625/4768/4771 naming the account)

# Set a fake SPN (Kerberoasting bait)
Set-ADUser svc_backup_legacy -ServicePrincipalNames @{Add="cifs/dc01-legacy.corp.local"}
# Kerberoasting against this SPN → alert (event 4769 with ServiceName svc_backup_legacy)

Operational Value

Early Detection: Attackers engaging in lateral movement almost always encounter honeytokens before reaching their target.

Threat Intelligence: Which credentials is the attacker trying? Which domains? Which tools? → Valuable IoCs.

Low Maintenance: Unlike SIEM rules, honeytokens require little maintenance—once deployed, they remain active.

Compliance Argument: NIS2 Art. 21 requires "detection and monitoring"—deception technology fulfills this with minimal false positives.