2.2.6. Deception and Disruption Technology
💡 First Principle: Instead of just defending, deception technologies create fake targets that waste attacker time, reveal their techniques, and provide early warning with near-zero false positives. If an attacker touches something no legitimate user should touch, you've detected them.
Imagine a house with a fake safe in the living room. A burglar cracking the fake safe is time not spent finding the real one — and the moment it's touched, you know someone broke in.
Honeypot — a single decoy system designed to look like a real server or workstation. Interactions are logged and studied. Low-interaction honeypots simulate services; high-interaction ones run full operating systems.
Honeynet — a network of honeypots simulating an entire environment. More convincing than a single honeypot, it reveals lateral movement techniques.
Honeyfile — a fake document (e.g., "passwords.xlsx") placed where attackers look. If accessed or exfiltrated, it triggers an alert. Particularly effective against insider threats.
Honeytoken — a fake credential, API key, or database record that serves as a tripwire. If the token appears in use anywhere, it signals compromise. Lightweight, and can be scattered throughout real systems without infrastructure overhead.
DNS sinkhole — redirects malicious domain requests to a controlled server. When malware tries to contact its command-and-control server, the DNS sinkhole intercepts the request and redirects it, simultaneously blocking the communication and alerting security teams. Unlike honeypots, which wait passively, sinkholes actively disrupt ongoing attacks.
Practical deployment: Organizations typically start with honeytokens (easiest to deploy — just plant fake credentials in config files or databases) and honeyfiles, then scale to honeypots in high-value network segments. The key advantage of all deception technology is the extremely low false positive rate: no legitimate user should ever interact with a decoy. Any interaction is suspicious by definition.
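As an added illustration of the honeytoken tripwire described above (example code, not part of these notes): a small detector that scans constructed auth/API log lines for planted decoy identities and alerts on any use, successful or not. The token names, log format and config file path are assumptions.

```python
import re
import secrets
from dataclasses import dataclass

# Honeytoken registry (constructed for this example; the keys are placeholders, not real
# credentials). The value records where each decoy was planted, so a hit says what was read.
HONEYTOKENS = {
    "AKIA_HONEY_DEMO_00001": "fake cloud key in /opt/app/config.ini (assumed path)",
    "svc_backup_decoy": "decoy account row in the users table",
}

# Constructed sample auth/API log: "<timestamp> <source ip> <event> user=<id>|key=<id>"
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 auth_ok user=alice",
    "2024-05-01T10:00:07Z 203.0.113.9 auth_fail user=svc_backup_decoy",
    "2024-05-01T10:00:09Z 10.0.0.5 api_call key=AKIA_REALKEY_PLACEHOLDER",
    "2024-05-01T10:01:12Z 198.51.100.4 api_call key=AKIA_HONEY_DEMO_00001",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<event>\S+) (?:user|key)=(?P<ident>\S+)$")

@dataclass
class Alert:
    ts: str
    src_ip: str
    event: str
    token: str
    placement: str

def make_honeytoken(prefix: str) -> str:
    """Mint a unique decoy credential; one token per placement makes every hit attributable."""
    return f"{prefix}_{secrets.token_hex(8)}"

def scan_auth_log(lines, tokens=HONEYTOKENS):
    """Alert on every line whose identity is a planted decoy. The outcome (auth_ok/auth_fail)
    is ignored on purpose: a failed login with a decoy account is as telling as a success."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("ident") in tokens:
            alerts.append(Alert(m.group("ts"), m.group("src"), m.group("event"),
                                m.group("ident"), tokens[m.group("ident")]))
    return alerts

if __name__ == "__main__":
    for a in scan_auth_log(SAMPLE_LOG):
        print(f"HONEYTOKEN HIT {a.ts} from {a.src_ip}: {a.token} ({a.placement})")
```

Because the decoys grant nothing, every alert here is actionable: the placement string tells the responder which file or table was read and the source address tells them where to look next.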
⚠️ Exam Trap: Know the scope progression: honeytoken (single credential) → honeyfile (single document) → honeypot (single system) → honeynet (entire network). Match the right deception tool to the scenario's scale.
