Deception Technology
Honeypots, honeynets, decoys, and deception-based detection.
Overview
Deception technology plants decoys (systems, files, credentials) that have no legitimate use, so any interaction with them is a high-confidence sign that an attacker is present.
Deception Types
| Type | Description |
|---|---|
| Honeypot | Fake system or service with no production purpose, so any connection to it is suspicious |
| Honeynet | Network of honeypots that imitates a real network segment |
| Honeyfile | Decoy files whose access is monitored |
| Honeytoken | Fake credentials planted so that their use reveals a compromise |
Honeypot Implementation
```python
# Simple SSH honeypot (sketch). Conch itself authenticates through a
# twisted.cred portal; the page's log_attempt/FakeShell helpers, which the
# original left undefined, are given minimal definitions here.
import logging
from twisted.conch import avatar

def log_attempt(username, password):
    # Every credential the attacker tries is the honeypot's signal: record it.
    logging.warning("honeypot login attempt user=%r password=%r", username, password)

class FakeShell:
    """Placeholder interactive shell shown to the attacker after 'login'."""

class HoneypotSSH(avatar.ConchUser):
    def __init__(self, username):
        avatar.ConchUser.__init__(self)
        self.username = username

    def login(self, credentials):
        # Log credentials
        log_attempt(self.username, credentials.password)
        # Fake response: always "succeed" so the attacker keeps interacting
        return {"success": True, "shell": FakeShell()}
```
Honeynet Architecture
Architecture Diagram
```
┌──────────────────────────────────────┐
│               Honeynet               │
├──────────────────────────────────────┤
│ Web Server │  Database  │    Mail    │
│ (honeypot) │ (honeypot) │ (honeypot) │
├──────────────────────────────────────┤
│              Monitoring              │
│       (IDS, logging, alerting)       │
└──────────────────────────────────────┘
```
Honeytokens
```python
# Create honeytoken: a credential that no legitimate user or system ever uses
import logging
import secrets

def generate_weak_password():
    # Plausible-looking password so the decoy is believed and tried
    return f"Backup{secrets.randbelow(10000):04d}!"

def create_honeytoken():
    return {
        "username": "admin_backup",
        "password": generate_weak_password(),
        "email": "admin_backup@example.com",
    }

# Monitor for use; check/alert/capture are deployment-specific hooks, stubbed minimally here
def check_login_attempt(username, auth_log): return username in auth_log
def alert(message): logging.critical(message)
def capture_attacker_info(): pass

def monitor_honeytoken(token, auth_log):
    if check_login_attempt(token["username"], auth_log):  # token is a dict, not an object
        alert("Honeypot triggered!")
        capture_attacker_info()
```
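Running the monitoring idea above over real-looking log data, as an added example that is not part of the original page: it scans constructed sshd-style auth lines (sample data, not from any real system) for authentication events naming the honeytoken account and returns alerts plus the source addresses involved. The log format, regex and helper names are assumptions.

```python
import re
from dataclasses import dataclass

# Honeytoken: a decoy account that no legitimate user or system ever logs in as.
HONEYTOKEN = {"username": "admin_backup", "email": "admin_backup@example.com"}

# Constructed sshd-style auth log lines (not real data) for the demonstration.
AUTH_LOG = """\
Mar 12 09:14:02 web1 sshd[2211]: Accepted publickey for deploy from 10.0.1.5 port 51022 ssh2
Mar 12 09:16:40 web1 sshd[2290]: Failed password for admin_backup from 203.0.113.7 port 40122 ssh2
Mar 12 09:16:44 web1 sshd[2290]: Failed password for admin_backup from 203.0.113.7 port 40122 ssh2
Mar 12 09:17:01 web1 sshd[2301]: Failed password for invalid user test from 198.51.100.9 port 3344 ssh2
Mar 12 09:18:13 web1 sshd[2355]: Accepted password for admin_backup from 203.0.113.7 port 40130 ssh2
"""

# Assumed sshd message layout; adjust for other auth sources.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

@dataclass(frozen=True)
class HoneytokenAlert:
    timestamp: str
    username: str
    source_ip: str
    result: str  # "Accepted" or "Failed": either one is a compromise indicator

def scan_auth_log(log_text, token):
    """Return one alert per auth event that references the honeytoken username.

    The account is never used legitimately, so a failed attempt means the decoy
    credential has leaked and an accepted login means it is being actively used.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("user") == token["username"]:
            alerts.append(HoneytokenAlert(m.group("ts"), m.group("user"),
                                          m.group("src"), m.group("result")))
    return alerts

def attacker_sources(alerts):
    """Distinct source IPs to hand to incident response, in first-seen order."""
    return list(dict.fromkeys(a.source_ip for a in alerts))

if __name__ == "__main__":
    for a in scan_auth_log(AUTH_LOG, HONEYTOKEN):
        print(f"ALERT honeytoken used: {a.result} login as {a.username} "
              f"from {a.source_ip} at {a.timestamp}")
```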
Detection Value
| Metric | Impact |
|---|---|
| Early detection | Intruder is caught before real assets are reached |
| High fidelity | Low false positives, since decoys have no legitimate use |
| Attacker insight | Discovery of attacker TTPs |
| Dwell time | Cut to near zero, since any decoy interaction is detected immediately |
Best Practices
- Realistic decoys: match the environment
- Strategic placement: high-value locations
- Comprehensive monitoring: all interactions
- Quick response: immediate alerting
- Regular updates: keep decoys fresh
Practice
Deploy a honeypot network to detect unauthorized access.