Defense & Detection

Deception Technology: Honeypots and Canary Tokens

Updated Feb 13, 2026

Definition

Deception Technology involves deploying decoys (traps) within a network to trick adversaries into revealing their presence. These decoys—known as Honeypots—mimic legitimate assets (servers, files, databases) but have no real business value.

Purpose and Core Idea

The core idea is to increase the cost for the attacker and lower the "Dwell Time" (time to detection). Since no legitimate user should ever interact with a honeypot, any alert generated by it is, by definition, a high-fidelity positive.

Types of Deception

1. Low-Interaction Honeypots

  • Description: Simulates only open ports and basic services (e.g., a fake Telnet port).
  • Use Case: Detecting automated scanners and worms.
  • Example: Dionaea or T-Pot.

2. High-Interaction Honeypots

  • Description: A fully functional operating system designed to be compromised.
  • Use Case: Observing the attacker's behavior, TTPs, and keystrokes in real-time.

3. Canary Tokens (Honeytokens)

  • Description: A fake file (e.g., passwords.xlsx) or AWS key placed on a real workstation.
  • Mechanism: When the attacker opens the file or uses the key, it silently alerts the SOC.
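
For the AWS-key variant, the alert can be derived from audit logs. The sketch below is an added example, not part of the original entry: it scans CloudTrail-style JSON records for any use of a planted decoy key. The key IDs, log records and function name are constructed for illustration.

```python
import json

# Decoy key ID planted on a workstation (constructed; AWS's documented example ID).
DECOY_KEY_IDS = {"AKIAIOSFODNN7EXAMPLE"}

# Constructed CloudTrail-style records, one JSON object per line.
SAMPLE_LOG = "\n".join([
    '{"eventTime":"2026-02-13T09:14:02Z","eventName":"ListBuckets",'
    '"sourceIPAddress":"198.51.100.23","userIdentity":{"accessKeyId":"AKIAI44QH8DHBEXAMPLE"}}',
    '{"eventTime":"2026-02-13T09:20:41Z","eventName":"GetCallerIdentity",'
    '"sourceIPAddress":"203.0.113.77","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}',
    'truncated or non-JSON line',
    '{"eventTime":"2026-02-13T09:21:05Z","eventName":"ListUsers","errorCode":"AccessDenied",'
    '"sourceIPAddress":"203.0.113.77","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}',
    '{"eventTime":"2026-02-13T09:30:00Z","eventName":"ConsoleLogin",'
    '"sourceIPAddress":"192.0.2.10","userIdentity":{"type":"IAMUser"}}',
])

def find_honeytoken_hits(log_text, decoy_ids=DECOY_KEY_IDS):
    """Return one alert per record that used a decoy key.

    No threshold or allowlist is applied: no legitimate user holds the key,
    so a single use is an alert. Denied calls count too, because the attempt
    itself is the signal.
    """
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        identity = rec.get("userIdentity")
        key_id = identity.get("accessKeyId") if isinstance(identity, dict) else None
        if key_id in decoy_ids:
            alerts.append({
                "line": lineno,
                "time": rec.get("eventTime"),
                "event": rec.get("eventName"),
                "source_ip": rec.get("sourceIPAddress"),
                "denied": "errorCode" in rec,
            })
    return alerts

if __name__ == "__main__":
    for alert in find_honeytoken_hits(SAMPLE_LOG):
        print("HONEYTOKEN USED:", alert)
```
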

Mini Case Study: BlueKeep Watch

When the critical BlueKeep (RDP) vulnerability was announced, researchers deployed thousands of RDP honeypots globally.

  • The Intelligence: These honeypots captured the very first exploitation attempts, allowing CTI teams to extract the exploit code and generate YARA Rules before the attacks spread to corporate networks.

Usage in Real CTI Workflows

Deception is a key part of "Active Defense." It forces the adversary to move slowly and question every target, slowing their progress through the Cyber Kill Chain.
