Domain 1 · 1.2 Fundamental Security Concepts

1.2.7 Deception & Disruption Technology

Honeypot, Honeynet, Honeyfile, Honeytoken.

9 min

Deception & Disruption Technology → fake resources that look real, designed to deceive and detect attackers and gather TTPs.

The four "honey" assets

  • Honeypot → a single fake system / server / service
  • Any access = suspicious → logged
  • Honeynet → an entire fake network of honeypots
  • Studies lateral movement and attacker behavior
  • Honeyfile → a fake file with a tempting name
  • Examples: *Passwords.xlsx*, *Payroll.pdf*, *Confidential.docx*
  • Opening / copying it → alert
  • Honeytokenfake data / credentials (API keys, cookies, fake CC numbers)
  • Should never be used → if seen in logs → stolen data

Purpose

Not to block — to detect, monitor, and gather threat intel on attacks that would otherwise go unnoticed.

Exam shortcut

  • Honeypot → fake system
  • Honeynet → fake network
  • Honeyfile → fake file (alert on access)
  • Honeytoken → fake credential / record (alert on use)

Typical question cues

  • "Admin places *CEO Salaries.xlsx*" → Honeyfile
  • "Fake SSH server to analyze hackers" → Honeypot