What is a honeypot?
A decoy system intentionally designed to appear as a legitimate, valuable target in order to attract attackers and allow security teams to observe their behavior without risk to real systems.
What is a honeynet?
A network of multiple honeypots combined with supporting fake infrastructure (servers, workstations, routers, switches, firewalls) to simulate a complete operational environment and study complex attacks.
What is a honeyfile?
A decoy file placed in a system or network share that appears sensitive or valuable. Because no legitimate user should access it, any interaction immediately triggers a security alert. Example: passwords.txt in a shared folder.
What is a honeytoken?
A traceable piece of fake data embedded in a system to detect breaches. Can be an API key, email address, database record, cookie, or web pixel. If it appears outside its expected environment, a breach is confirmed.
In most honeypot deployments, who is the "attacker"?
Usually an automated system β a bot or malware performing reconnaissance. Honeypots are valuable for studying these automated attack patterns, even when no human attacker is directly involved.
What is the key ongoing challenge with honeypots?
The arms race between defenders and attackers: attackers develop methods to detect whether a system is a honeypot (checking for virtualization artifacts, timing anomalies, etc.), so defenders must constantly make honeypots more realistic.
Why place a file named passwords.txt in a network share?
It's a classic honeyfile. The name makes it irresistible to attackers exploring a network. No legitimate user should ever open it β so any access is an automatic red flag that triggers an alert.
What happens when a honeyfile is accessed?
An alert or alarm is sent to a management station, notifying administrators that someone is accessing the decoy file. This signals unauthorized activity in the file system β the "virtual bear trap" has been triggered.
How do API credential honeytokens work?
Fake API keys formatted like real credentials are embedded in decoy systems. They do not provide actual access β but if anyone tries to use them, a notification fires. This reveals that an attacker found and attempted to use the credentials.
How do fake email honeytokens work?
Decoy email addresses are embedded in internal directories or contact lists and monitored on the internet. If they appear in spam campaigns, breach dumps, or external systems, it confirms the internal data was stolen and reveals when and how it was distributed.
Name five types of honeytokens.
1. API credentials (fake keys)
2. Email addresses (decoy accounts)
3. Database records (fake rows with traceable values)
4. Browser cookies (tracking identifiers)
5. Web page pixels (invisible tracking images)
What is Project Honeypot?
A collaborative, open-source honeypot research project at projecthoneypot.org that aggregates data from distributed honeypots around the internet, providing community-wide visibility into scanning activity and attacker behavior patterns.
Why is a honeynet more valuable than a single honeypot?
A honeynet simulates a complete network β attackers spend more time exploring it and reveal more of their tradecraft. Security teams can observe lateral movement, privilege escalation, and multi-stage attack patterns that are invisible in a single-system honeypot.
What intelligence can honeypots and honeynets provide?
Attack techniques and tools used, credential lists being tested, exploit methods, lateral movement paths, command-and-control (C2) server locations, timing patterns, and identification of threat actor groups β all gathered without risking real systems.
What is the difference between deception and disruption in cybersecurity?
Deception = misleading attackers with fake systems and data (honeypots, honeyfiles, honeytokens). Disruption = interfering with attacker operations, causing them to waste time and resources. Both are proactive strategies that complement traditional blocking controls.
What does it mean that honeyfiles are "no one's business"?
In a properly configured environment, no legitimate user has any reason to open a honeyfile. This is what makes them such precise detectors β there are no false positives from authorized users. Any access is 100% suspicious by definition.