Chapter 8 Β· Glossary

Key Terms: Deception & Disruption

Search and review 16 essential terms for honeypots, honeynets, honeyfiles, and honeytokens.

Honeypot
A decoy system intentionally designed to appear as a legitimate, valuable target in order to attract attackers and allow security teams to observe their behavior, tools, and techniques without risk to real systems.
Honeynet
A network of multiple honeypots combined with supporting infrastructure (routers, switches, firewalls) to simulate a complete operational environment. Provides richer intelligence than a single honeypot by enabling observation of multi-stage attack behavior.
Honeyfile
A decoy file placed within a system or network share that appears to contain sensitive information. Because no legitimate user should access it, any interaction immediately triggers a security alert. Classic example: a file named passwords.txt placed in a network share.
Honeytoken
A traceable piece of fake data embedded in a system to detect unauthorized access or data theft. Unlike honeypots or honeyfiles, a honeytoken is a small data artifact β€” an API key, an email address, a database record β€” that alerts security teams if it appears outside its expected environment.
Deception Technology
A category of proactive security tools and techniques that use decoys, traps, and fake data to mislead attackers, detect unauthorized activity, and gather threat intelligence. Includes honeypots, honeynets, honeyfiles, and honeytokens.
Disruption
In the context of cybersecurity deception, disruption refers to interfering with attacker operations β€” causing attackers to waste time, resources, and effort on fake systems and data rather than real targets.
Reconnaissance
The early phase of a cyberattack in which an attacker (or automated bot) gathers information about target systems β€” scanning for open ports, identifying services, testing default credentials. Honeypots are particularly effective at detecting and studying reconnaissance activity.
API Credentials (Honeytoken)
Fake API access keys and secret keys formatted to look legitimate but not registered with any real service. When an attacker attempts to use them, an alert fires. One of the most common types of honeytokens because API keys are highly attractive to attackers.
Canary Token
A specific type of honeytoken β€” a trap resource (URL, file, email address, API key) that "sings" (triggers an alert) when accessed or used. The term "canary" refers to the historical practice of using canaries in mines to detect danger. Canary tokens alert defenders the moment a breach occurs.
Threat Intelligence
Actionable knowledge about attack techniques, tools, threat actors, and vulnerabilities gathered from monitoring attacker behavior. Honeypots and honeynets are valuable sources of threat intelligence because they expose real attack methods in a controlled environment.
Credential Stuffing
An automated attack technique where large lists of stolen username/password combinations are systematically tested against login pages. Honeypots frequently detect and log credential stuffing attempts, revealing which credentials attackers are trying and how their tools operate.
Lateral Movement
An attacker technique where, after gaining initial access, the attacker moves through a network to reach additional systems. Honeynets are valuable for studying lateral movement because they let attackers "move" through fake systems while analysts observe each step.
Decoy
Any fake system, file, credential, or data artifact designed to mislead an attacker. All honeyXX techniques (honeypots, honeynets, honeyfiles, honeytokens) are forms of decoys.
Detection Evasion
Techniques used by attackers (or attack automation) to determine whether a system is a genuine target or a honeypot. This creates an arms race: as attackers improve evasion, defenders must make honeypots more realistic.
Alert / Alarm
A notification sent to a management station or security team when a honeyXX resource is accessed. Honeyfiles, honeytokens, and honeypots all rely on alert mechanisms to notify defenders the moment suspicious activity occurs.
Project Honeypot
A collaborative, open-source honeypot research project (projecthoneypot.org) that aggregates data from distributed honeypots around the internet. Provides a community-wide view of scanning activity, spam sources, and attacker behavior patterns.