Chapter 8 Β· Quiz

Deception & Disruption Quiz

8 questions: multiple choice, matching, analysis, and evaluation. Grade when done.

1. What is the PRIMARY purpose of a honeypot?
Correct answer: B β€” A honeypot's purpose is to attract attackers (or automated bots) and let security teams observe their behavior, tools, and techniques β€” not to block them or protect data directly.
2. What distinguishes a honeynet from a honeypot?
Correct answer: C β€” A honeynet combines multiple honeypots with supporting infrastructure (routers, switches, firewalls) to simulate a complete, believable network environment.
3. A file named passwords.txt is placed in a shared network folder. It contains only fake credentials. An alert fires whenever anyone opens it. This is an example of:
Correct answer: C β€” A honeyfile is a decoy file placed to detect unauthorized access. Any interaction triggers an alert, because no legitimate user should open it.
4. An organization places fake AWS API credentials in a configuration file inside a decoy system. When those credentials are used, an alert fires. What type of deception is this?
Correct answer: D β€” Fake API credentials are a classic honeytoken β€” a small, traceable piece of fake data that triggers detection when used. They do not provide actual access; they exist solely to detect unauthorized activity.
5. What ongoing challenge do honeypot administrators face that Prof. Messer specifically highlights?
Correct answer: C β€” The constant battle to make decoys realistic is the core challenge. As defenders improve honeypot realism, attackers improve detection evasion β€” creating an ongoing arms race.
6. Matching β€” Select the correct description for each deception technique.

TECHNIQUE

Honeypot
Honeynet
Honeyfile
Honeytoken

DESCRIPTION

Network of multiple decoy systems simulating a full infrastructure
Traceable piece of fake data (API key, email, database record)
Single decoy system designed to attract and trap attackers
Decoy file that triggers an alert when accessed
7. Analysis: A security team deploys only a single honeypot server. What is the primary limitation of this approach compared to deploying a honeynet?
Model Answer: A single honeypot provides limited intelligence β€” it can only show how an attacker interacts with one isolated system. It cannot reveal lateral movement patterns, privilege escalation paths, or multi-stage attack sequences that span multiple systems.

A honeynet simulates a complete network (servers, routers, workstations, firewalls), making it appear far more realistic and keeping attackers engaged much longer. This reveals their full tradecraft β€” how they move between systems, where they escalate privileges, what data they stage for exfiltration, and how they communicate with command-and-control servers.

Key exam point: More infrastructure = more realism = more time spent = more intelligence gathered.
8. Evaluation: A CISO argues that honeypots are unnecessary because the company already has a firewall and an IDS. Evaluate this position. Are deception techniques redundant with traditional controls?
Model Answer: The CISO's position is incorrect. Deception techniques are complementary to β€” not redundant with β€” traditional controls. A firewall blocks known-bad traffic, and an IDS alerts on known attack signatures. But neither provides threat intelligence about attacker tools, techniques, and behavior.

Honeypots and honeynets add a fundamentally different capability: the ability to observe and learn from attackers in real time. They reveal zero-day exploits, novel credential-stuffing wordlists, C2 communication patterns, and lateral movement techniques β€” all before those methods are used against real systems.

Additionally, if an attacker bypasses the firewall and IDS (which sophisticated attackers often do), honeypots provide a last-resort detection layer. Traditional controls say "block and alert." Deception says "let them in here, watch what they do."

Verdict: Deception adds detection and intelligence capability that no blocking control can provide.