Chapter 8 Β· Tricks & Performance

Trick Questions & Performance Tasks

Classic exam traps, subtle distinctions, and performance tasks for Deception & Disruption. Think before you reveal.

Trick 1: "A honeypot blocks attackers from accessing real systems."
True or False β€” and why?
FALSE β€” and this is a major exam trap.

A honeypot does not block attackers. It attracts them. The goal is to keep attackers occupied in a fake environment, not to deny them access.

Blocking is the job of firewalls, IDS/IPS, and access controls. A honeypot's value is detection and intelligence gathering, not prevention. If you see "honeypot" paired with "blocks" or "prevents" on the exam β€” that's wrong.

Memory hook: Honey attracts; it doesn't repel. A "NO TRESPASSING" sign blocks. A honeypot is a sticky trap β€” it lets the attacker in and keeps them busy.
Trick 2: "The 'attacker' trying to access a honeypot is usually a human hacker."
True or False β€” and why?
FALSE β€” in most cases, it's an automated bot.

Prof. Messer explicitly states that "the attacker is probably a machine." Automated bots perform reconnaissance across the internet 24/7, scanning millions of IP addresses per day. Most honeypot interactions come from these automated systems, not human threat actors sitting at a keyboard.

This doesn't make honeypots less valuable β€” studying bot behavior tells you what tools, exploits, and credential lists attackers are using. But don't assume honeypots only catch human attackers.

Exam implication: If a question asks what honeypots detect, "automated reconnaissance" is always a valid answer.
Trick 3: "A honeytoken is just a smaller version of a honeyfile."
How are they actually different?
They are fundamentally different in what they detect.

A honeyfile detects access β€” someone opened a file they shouldn't have. It alerts when touched.

A honeytoken detects exfiltration and use β€” someone stole data and then used it elsewhere. A honeytoken API key triggers only when someone tries to authenticate with it. A fake email address triggers only when it appears on the internet. The honeytoken travels with the stolen data.

Key distinction: Honeyfiles alert at the point of access (inside your network). Honeytokens can alert from anywhere β€” including when stolen data is used on the internet weeks later. Honeytokens are the only deception technique that can confirm external data distribution.
Trick 4: "If an attacker uses the fake API credentials found in a honeynet, they will gain access to the real cloud account."
True or False?
FALSE β€” honeytoken credentials do not provide actual access.

This is a critical point from Prof. Messer: API credential honeytokens look real but are completely fake. They have the correct format and length, but they are not registered with any real service. When an attacker tries to use them, the authentication fails β€” but the attempt triggers an alert that reveals the attacker's location and tooling.

This is what makes honeytokens safe to deploy. There is no risk that an attacker who steals a honeytoken gains actual capability β€” they gain only false confidence that they have working credentials.

Exam version: "Honeytoken API credentials provide access when used" β†’ False. They provide detection.
Trick 5: What happens if a legitimate employee accidentally opens a honeyfile?
Does this mean honeyfiles generate false positives?
It depends on how the honeyfile is deployed β€” but properly designed, they should generate almost no legitimate false positives.

The entire premise of a honeyfile is that no legitimate user has any reason to open it. If a honeyfile is placed in a path no employee accesses, and named something an employee would not accidentally stumble on in the course of legitimate work, false positives are extremely rare.

If employees are accidentally triggering honeyfile alerts, it's a sign of poor honeyfile placement (too accessible, too ambiguously named) β€” not a fundamental flaw in the concept.

Best practice: Place honeyfiles in locations and with names that are attractive to attackers doing reconnaissance but would never come up in normal workflows. "passwords.txt" in an admin share fits; "readme.txt" in a shared documents folder does not.
Performance Task: You are a security analyst at a healthcare organization. Management wants to improve threat detection without purchasing additional blocking tools. Design a deception strategy using all four techniques (honeypot, honeynet, honeyfile, honeytoken). Describe what each component does and how they complement each other.
Model Answer:

1. Honeypot β€” First contact detection: Deploy a single decoy server on the network segment with the same IP range as production systems. Configure it to simulate a patient records application. Any scan or connection attempt fires an alert. This catches early-stage reconnaissance before an attacker finds anything real.

2. Honeynet β€” Deep intelligence gathering: Build a full fake network segment β€” decoy EHR server, fake Active Directory controller, fake workstations. Place it adjacent to where attackers would look after initial access. When an attacker moves into the honeynet, let them explore for days. Log every command, every lateral move, every credential attempt. This reveals attack techniques specific to healthcare environments (targeting EHR systems, DICOM servers, etc.).

3. Honeyfiles β€” File system detection: In the honeynet's file server, place honeyfiles named "patient_SSN_master.xlsx," "admin_passwords.txt," and "backup_credentials.csv." Alert fires the moment any file is touched. This identifies exactly when the attacker reaches the data layer.

4. Honeytokens β€” Exfiltration detection: Embed fake API credentials for the (fake) EHR API throughout the honeynet config files. Add twenty fake patient email addresses to the honeynet's patient directory. Monitor both externally. If the credentials are used, or the emails appear in a phishing campaign, the organization learns the attacker exfiltrated data β€” even if the breach was not caught in real time.

How they complement: Honeypot catches early entry. Honeynet generates deep intelligence. Honeyfiles detect lateral exploration of the file system. Honeytokens detect exfiltration and confirm breaches after the fact. Together, they provide detection at every stage of the attack lifecycle β€” without modifying or risking any real system.