Once inside the perimeter, attackers run automated scripts to map the network, find domain admins, and identify file shares. Traditional defenses are passive; deception technology (honeypots, canaries) actively lures and detects the attacker's reconnaissance.
A honeypot is a decoy system designed to look like a vulnerable server or database. Since no legitimate user should ever access it, any connection attempt is an immediate, high-fidelity alert of malicious intent.
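A minimal version of that idea in code, added here as an illustration rather than a tool the page describes: a low-interaction TCP decoy that accepts a connection, records who connected and what they sent first, closes, and never answers like a real service. The decoy name `fake-smb`, the loopback bind address and the `probe()` helper that plays the part of a scanner are all constructed for the demo.

```python
import json
import socket
import threading
import time
from datetime import datetime, timezone


def build_alert(peer, first_bytes, service="fake-smb"):
    """Turn one decoy connection into a structured alert.

    No legitimate client has any reason to reach a decoy, so every hit is
    reported at high severity with enough context for triage.
    """
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "decoy_service": service,
        "first_bytes_hex": first_bytes[:64].hex(),   # what the client sent, for fingerprinting
        "severity": "high",
        "reason": "connection to decoy; no legitimate client should reach this",
    }


class LowInteractionHoneypot:
    """Accept, read a few bytes, log, close. Nothing is ever executed or served."""

    def __init__(self, bind_addr="127.0.0.1", port=0, service="fake-smb", read_timeout=2.0):
        self.alerts = []
        self._lock = threading.Lock()
        self.service = service
        self.read_timeout = read_timeout
        self._running = False
        self._thread = None
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((bind_addr, port))      # port=0: let the OS pick (handy for tests)
        self._sock.listen(16)
        self._sock.settimeout(0.5)              # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]

    def _serve(self):
        while self._running:
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.settimeout(self.read_timeout)
            try:
                data = conn.recv(1024)          # capture the client's opening bytes only
            except (socket.timeout, OSError):
                data = b""
            finally:
                conn.close()                    # never hold a session open
            alert = build_alert(peer, data, self.service)
            with self._lock:
                self.alerts.append(alert)
            print(json.dumps(alert))            # stand-in for shipping to the SIEM

    def start(self):
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def stop(self):
        self._running = False
        self._sock.close()
        if self._thread:
            self._thread.join(timeout=3)

    def wait_for_alerts(self, n, timeout=3.0):
        """Block until n alerts exist (or timeout) and return a snapshot."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.alerts) >= n:
                    return list(self.alerts)
            time.sleep(0.05)
        with self._lock:
            return list(self.alerts)


def probe(port, payload=b"PROBE"):
    """Constructed stand-in for a scanner touching the decoy over loopback."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        c.sendall(payload)


if __name__ == "__main__":
    hp = LowInteractionHoneypot(port=0)
    hp.start()
    probe(hp.port)
    print(hp.wait_for_alerts(1))
    hp.stop()
```

The decoy binds to loopback here only so it runs anywhere; in a real deployment it sits on a decoy address in the segment you want to watch, with egress from that host blocked, which is the isolation point made later on this page.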
💡 Pro-tip: Deploy 'Honeytokens' (fake AWS keys, fake database rows) alongside honeypots. If a fake AWS key is used in an API call, you instantly know that wherever you planted that key, such as your CI/CD pipeline or code repository, has been compromised.
This command deploys a low-interaction honeypot that will automatically capture any malware binaries dropped via SMB or FTP exploits, providing threat intelligence.
Canary tokens are embedded in files (PDFs, Word docs) or folders. If the file is opened, moved, or uploaded to an external service, it 'phones home' to the canary server, alerting you to data exfiltration or unauthorized access.
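The detection side of both the honeytoken tip and the canary-file paragraph above, as an added example that is not code from the page: a registry maps each planted token to where it was placed, and two checkers look for those tokens in CloudTrail-style events (a honeytoken access key ID) and in web-server access logs (a canary document fetching its beacon URL when opened). The key IDs, the `/beacon/<token>/` URL layout, the log lines and the "planted in" locations are all constructed for the demo.

```python
import json
import re
from collections import namedtuple

# Registry of planted deception tokens: value -> where it was planted.
# Every value below is a constructed placeholder, not a real credential.
HONEYTOKENS = {
    "AKIAHONEYTOKEN000001": {"kind": "aws_key", "planted_in": "ci-runner .env"},
    "AKIAHONEYTOKEN000002": {"kind": "aws_key", "planted_in": "git repo backend/config"},
}
CANARY_TOKENS = {
    "c4n4ry-finance-q3": {"kind": "canary_doc", "planted_in": "finance share Q3-forecast.docx"},
}

Alert = namedtuple("Alert", "kind planted_in source detail")


def check_cloudtrail(event_json):
    """Return an Alert if a CloudTrail-style event used a honeytoken key, else None."""
    ev = json.loads(event_json)
    key_id = ev.get("userIdentity", {}).get("accessKeyId", "")
    meta = HONEYTOKENS.get(key_id)
    if not meta:
        return None
    detail = f'{ev.get("eventName")} via {ev.get("userAgent", "?")}'
    return Alert(meta["kind"], meta["planted_in"], ev.get("sourceIPAddress", "?"), detail)


# Combined-format access log: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
ACCESS_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)


def check_canary_beacon(log_line):
    """Return an Alert if an access-log line is a canary beacon fetch, else None.

    Assumed URL layout for the beacon server: /beacon/<token>/<anything>.
    """
    m = ACCESS_LOG.match(log_line)
    if not m:
        return None
    parts = m.group("path").split("/")
    if len(parts) < 3 or parts[1] != "beacon":
        return None
    meta = CANARY_TOKENS.get(parts[2])
    if not meta:
        return None
    return Alert(meta["kind"], meta["planted_in"], m.group("ip"), f'{m.group("ua")} at {m.group("ts")}')


def scan(lines):
    """Route each line to the right checker and collect alerts in log order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        hit = check_cloudtrail(line) if line.startswith("{") else check_canary_beacon(line)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample: one honeytoken use, one normal API call, one canary
# beacon (a document opened, fetching its embedded remote resource), one normal page view.
SAMPLE = """
{"eventName":"ListBuckets","sourceIPAddress":"203.0.113.9","userAgent":"aws-cli/2.15","userIdentity":{"accessKeyId":"AKIAHONEYTOKEN000002"}}
{"eventName":"GetObject","sourceIPAddress":"10.1.2.3","userAgent":"aws-sdk-go","userIdentity":{"accessKeyId":"AKIAREALPRODKEY00001"}}
198.51.100.7 - - [12/Mar/2024:09:14:02 +0000] "GET /beacon/c4n4ry-finance-q3/image.png HTTP/1.1" 200 43 "-" "Microsoft Office/16.0"
198.51.100.7 - - [12/Mar/2024:09:14:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for a in scan(SAMPLE.splitlines()):
        print(f"[{a.kind}] planted in '{a.planted_in}' touched from {a.source}: {a.detail}")
```

Because every token maps back to the exact place it was planted, the alert tells you which pipeline, repository or share the intruder reached, which is what makes these alerts actionable rather than just noisy.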
⚠️ Ensure honeypots are strictly isolated. A poorly configured honeypot can be used as a pivot point by the attacker to launch further attacks against the real production network.
| Deception | Trigger | Alert Type |
|---|---|---|
| Honeypot | Network Connection | Recon / Exploit Attempt |
| Honeytoken | API Usage / Git Clone | Credential Theft |
| Canary File | File Open / Read | Data Exfiltration |