Agent Skills: Performing Deception Technology Deployment

ID: plurigrid/asi/performing-deception-technology-deployment

Install this agent skill to your local

pnpm dlx add-skill https://github.com/plurigrid/asi/tree/HEAD/plugins/asi/skills/performing-deception-technology-deployment

Skill Files

plugins/asi/skills/performing-deception-technology-deployment/SKILL.md

Skill Metadata

Name: performing-deception-technology-deployment

Performing Deception Technology Deployment

When to Use

Use this skill when:

  • SOC teams need high-fidelity detection of post-compromise lateral movement with near-zero false positives
  • Existing detection tools miss advanced attackers who avoid triggering threshold-based alerts
  • The organization wants to detect credential abuse by planting fake credentials as honeytokens
  • Network segmentation gaps need compensating detection controls

Do not use as a replacement for fundamental security controls (patching, EDR, network segmentation) — deception is a detection layer, not a prevention mechanism.

Prerequisites

  • Network segments identified for honeypot/decoy deployment (server VLANs, DMZ, OT networks)
  • Deception platform (Thinkst Canary, Attivo/SentinelOne Hologram, or open-source alternatives)
  • SIEM integration for deception alerts (any interaction with deception assets is suspicious)
  • Active Directory access for honeytoken account and credential creation
  • Network team coordination for IP allocation and traffic routing

Workflow

Step 1: Map Attack Surface for Deception Placement

Identify high-value network segments where attackers would traverse:

```text
DECEPTION DEPLOYMENT MAP
━━━━━━━━━━━━━━━━━━━━━━━━
Segment              Decoy Type          Rationale
Server VLAN          Fake file server    Attackers enumerate SMB shares during recon
Database VLAN        Fake DB server      SQL scanning detected in past incidents
AD/DC Segment        Honeytoken account  Credential theft detection
Executive Subnet     Fake workstation    Targeted attacks pivot through exec systems
DMZ                  Honeypot web app    External attacker detection
OT Network           Fake PLC/HMI        Industrial threat detection
Cloud (AWS VPC)      Canary EC2 + S3     Cloud lateral movement detection
```

Step 2: Deploy Thinkst Canary Devices

Configure Canary devices mimicking real infrastructure:

Windows File Server Canary:

```json
{
  "device_name": "FILESERVER-BK04",
  "personality": "windows-server-2019",
  "services": {
    "smb": {
      "enabled": true,
      "shares": ["Finance_Backup", "HR_Archive", "IT_Docs"],
      "files": [
        {"name": "Q4_Revenue_2024.xlsx", "alert_on": "read"},
        {"name": "employee_ssn_export.csv", "alert_on": "read"},
        {"name": "admin_passwords.kdbx", "alert_on": "read"}
      ]
    },
    "rdp": {"enabled": true},
    "http": {"enabled": false}
  },
  "network": {
    "ip": "10.0.5.200",
    "hostname": "FILESERVER-BK04",
    "domain": "company.local"
  },
  "alert_webhook": "https://soar.company.com/api/webhook/canary"
}
```

Database Server Canary:

```json
{
  "device_name": "DB-ARCHIVE-02",
  "personality": "linux-mysql",
  "services": {
    "mysql": {
      "enabled": true,
      "port": 3306,
      "databases": ["customer_pii", "payment_archive"],
      "alert_on_login_attempt": true
    },
    "ssh": {
      "enabled": true,
      "port": 22,
      "alert_on_login_attempt": true
    }
  },
  "network": {
    "ip": "10.0.10.50",
    "hostname": "db-archive-02"
  }
}
```

Step 3: Deploy Honeytokens in Active Directory

Create fake privileged accounts that should never be used:

```powershell
# Create honeytoken service account
New-ADUser -Name "svc_sql_backup" `
    -SamAccountName "svc_sql_backup" `
    -UserPrincipalName "svc_sql_backup@company.local" `
    -Description "SQL Backup Service Account - DO NOT DELETE" `
    -AccountPassword (ConvertTo-SecureString "FakeP@ssw0rd2024!" -AsPlainText -Force) `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true

# Add to a group that looks attractive (but monitor for any use)
# Caution: membership in a real privileged group gives the decoy real rights if its
# password is stolen; pair it with a deny-logon policy or use a group that only looks privileged.
Add-ADGroupMember -Identity "Domain Admins" -Members "svc_sql_backup"

# Place cached credentials on decoy workstation
# (Mimikatz/credential dumping will find these)
cmdkey /add:fileserver-bk04.company.local /user:company\svc_sql_backup /pass:FakeP@ssw0rd2024!
```

Monitor honeytoken usage in Splunk:

```spl
index=wineventlog sourcetype="WinEventLog:Security"
(EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR EventCode=4768 OR EventCode=4769)
TargetUserName="svc_sql_backup"
| eval alert_severity = "CRITICAL"
| eval alert_message = "HONEYTOKEN ACCOUNT USED — Likely credential theft detected"
| table _time, EventCode, src_ip, ComputerName, TargetUserName, Logon_Type, alert_message
```
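The same detection carried out as standalone logic over constructed Windows Security events (an added example, not part of the skill): it normalizes the several forms an account name takes across these event IDs (upper case, DOMAIN\user, user@realm) before matching the decoy account, which a plain string match in the search would miss. The sample events are constructed.

```python
# Honeytoken account detector: any Security event naming a decoy account is
# an alert, whether the logon succeeded or failed.
HONEYTOKEN_ACCOUNTS = {"svc_sql_backup"}  # decoy account created in Step 3
# Event IDs from the Splunk search above and what each one indicates
EVENT_MEANING = {
    4624: "successful logon",
    4625: "failed logon",
    4648: "logon with explicit credentials (runas-style use of the decoy)",
    4768: "Kerberos TGT requested",
    4769: "Kerberos service ticket requested",
}

def normalize_account(name: str) -> str:
    """Strip DOMAIN\\ prefixes and @realm suffixes and lower-case the name:
    Windows account names are case-insensitive and appear in several forms."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.strip().lower()

def detect_honeytoken_use(events):
    """Return one CRITICAL alert per event that references a honeytoken account."""
    alerts = []
    for ev in events:
        code = int(ev.get("EventCode", 0))
        account = normalize_account(ev.get("TargetUserName", ""))
        if code not in EVENT_MEANING or account not in HONEYTOKEN_ACCOUNTS:
            continue
        alerts.append({
            "time": ev.get("_time"),
            "event_code": code,
            "meaning": EVENT_MEANING[code],
            "account": account,
            "src_ip": ev.get("IpAddress") or ev.get("src_ip"),
            "host": ev.get("ComputerName"),
            "severity": "CRITICAL",
            "message": "HONEYTOKEN ACCOUNT USED - likely credential theft",
        })
    return alerts

# Constructed sample events (not real telemetry): a normal user logon, a TGT
# request for the decoy in upper case, and a failed logon in DOMAIN\user form.
SAMPLE_EVENTS = [
    {"_time": "2024-03-15T14:20:01Z", "EventCode": 4624, "TargetUserName": "jsmith",
     "IpAddress": "192.168.1.105", "ComputerName": "DC01.company.local"},
    {"_time": "2024-03-15T14:23:07Z", "EventCode": 4768, "TargetUserName": "SVC_SQL_BACKUP",
     "IpAddress": "192.168.1.105", "ComputerName": "DC01.company.local"},
    {"_time": "2024-03-15T14:23:09Z", "EventCode": 4625, "TargetUserName": "COMPANY\\svc_sql_backup",
     "IpAddress": "192.168.1.105", "ComputerName": "FILESERVER-BK04.company.local"},
]
```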

Step 4: Deploy Canary Files and Documents

Plant tracked documents that beacon when opened:

Canary Document (Word doc with tracking):

```python
# Using Thinkst Canary API to create a canary token document
import requests

response = requests.post(
    "https://YOURCOMPANY.canary.tools/api/v1/canarytoken/create",
    data={
        "auth_token": "YOUR_API_TOKEN",
        "kind": "doc-msword",
        "memo": "Finance backup folder canary document",
        "flock_id": "flock:default"
    }
)
response.raise_for_status()  # fail loudly on a bad API token or server error
token = response.json()
download_url = token["canarytoken"]["canarytoken_url"]
print(f"Download canary doc: {download_url}")
# Place this document in honeypot SMB shares and sensitive directories
```

AWS Canary Token (S3 access key):

```python
# Create AWS canary token — alerts when access key is used
import requests

response = requests.post(
    "https://YOURCOMPANY.canary.tools/api/v1/canarytoken/create",
    data={
        "auth_token": "YOUR_API_TOKEN",
        "kind": "aws-id",
        "memo": "Canary AWS key in developer laptop .aws/credentials"
    }
)
response.raise_for_status()  # fail loudly on a bad API token or server error
aws_keys = response.json()
print(f"Access Key: {aws_keys['canarytoken']['access_key_id']}")
print(f"Secret Key: {aws_keys['canarytoken']['secret_access_key']}")
# Plant in .aws/credentials on developer workstations
```

Step 5: Integrate Deception Alerts with SIEM/SOAR

All deception alerts are high-fidelity — any interaction is suspicious:

Splunk Alert for Canary Triggers:

```spl
index=canary sourcetype="canary:alerts"
| eval severity = "CRITICAL"
| eval confidence = "HIGH — Deception asset triggered, zero false positive expected"
| table _time, canary_name, alert_type, source_ip, service, details
| sendalert create_notable param.rule_title="Deception Alert — Canary Triggered"
  param.severity="critical" param.drilldown_search="index=canary source_ip=$source_ip$"
```

SOAR Automated Response:

```python
import phantom.rules as phantom  # Splunk SOAR (Phantom) playbook API


def canary_triggered(container):
    """Auto-response for deception alerts — high confidence, no approval needed"""
    # Pull the source address from the alert artifact's CEF fields
    source_ip = phantom.collect2(container=container,
                                 datapath=["artifact:*.cef.sourceAddress"])[0][0]

    # Immediately isolate the source
    phantom.act("quarantine device",
                parameters=[{"ip_hostname": source_ip}],
                assets=["crowdstrike_prod"],
                name="isolate_attacker_host")

    # Block at firewall
    phantom.act("block ip",
                parameters=[{"ip": source_ip, "direction": "both"}],
                assets=["palo_alto_prod"],
                name="block_attacker_ip")

    # Create high-priority incident
    phantom.act("create ticket",
                parameters=[{
                    "short_description": f"DECEPTION ALERT: Canary triggered from {source_ip}",
                    "urgency": "1",
                    "impact": "1"
                }],
                assets=["servicenow_prod"])

    phantom.set_severity(container, "critical")
```
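An added triage step to run before the playbook's actions (example code, not from the skill; INTERNAL_NETWORKS and MAINTENANCE_SOURCES are assumed values, and the alert fields follow the Splunk table above). It separates internal sources, which an EDR can isolate, from external ones such as a leaked AWS canary key used from the Internet, which can only be blocked, and recognizes the scheduled realism traffic from Step 6 so the SOC's own traffic generator is not quarantined.

```python
# Deception-alert triage: choose the automated response by where the source
# sits, so the playbook does not try to isolate an endpoint it cannot reach.
import ipaddress

# Assumed organization ranges (the decoys above live in 10.0.x and 192.168.x).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Hypothetical allow-list of hosts that legitimately touch decoys, such as the
# scheduled realism traffic from Step 6 or an authorized vulnerability scanner.
MAINTENANCE_SOURCES = {"10.0.5.250"}

def plan_response(alert: dict) -> dict:
    """Map one canary alert (fields as in the Splunk table above) to SOAR actions.
    Internal sources get EDR isolation plus a firewall block; external sources,
    e.g. a leaked AWS canary key used from the Internet, can only be blocked."""
    src = ipaddress.ip_address(alert["source_ip"])
    plan = {"severity": "CRITICAL", "actions": [], "notes": []}
    if str(src) in MAINTENANCE_SOURCES:
        plan["severity"] = "LOW"
        plan["notes"].append("allow-listed deception-maintenance host; verify against its schedule")
        return plan
    if any(src in net for net in INTERNAL_NETWORKS):
        plan["actions"].append({"action": "quarantine device", "ip_hostname": str(src)})
    else:
        plan["notes"].append("external source: no managed endpoint to isolate")
    plan["actions"].append({"action": "block ip", "ip": str(src), "direction": "both"})
    plan["actions"].append({
        "action": "create ticket",
        "short_description": f"DECEPTION ALERT: {alert['canary_name']} triggered from {src}",
        "urgency": "1", "impact": "1",
    })
    return plan

# Constructed alerts: internal SMB access (as in the Output Format example),
# a leaked AWS canary key used from an external address, and realism traffic.
SAMPLE_ALERTS = [
    {"canary_name": "FILESERVER-BK04", "alert_type": "smb_share_access",
     "source_ip": "192.168.1.105", "service": "smb"},
    {"canary_name": "aws-canary-key", "alert_type": "aws_key_used",
     "source_ip": "203.0.113.45", "service": "aws"},
    {"canary_name": "FILESERVER-BK04", "alert_type": "smb_share_access",
     "source_ip": "10.0.5.250", "service": "smb"},
]
```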

Step 6: Maintain Deception Realism

Regularly update decoys to maintain believability:

  • Rotate honeytoken passwords quarterly (update cached credentials on decoy workstations)
  • Update canary file modification dates to appear recently accessed
  • Add realistic network traffic to honeypots (scheduled SMB enumeration, DNS lookups)
  • Register honeypot hostnames in DNS and Active Directory to appear in network scans
  • Update canary document contents to match current business context

Key Concepts

| Term | Definition |
|------|------------|
| Honeypot | Decoy system mimicking real infrastructure to attract and detect attackers in the network |
| Honeytoken | Fake credential, file, or data record that triggers an alert when accessed or used |
| Canary | Lightweight deception device or token that alerts on any interaction (Thinkst Canary platform) |
| Breadcrumb | Planted artifact (cached credential, bookmark, config file) leading attackers to deception assets |
| High-Fidelity Alert | Detection signal with near-zero false positive rate because no legitimate user should interact with deception assets |
| Decoy Network | Set of interconnected honeypots simulating a realistic network segment to observe attacker TTPs |

Tools & Systems

  • Thinkst Canary: Commercial deception platform offering hardware/virtual canaries and canary tokens
  • Canarytokens.org: Free honeytoken generation service (DNS, HTTP, AWS keys, Word docs, SQL queries)
  • Attivo Networks (SentinelOne): Enterprise deception platform with AD decoys and endpoint breadcrumbs
  • HoneyDB: Community honeypot data aggregation platform for threat intelligence sharing
  • T-Pot: Open-source multi-honeypot platform combining 20+ honeypot types in a Docker deployment

Common Scenarios

  • Lateral Movement Detection: Attacker enumerates SMB shares and accesses honeypot file server — immediate high-fidelity alert
  • Credential Theft Discovery: Mimikatz dumps honeytoken cached credentials — usage of fake account triggers alert
  • Cloud Key Compromise: Stolen AWS canary token used from external IP — detects supply chain or insider compromise
  • Ransomware Early Warning: Ransomware encrypts canary files on honeypot shares — early detection before production systems affected
  • Insider Threat Signal: Employee accesses honeypot "salary database" — indicates unauthorized data exploration

Output Format

```text
DECEPTION ALERT — CRITICAL
━━━━━━━━━━━━━━━━━━━━━━━━━━
Time:         2024-03-15 14:23:07 UTC
Canary:       FILESERVER-BK04 (10.0.5.200)
Service:      SMB — File share "Finance_Backup" accessed
Source:       192.168.1.105 (WORKSTATION-042, Finance Dept)
User:         company\jsmith
File Accessed: Q4_Revenue_2024.xlsx (canary document)

Alert Confidence: HIGH — No legitimate reason to access deception asset
False Positive Likelihood: <1%

Automated Response:
  [DONE] WORKSTATION-042 isolated via CrowdStrike
  [DONE] 192.168.1.105 blocked at firewall (bidirectional)
  [DONE] Incident INC0012567 created (P1 — Critical)
  [PENDING] Tier 2 investigation — determine if workstation compromised or insider threat
```