What Are Honeypots and Honeytokens in Cybersecurity?

By: Charles Brandt
May 24, 2024

Companies these days are setting up multiple levels of defense in their cybersecurity programs, from advanced firewalls and multi-factor authentication (MFA) to next-generation anti-virus software on all devices. All of these safeguards are designed to prevent attackers from successfully getting into their systems.

But what additional steps can companies take to identify when they are actively being targeted, or worse, to detect when a malicious hacker has broken their first-line defenses and is now snooping around their environment? One choice is to begin exploring “deceptive defense” tactics, such as honeypots and honeytokens. In this blog, I’ll explore what these terms mean, how they’re commonly used, and the precautions you should take before trying them out. 

What Are Honeypots in Security?

In cybersecurity, a honeypot is essentially a decoy designed to lure potential attackers away from your valuable systems and data. It’s configured to look like a normal part of a network or system, but it has absolutely zero production value and is completely isolated from your actual network. 

Honeypots can serve multiple purposes: 

  1. Identifying that malicious hackers are targeting your systems or have even made their way into your environment.
  2. Detecting the tactics, techniques, and motivations of an attacker
  3. Diverting attackers from critical systems and infrastructure
  4. Analyzing attack vectors, vulnerabilities, and hacker behavior 

Some honeypots — referred to as production honeypots — mimic things like web servers, databases, or network devices, while others — known as research honeypots — specialize in advanced data collection and analysis. 

 What Are Honeytokens in Security?

Uniqiue keys dangle by a thread, representing how careless many employees are with their login credentials.

Honeytokens are fake credentials, such as usernames, passwords, and API keys, designed to be indistinguishable from legitimate credentials or other sensitive data. 

A little background info…

Malicious hackers try thousands of common passwords against unprotected user accounts, steal hashed passwords, and review command history to try to increase their access privileges. So it makes sense to plant a few accounts and passwords there ahead of time and watch them for any activity that would indicate this type of intrusion was occurring.

The main purposes of honeytokens include:

  1. Warning you that a security event has occurred
  2. Identifying the source of the event
  3. Gathering insights around the tactics the attackers used
  4. Giving you the ability to contain more sensitive data and critical systems before an attacker makes it that far into your network

What’s the Difference Between Honeypots and Honeytokens?

Think of a honeypot as a fake treasure chest with fake gems inside and a honeytoken like a fake key. The very second that key is used, your entire security system is alerted. 

But there are other differences between the two beyond just how they operate. 

A comparison of honeypots vs honeytokens in cybersecurity, and how they're both part of a robust deceptive defense strategy.

As honeypots have to look like they contain something of value to hackers, they take longer to set up and require more maintenance. But still, over time, the information they collect about cybercriminals can help you fine-tune your defenses. You can also use the information you collect to help law enforcement prosecute cybercriminals, as long as you haven’t violated any privacy laws. Honeytokens, when properly deployed, can provide a highly accurate early warning system. Considering that, on average, it still takes 327 days for the average company to identify a data breach, spreading a few honeytokens throughout your system can be a huge cybersecurity leap forward.  

What Are the Dangers of Using Honeypots and Honeytokens?

If not configured correctly, a honeypot could fail to capture the information you need, and a skilled hacker could use any weakness against you. For example, if a sophisticated hacker sees your honeypot for what it is, they could potentially load malicious files onto your servers and direct traffic there. If your honeypot is used to harm others, you may also be partially liable for any damage it causes. 

Honeytokens have fewer risks associated with their use, but they need to be thoughtfully chosen. Not only are hackers starting to learn how to detect many forms of honeytokens, but if you’ve been careless, they could potentially use one to steal data or grant themselves additional access to your systems. 

In many cases, non-strategic deployment of honeypots and honeytokens can result in a lot of false positives. That is, if they are not properly set aside for normal use on your IT systems, regular users may wind up frequently interacting with them on accident. This can trigger alarms for your team when there is no legitimate threat. Best case, this can consume team resources that would be better spent somewhere else. Worst case, these frequent false alarms will desensitize your team and they may disregard or put off reacting to actual alerts until it’s too late.

It’s also important to understand that while honeypots and honeytokens can be an effective addition to your overall cybersecurity strategy, neither of these solutions is designed to work alone. These techniques aren’t an excuse to skip out on the basics. Of course…those basics keep changing. If you haven’t updated your cybersecurity posture in the last few years, or you’re not sure if your current protection is sufficient, we’ve created a helpful online checklist

Do You Need Deceptive Defense? 

You might want to look into adding deceptive defense strategies if any of these are true: 

  • You store large amounts of customer data
  • Your industry is heavily regulated
  • You provide critical infrastructure 
  • Your cyber defense is heavy on prevention but not detection

Deceptive defense is an investment, and it may be a very wise one. But other investments in your cybersecurity posture or infrastructure might bring you more bang for your buck. A Chief Information Officer (CIO) or Chief Information Security Officer (CISO) would be the person to ask, but many companies don’t have access to one. These specialists are highly sought after, and there aren’t enough to go around…which means they can also command a high price. 

Enterprise-scale companies and national technology providers are far more likely to have room in the budget to attract and retain top CIO and CISO talent. But as small to midsize companies are bearing the brunt of cybercriminals’ attacks over the past few years, the very same organizations that need these skills most are least likely to be able to afford them. 

At Marco, we recently added specialized IT consulting services to help companies fill these critical skill gaps at an affordable price. Click the link below to explore our fractional CIO and CISO services!

Explore IT Consulting Services Learn More

Topics: Security