Awesome Deception

An awesome list of resources on deception-based security with honeypots and honeytokens

Contents

• Articles
• Communities
• Frameworks
• Guides
• Related Lists
• Research
• Podcasts
• Presentations
• Videos

Articles

• Dripping a Little Honey in your Environment
• Trapdoor - The serverless HTTP honeypot
• yesman--Scanner Honeypot with scapy
• Deploy and monitor Azure Key Vault honeytokens with Azure Sentinel (Public preview)
• Honeypot Journals: Credential Attacks and Lessons from Recent Honeynet Incursions
• Honeypot Journals Part II: Attacks on Residential Endpoints
• Deception Engineering: exploring the use of Windows Service Canaries against ransomware
• Ensnare Attack Detection Tool Hopes to Frustrate Hackers, Too
• Honeypots: Good servers in dark alleys can be an enterprise asset
• Extending a Thinkst Canary to become an interactive honeypot
• HoneyPoC: The fallout data after I trolled the Internet...
• Experiments in Extending Thinkst Canary – Part 1
• Using Canaries for Input Detection and Response
• Explain Like I’m Five: Poison Records (Honeypots for Database Tables)
• Not so IDLE hands: FBI program offers companies data protection via deception
• The SunDEW project: learning to pose scalability barriers to attackers
• Honeysploit: Exploiting the Exploiters
• A Tale of Two PoCs or: How I Learned to Stop Worrying and Love the Honeypot
• Honeyroasting. How to detect Kerberoast breaches with honeypots
• Deceiving blue teams using anti-forensic techniques
• Endlessh: an SSH Tarpit
• A Practical Guide to Honeypots
• Learn how to deploy a Honeypot and visualise its data step by step
• Bypassing LLMNR/NBT-NS honeypot
• RDP Honeypotting
• High Interaction Honeypots with Sysdig and Falco
• Detecting Mimikatz Use On Your Network
• Implementing Honeytokens, Honeynets, and Honeytraps With Zero Budget
• Creating and Deploying Honeypots in Kubernetes
• Honeypot deployment on Linux - OpenCanary
• Setting HoneyTraps with ModSecurity: Adding Fake robots.txt Disallow Entries
• Setting HoneyTraps with ModSecurity: Adding Fake HTML Comments
• Detecting Malice with ModSecurity: HoneyTraps
• How Google set a trap for Pwn2Own exploit team
• Build an easy RDP Honeypot with Raspberry PI 3 and observe the infamous attacks as (BlueKeep) CVE-2019–0708
• Building a real-world web honeypot for CVE-2019–6340 (RCE in Drupal core)
• SSH Honey Keys
• Deception as a {Free} Post-Breach Detection Tool
• DevSecOps: Deception in Depth
• How You Can Set up Honeytokens Using Canarytokens to Detect Intrusions
• Gene Spafford: Challenging the Maxim, “No Security Through Obscurity”
• Introduction to HoneyPy & HoneyDB
• Getting Started With HoneyPy — Part 1
• Getting Started With HoneyPy — Part 2
• Getting Started With HoneyPy — Part 3
• Reflections Upon Deception-Based Security Tactics
• Running A SSH Honeypot With Kippo: Let’s Catch Some Script Kiddies
• Cowrie Honeypot Analysis - 24 hours after installing a fresh Cowrie Honeypot on a Digital Ocean node in Singapore. I have data.
• Early Warning Detectors Using AWS Access Keys as Honeytokens
• Introduction to T-Pot - The all in one honeypot
• Unveiling Patchwork – a targeted attack caught with cyber deception
• “Deception as Detection” or Give Deception a Chance?
• Deploy a fake Bitcoin wallet to save your own
• To Honey or not to Honey

Communities

• /r/cyber_deception
• /r/honeypot
• The Honeynet Project

Frameworks

• MITRE Engage™
• MITRE D3FEND™
• Deception-as-Detection

Guides

• Birding Guide - Detect attackers without breaking the bank
• OWASP AppSensor Guide - Application-Specific Real Time Attack Detection & Response
• A Practical Guide to Honeypots

Related Lists

• awesome-honeypots

Research

Groups and Laboratories

• UK National Cyber Deception Laboratory
• Purdue University - Deception Group

Workshops

• Active Defense & Deception (AD&D)

Lecture Slides

• University of New Haven - Deception in Defense of Information Systems

Papers and Theses

• 2021
  • Lamboozling Attackers: A New Generation of Deception
  • Click This, Not That: Extending Web Authentication with Deception
  • Angry Birding: Evaluating Application Exceptions as Attack Canaries
  • Three Decades of Deception Techniques in Active Cyber Defense - Retrospect and Outlook
  • A Comparative Analysis of Honeypots on Different Cloud Platforms
• 2020
  • Honeypots in the age of universal attacks and the Internet of Things
  • The Moonraker Study: An Experimental Evaluation of Host-Based Deception
  • An Empirical Assessment of the Effectiveness of Deception for Cyber Defense
  • An Intelligent Deployment Policy for Deception Resources Based on Reinforcement Learning
  • HoneyDetails: A prototype for ensuring patient’s information privacy and thwarting electronic health record threats based on decoys
  • Towards systematic honeytoken fingerprinting
  • Role-Based Deception in Enterprise Networks
  • DodgeTron: Towards Autonomous Cyber Deception Using Dynamic Hybrid Analysis of Malware
  • Cyber Deception for Computer and Network Security: Survey and Challenges
  • HoneyBug: Personalized Cyber Deception for Web Applications
  • Towards Reconstructing Multi-Step Cyber Attacks in Modern Cloud Environments with Tripwires
  • HoPLA: a Honeypot Platform to Lure Attackers
  • Towards Identifying Human Actions, Intent, and Severity of APT Attacks Applying Deception Techniques - An Experiment
  • Lessons Learned from SunDEW: A Self Defense Environment for Web Applications
• 2019
  • Honware: A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days
  • Deploying a University Honeypot: A case study
  • The Art of The Scam: Demystifying Honeypots in Ethereum Smart Contracts
  • General-Sum Cyber Deception Games under Partial AttackerValuation Information
  • HackIT: A Human-in-the-loop Simulation Tool for Realistic Cyber Deception Experiments
  • Deception-As-Defense Framework for Cyber-Physical Systems
  • Learning and Planning in Feature Deception Games
  • HoneyDOC: An Efficient Honeypot Architecture Enabling All-Round Design
  • Using Camouflaged Cyber Simulationsas a Model to Ensure Validity in Cybersecurity Experimentation
  • A Survey On Honeypots, Honeynets And Their Applications On Smart Grid
  • Analysis of threats on a VoIP Based PBX Honeypot
  • Prevalence of IoT Protocols in Telescope and Honeypot Measurements
  • Counting Outdated Honeypots: Legal and Useful
  • Game Theory for Adaptive Defensive Cyber Deception
  • DorkPot: A Honeypot-based Analysis of GoogleDorks
  • Buckler:Intrusion Detection and Prevention using Honeypot
  • Detect Me If You... Oh Wait.An Internet-Wide View of Self-Revealing Honeypots
  • From Cyber-Security Deception To Manipulation and Gratification Through Gamification
  • Honeypot boulevard: understanding malicious activity via decoy accounts
  • The Tularosa Study: An Experimental Design and Implementation to Quantify the Effectiveness of Cyber Deception
  • How deception can change cyber security defences
  • VIRTUALIZED INTELLIGENT HONEYPOT AGENT
  • Game Theory for Cyber Deception: A Tutorial
• 2018
  • Adaptive Containerised Honeypots for Cyber-Incident Monitoring
  • Towards an Automatic Generation of Low-Interaction Web Application Honeypots
  • Cloxy: A Context-aware Deception-as-a-ServiceReverse Proxy for Web Services
  • Deception Techniques in Computer Security: A Research Perspective
  • Demystifying Deception Technology:A Survey
  • Defending Web Servers with Feints, Distraction and Obfuscation
  • Strategic Defense and Attack in Deception Based Network Security
  • Bitter Harvest: Systematically Fingerprinting Low- and Medium-interaction Honeypots at Internet Scale
  • A SPL Framework for Adaptive Deception-based Defense
  • Chaff Bugs: Deterring Attackers by Making Software Buggier
  • U-PoT: A Honeypot Framework for UPnP-Based IoT Devices
  • HoneyThing: A New Honeypot Design for CPE Devices
  • Efficiency and Security of Docker Based Honeypot Systems
  • An Application of Jeeves for Honeypot Sanitization
  • Cloud security using self-acting spontaneous honeypots
  • HONEY POT AS A SERVICE IN CLOUD
  • A Survey of Game-Theoretic Approaches to Modeling Honeypots
  • Web Deception towards Moving Target Defense
  • Mitigating Computer Attacks in a Corporate Network using Honeypots: A Case Study of Ghana Education Service
  • Using Reinforcement Learning to Conceal Honeypot Functionality
• 2017
  • Lure Box Using Honeytokens for Detecting Cyberattacks
  • Adapting Honeypot Configurations to Detect Evolving Exploits
  • A New Approach to Detecting Ransomware with Deception
  • Active defence through deceptive IPS
  • Deception strategies for web application security: application-layer approaches and a testing platform
  • Evaluation of Deception-Based Web Attacks Detection
  • HoneyIo4: the construction of a virtual, low-interaction IoT Honeypot
  • Honey-Copy-A Concept and Prototype of a Generic Honeypot System
  • Deception using an SSH honeypot
  • Picky Attackers: Quantifying the Role of System Properties on Intruder Behavior
  • Weems: An extensible HTTP honeypot
  • Understanding Security Flaws of IoT Protocols through Honeypot Technologies
  • HONEYPHY: A PHYSICS-AWARE CPS HONEYPOT FRAMEWORK
  • Designing a smartphone honeypot system using performance counters
  • Enhancing Honeypot Deception Capability Through Network Service Fingerprinting
  • Enabling an Anatomic View to Investigate Honeypot Systems: A Survey
  • Review on Honeypot Security
  • A Virtual Honeypot Framework for Server Configuration Using IDS For Login Authentications
  • Automating the Generation of Enticing Text Content for High-Interaction Honeyfiles
  • Towards Deployment Strategies for Deception Systems
  • Outlier Detection in Secure Shell Honeypot using Particle Swarm Optimization Technique
  • Evaluation of Low-Interaction Honeypots on the University Network
  • Poster: HoneyBot - A Honeypot for Robotic Systems
  • A security approach based on honeypots: Protecting Online Social network from malicious profiles
• 2016
  • SSH Honeypot: Building, Deploying and Analysis
  • Designing Adaptive Deception Strategies
  • Design and Implementation of a Real-Time Honeypot System for the Detection and Prevention of Systems Attacks
  • Active defence using an operational technology honeypot
  • SIMULATION OF INDUSTRIAL CONTROL SYSTEM FIELD DEVICES FOR CYBER SECURITY
  • Deception-Based Game Theoretical Approach to Mitigate DoS Attacks
  • MobiPot: Understanding Mobile Telephony Threats with Honeycards
  • Gathering threat intelligence through computer network deception
  • An improved tarpit for network deception
  • Bandits for Cybersecurity: Adaptive Intrusion Detection Using Honeypots
  • Honeypot Architectures for IPv6 Networks
  • Deceptive Cyber Defense for IIoT
  • A Survey on Honeypot Software and Data Analysis
  • Goal-driven deception tactics design
  • SCADA Honeypots – An In-depth Analysis of Conpot
  • Graph-based Forensic Analysis of Web Honeypot
  • Poster: Re-thinking the Honeypot for Cyber-Physical Systems
  • Characterizing Honeypot-Captured Cyber Attacks: Statistical Framework and Case Study
• 2015
  • Deception by Design: Evidence-Based Signaling Games for Network Defense
  • Experiences with Honey-Patching in Active Cyber Security Education
  • Using Deception to Enhance Security: A Taxonomy, Model, and Novel Uses
  • Toward an Insider Threat Detection Framework Using Honey Permissions
  • Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace
  • Denial and Deception in Cyber Defense
  • Fox in the Trap: Thwarting Masqueraders via Automated Decoy Document Deployment
  • Hyhoneydv6: A hybrid Honeypot Architecture for IPv6 Networks
  • Deception in Dynamic Web Application Honeypots: Case of Glastopf
  • IoTPOT: Analysing the Rise of IoT Compromises
  • Survey on Security Using Honeypot
• 2014
  • Aggressive Web Application Honeypot for Exposing Attacker‟s Identity
  • From Patches to Honey-Patches: Lightweight Attacker Misdirection, Deception, and Disinformation
  • Changing the game: The art of deceiving sophisticated attackers
  • Implementing a CBR Recommender for Honeypot Configuration using jCOLIBRI
  • INTERCEPT: High-interaction Server-type Honeypot basedon Live Migration
  • Building a Honeypot to Research Cyber-Attack Techniques
• 2013
  • Detecting Targeted Attacks by Multilayer Deception
  • Improving Security Using Deception
  • Bait and Snitch: Defending Computer Systems with Decoys
  • Canary Files: Generating Fake Files to Detect Critical Data Loss from Complex Computer Networks
  • Honeywords: Making Password-Cracking Detectable
  • A Technique for Presenting a Deceptive Dynamic Network Topology
  • Self-adaptive SSH Honeypot Model Capable of Reasoning
  • Design and Implementation of a Medium Interaction Honeypot
  • A Framework for Intrusion Deception on Web Servers
  • Patterns and Patter - An Investigation into SSH Activity Using Kippo Honeypots
  • A review of dynamic and intelligent honeypots
• 2012
  • A Deception Framework for Survivability Against Next Generation Cyber Attacks
  • A Security Mechanism for Web Servers Based on Deception
  • A Survey: Recent Advances and Future Trends in Honeypot Research
  • CAMPUS SECURITY USING HONEYPOT
  • Set-up and deployment of a high-interaction honeypot:experiment and lessons learned
• 2011
  • DarkNOC: Dashboard for Honeypot Management
  • Heat-seeking honeypots: design and experience
  • Time-traveling Forensic Analysis of VM-basedHigh-interaction Honeypots
  • SCADA Honeynets: The attractiveness of honeypots as critical infrastructure security tools for the detection and analysis of advanced threats
• 2010
  • AHA - Adaptive Honeypot Alternative
  • Honeyware: a web-based low interaction client honeypot
• 2009
  • Using Honeypots to Analyse Anomalous Internet Activities
  • Deception used for Cyber Defense of Control Systems
  • ADVANCED HONEYPOT ARCHITECTURE FOR NETWORK THREATS QUANTIFICATION
• 2008
  • Virtual honeynet with simulated user activity
  • An Integrated Honeypot Framework for Proactive Detection, Characterization and Redirection of DDoS Attacks at ISP level
• 2007
  • Intrusion deception in defense of computer systems
  • Collecting Autonomous Spreading Malware Using High-Interaction Honeypots
• 2006
  • Defensive Computer-Security Deception Operations: Processes, Principles and Techniques
  • Using deception to hide things from hackers: Processes, principles, and techniques
  • Testing and validation of a dynamic honeypot system
  • Advanced Honeypot-based Intrusion Detection
  • Honeypots: How do you know when you are inside one?
  • Lessons learned from the deployment of a high-interaction honeypot
• 2005
  • Detecting Targeted Attacks Using Shadow Honeypots
  • A Honeypot Architecture for Detecting and Analyzing Unknown Network Attacks
• 2004
  • Honeyfiles: Deceptive files for intrusion detection
  • Honeynets: An Educational Resource for IT Security
  • A Dynamic Honeypot Design for Intrusion Detection
• 2003
  • How intrusion detection can improve software decoy applications
  • Honeytokens: The Other Honeypot
  • Honeypots: Catching the Insider Threat
  • Deception Techniques Using Honeypots
  • Honeypot: a Supplemented Active Defense System for Network Security
• 2002
  • Delaying-type responses for use by software decoys
  • Software Decoys: Intrusion Detection and Countermeasures
• 2001
  • A Framework for Deception
• 1994
  • Experiences with Tripwire: Using Integrity Checkers for Intrusion Detection

Podcasts

• Origins of Deception Technology with Haroon Meer
• Active Deception as a Methodology for Cybersecurity

Presentations

• Modelling and Generating Fake Websites for Cyber Deception
• Detecting Reverse Engineering with Canaries
• Lure Box Using Honeytokens for Detecting Cyberattacks
• The smartest way to protect Websites and Web Apps from Attacks

Videos

• Advanced Deception Technology Through Behavioral Biometrics
• Applied Deception Beyond the Honeypot: Moving Past 101
• Honeypots, Deception, and Frankenstein
• Honeypots 2.0: A New ‘Twist’ on Defending Enterprise Networks with Dynamic Deception at Scale
• SANS Webcast: Opening a can of Active Defense and Cyber Deception to confuse and frustrate attackers
• Deceptive Defense: Beyond Honeypots
• Honeypots for Active Defense A Practical Guide to Deploying Honeynets Within the Enterprise
• The matrix has you: Protecting Linux using deception
• Using Honeypots for Network Security Monitoring
• Remote detection of low & medium interaction honeypots
• honeyHoax - A Centralised Honeypot
• Deception for the Cyber Defender: To Err is Human; to Deceive, Divine
• Paravirtualized Honeypot Deployment for the Analysis of Malicious Activity
• Deploying Honeypots To Gather Actionable Threat Intelligence
• Honeypot Your Database
• Forging Trusts for Deception in Active Directory
• HoneyPy & HoneyDB
• Leveraging Deception Techniques for Strong Detection
• Breaking Honeypots for Fun & Profit
• Honeywords - Detectable Password Theft
• IoT Honeypots
• IoTCandyJar: Towards an Intelligent-Interaction Honeypot for IoT Devices
• The KGB, the Computer, and Me (Complete)
• No Budget Threat Intelligence - Tracking Malware Campaigns on the Cheap
• Running a SCADA honeypot
• Visibility, Control, and Containment: Hunting Maturity through Cyber Deception
• Drawing the Foul: Operation of a DDoS Honeypot
• GlastopfNG - A web attack honeypot
• A Framework For Fingerprinting ICS Honeypot
• Building a Better Honeypot Network
• Global Honeypot Trends - Adventures with Kippo!
• Learning How To Smurf With Honeypots
• Powergrid Honeypot
• Stories from a 15 days SMB Honeypot
• Medical Devices: Pwnage and Honeypots
• Honeypots and tokens in modern networks
• Honey(pot) flavored hunt for cyber enemy
• Hey, You Got Your SQL In My Honeypot!
• AT&T ThreatTraq: Passwords in the Honeypot
• Low-Interaction Virtual Honeypot Fingerprinting
• Smart Contract Honeypots for Profit (and probably fun)
• Deceptacon: Wi-Fi Deception < $5
• Application Honeypot Threat Intelligence
• Deploying ICS Honeypots to Deceive and Thwart Adversaries
• Where Do The Phishers Live:Collecting Phishers' Geographic Locations from Honeypots
• PLC for Home Automation and How It Is as Hackable as a Honeypot
• How to Build SPAM Honeypots
• Bring Back the Honeypots
• Vaccination - An Anti-Honeypot Approach
• T-Pot: Automated Honeypot Deployment
• Running a Honeypot | AT&T ThreatTraq Bits
• Ghetto IDS and Honeypots for the Home User
• Honeypot That Can Bite: Reverse Penetration
• Thug: a new low-interaction honeyclient
• Hacking Back: Proactive Threat Intelligence With Honeypots For Active Defense
• Honey Haven: Creating Research HoneyPots In the Cloud
• Lessons Learned from Building and Running MHN the Worlds Largest Crowdsourced Honeynet
• Would You Like Some Honey With That?
• Honey In The Age Of Cyber
• Wolves amongst Sheep - Defeating Targeted Attacks with Deception
• Bringing PWNED To You Interesting Honeypot Trends
• ICS Honeypot Deployment Strategies and Technologies
• Security Onions and Honey Potz
• Cyber Counter Intelligence: An attacker-based approach
• Real Eyes, Realize, Real Lies: Beating Deception Technologies
• Whiteboard Wednesday: Attacker Deception - Honeypots
• The Devil Does Not Exist - The Role of Deception in Cyber
• Bitcoin Honeypots
• Your Active Directory Active Defense ADAD Primer
• Tangled Web: Defense in Deception
• BHIS Webcast: Tracking attackers. Why attribution matters and how to do it
• Active Cyber Network Defense with Denial and Deception
• Traps of Gold
• Live Coding: Python Honeypot
• Building a Web Attacker Dashboard with ModSecurity and BeEF
• OpenCanary: a new Python-based honeypot
• Randori, a low interaction honeypot with a vengeance
• Canarytokens - Honeypots Made Easy
• Coding Live Stream 2: Let's Deploy an SSH Honeypot
• Coding Live Stream 5: Let's Analyze Our Honeypot Traffic With PacketTotal
• Building Honeypots to Monitor DDoS
• Cymmetria: Writing honeypots
• Honeypot project - Kippo Setup and walk-through
• Game of Hacks: The Mother of All Honeypots
• Effortless, Agentless Breach Detection in the Enterprise: Token all the Things!
• Watching the attackers with a web honeypot
• Drupot - A drupal honeypot solution by Glasswall
• HoneyJax (AKA Web Security Monitoring and Intelligence 2.0)
• Honeypots and the evolution of botnets
• Improve DDoS Botnet Tracking With Honeypots
• Ghast04 You Got Your SQL Attacks In My Honeypot
• The Future of Honeypots
• sshesame is an easy to setup fake SSH server / HoneyPot
• Countering the removable device threat with USB honeypots
• Hack Yeah - Simple PHP Honeypot
• Trapping Hacks with Ensnare
• Continuous Security: Monitoring & Active Defense in the Cloud
• DECEPTICON OPSEC to Slow the OSINT
• Getting Started in Cyber Deception
• Messing with Portscans with Honeyports (Cyber Deception)
• Deception Fundamentals
• Deception Modeling Language (DML): Tutorial - Part I
• Deception Modeling Language (DML): Tutorial - Part II
• ShellCon 2018 Keynote - DIY Blue Teaming
• Black Hat USA 1999 - Burglar alarms and Booby Traps
• When the Tables Turn
• Hackers Want Passwords
• Honeytokens: Detecting Attacks to Your Web Apps Using Decoys and Deception
• Web Application Honeypot Threat Intelligence
• Faking a Factory: Creating and Operating a Realistic Honeypot
• Active Defense Web Edition: Web Apps Dripping with Honey!