What are the best practices for deploying public-facing honeypots - which could be scanned very frequently?

Our public-facing decoys are pure web application decoys that only respond when they are called out by hostname. This tells us that the adversary took the effort to configure their toolset and tailored their recon efforts towards the customer as these hostnames are only discoverable in DNS and certificate transparency lists.

  • Decoys are strategically placed so that legitimate users do not get access to them
  • Decoys are recommended based on attacker-psychology - things that would be of interest to an adversary but not to legitimate users
  • Decoys aren’t indexed so they’re only triggered by targeted recon activity or when someone is categorically scoping out your infra.
  • Decoys ignore IP-based scans as they are the source of all the noise.
  • We do not recommend exposing other services to the internet though it is possible to do this with the platform.

Examples of deception strategy for public-facing decoys

  • Under attack - If you’re currently a target of a concerted attack campaign, space out planting the decoys over a couple of days so as not to arouse suspicion – a sudden addition of 10 new web apps (decoys) can tip off the attackers.
  • New product/business launch - Create an entirely fake company patterned on the product/business you’re launching to build a threat model of what you can expect when you launch.
  • Unpatched applications - Create decoys of unpatched applications to detect threat actors actively exploiting public-facing assets with known vulnerabilities.
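The host-gating behaviour described in the reply above (answer only when the request names the decoy hostname, and stay silent for bare-IP scans) can be reproduced with a few lines of Python. The following is an added example, not code from the original post or from any decoy platform; the decoy hostnames, the 404 body and the JSON alert fields are assumptions chosen for illustration.

```python
"""Host-gated web decoy (added example, not the platform's own code).

The decoy answers only when the Host header names one of the decoy hostnames,
which an adversary can find only through DNS or certificate-transparency logs.
A request that arrives by bare IP literal, with no Host header, or for any
other name gets the same bland default-vhost response a real server would
give, so mass IP-range scanners see nothing distinctive and raise no alert.
"""
import ipaddress
import json
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Assumed decoy names: plausible, attractive to an attacker, unused by real users.
DECOY_HOSTS = {"vpn-legacy.example.com", "jenkins-old.example.com"}


@dataclass
class Verdict:
    status: int
    body: str
    alert: Optional[dict]  # populated only on a genuine decoy hit


def normalise_host(host_header: Optional[str]) -> Optional[str]:
    """Lowercase, strip a :port suffix and IPv6 brackets; None if absent."""
    if not host_header:
        return None
    h = host_header.strip().lower()
    if h.startswith("["):            # "[2001:db8::1]:443" -> "2001:db8::1"
        end = h.find("]")
        h = h[1:end] if end != -1 else h[1:]
    elif h.count(":") == 1:          # "example.com:8443" -> "example.com"
        h = h.split(":", 1)[0]
    return h or None


def is_ip_literal(host: str) -> bool:
    """True for requests addressed to an IP rather than a name (scanner noise)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(method: str, path: str, headers, client_ip: str) -> Verdict:
    """Decide how to answer one request: decoy content plus alert, or silent default."""
    host = normalise_host(headers.get("Host"))
    if host is None or is_ip_literal(host) or host not in DECOY_HOSTS:
        # Indistinguishable from an empty default vhost; nothing is alerted on.
        return Verdict(404, "<html><body>Not Found</body></html>", None)
    alert = {
        "event": "decoy_hit",
        "decoy": host,
        "src_ip": client_ip,
        "method": method,
        "path": path,
        "user_agent": headers.get("User-Agent", ""),
    }
    # The hostname was resolved deliberately, so serve a believable page and alert.
    body = f"<html><head><title>{host}</title></head><body>Sign in</body></html>"
    return Verdict(200, body, alert)


class DecoyHandler(BaseHTTPRequestHandler):
    # Avoid the default "BaseHTTP/... Python/..." Server header, an obvious tell.
    server_version = "nginx"
    sys_version = ""

    def do_GET(self):
        v = decide("GET", self.path, self.headers, self.client_address[0])
        if v.alert:
            print(json.dumps(v.alert), flush=True)  # in practice: ship to the SIEM
        self.send_response(v.status)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(v.body.encode())

    def log_message(self, *args):
        pass  # suppress per-request logging so IP scans produce no noise at all


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), DecoyHandler).serve_forever()
```

Behind a real TLS terminator the same check applies to the SNI name as well as the Host header; the 404 body should be copied from whatever the organisation's genuine default vhost returns so the decoy host and the non-decoy response cannot be told apart by content-length alone.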

I’d never really considered this one:

  • New product/business launch - Create an entirely fake company patterned on the product/business you’re launching to build a threat model of what you can expect when you launch.