Honeytokens & deception
Decoys nothing legitimate ever touches.
Most detections wrestle with the signal-to-noise problem: telling malicious activity apart from a flood of legitimate activity. Deception flips that problem on its head — you plant things that only an attacker would ever touch, so any interaction is, by construction, high-confidence evidence.
Honeytokens and canaries
A honeytoken (or canary) is a decoy — a fake credential, a bait resource, a tripwire — that has no legitimate use, so nothing benign ever touches it. Because normal activity never interacts with it, an interaction is near-certain evidence of an intruder, giving you an alert with an extraordinarily low false-positive rate. Effective placements include a fake AWS access key in a config file or environment, a decoy admin account, a canary document or URL that phones home when opened, a bait database row, or a honeypot service. Place them where an attacker rummaging for credentials or data would naturally find them — exactly the spots your real detections struggle to distinguish from normal use.
# Planted in a config an attacker would read. It grants NOTHING, but any# attempt to use it fires a high-confidence alert (nothing legitimate does).[default]aws_access_key_id = AKIACANARY0000EXAMPLE # decoy — monitoredaws_secret_access_key = ...decoy...# Detection: alert on ANY API call using this key id in CloudTrail.# eventName = * AND userIdentity.accessKeyId = "AKIACANARY0000EXAMPLE"# ⇒ someone found and tried the bait → investigate immediately.
Why deception is high-value
Deception is cheap to deploy and produces some of the highest-signal alerts in your whole program, which is why it complements rule- and behavior-based detection so well: those fight noise, deception has almost none. A triggered canary tells you an attacker is present and actively hunting for credentials or data — often early in the intrusion, before they have done real damage. Spread canaries across the environment (cloud credentials, cluster secrets, file shares, databases) so wherever an attacker looks, they risk tripping one. Route canary hits as critical, page immediately, and treat any interaction as an incident until proven otherwise — a canary firing is almost never a false alarm.