Honeypots, Fake Credentials, and Cyber Traps: The Role of Deception in Defence
“All warfare is based on deception.”

Hackers thrive on certainty — they want to know where your defences are weak, which credentials are real, and how they can slip through undetected. But what if everything they saw was a lie?
The greatest victories aren’t always won through brute force — they’re won through deception. In warfare, misleading the enemy can cause them to waste resources, expose their weaknesses, or walk into an ambush. In cybersecurity, deception technologies serve the same purpose: misdirecting attackers, wasting their time, and revealing their presence before they can cause real damage.
“All warfare is based on deception.” — Sun Tzu
Sun Tzu’s Wisdom
Sun Tzu understood that misleading the enemy is a fundamental part of strategy. Generals throughout history have used feints, false retreats, and misinformation to gain the upper hand. In cybersecurity, deception techniques can trick attackers into revealing themselves while protecting real assets.

Cybersecurity Interpretation
Defenders often assume a purely reactive stance — detecting and responding to intrusions after they happen. But deception flips the script, putting attackers on the defensive. Instead of waiting for a breach, defenders deploy fake assets designed to lure and track attackers, turning an intrusion attempt into an intelligence-gathering opportunity.
Common deception techniques include:
- Honeypots — Fake systems designed to attract attackers and log their activities.
- Honeytokens — Fake credentials, API keys, or database entries that alert defenders when accessed.
- Decoy Active Directory Accounts — Fake privileged accounts designed to detect lateral movement.
- Deceptive Network Paths — Bogus file shares, fake SMB drives, and misconfigured-looking services that waste an attacker’s time.
Real-World Example
One of the most famous examples of deception in cybersecurity was the use of honeytokens to detect insider threats at a major financial institution. The company created fake employee login credentials and planted them in internal documentation. If an attacker or insider attempted to use them, an alert would trigger, instantly revealing unauthorised access.
Similarly, Microsoft’s Active Directory Deception techniques involve planting decoy domain administrator accounts and fake credentials in memory. If an attacker dumps credentials using tools like Mimikatz, they unknowingly steal fake ones, leading defenders straight to their presence.

Defensive Takeaways
- Deploy Honeypots — Set up decoy systems that mimic real services and track attacker behaviour.
- Use Honeytokens — Embed fake credentials in repositories, logs, and files to detect unauthorised access.
- Implement Active Directory Deception — Place fake admin accounts to lure attackers attempting privilege escalation.
- Set Traps for Credential Theft — Monitor for the use of decoy credentials in logs and alert on unauthorised use.
- Continuously Improve Deception Tactics — Rotate and refresh deceptive assets to keep attackers guessing.
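
One way to implement the decoy-credential monitoring from the takeaways above, as an added example that is not from the original article: it scans authentication records for any use of a decoy account, failed attempts included, since a decoy has no legitimate use. The account names, the JSON record layout and the sample lines are assumptions constructed for illustration; the event IDs are standard Windows Security event IDs.

```python
import json

# Hypothetical decoy account names (assumption); nothing legitimate uses them.
DECOY_ACCOUNTS = {"svc-backup-adm", "da-legacy"}

# Windows Security event IDs that record an authentication attempt.
AUTH_EVENTS = {4624: "logon success", 4625: "logon failure",
               4768: "Kerberos TGT request", 4776: "NTLM credential validation"}

def normalise(account):
    """Reduce DOMAIN\\user and user@domain forms to a lowercase bare name."""
    name = account.strip().lower().rsplit("\\", 1)[-1]  # drop a DOMAIN\ prefix
    return name.split("@", 1)[0]                         # drop an @domain suffix

def find_decoy_use(lines):
    """Return one alert per authentication event that names a decoy account."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
            event_id = int(event["EventID"])
            user = normalise(event["TargetUserName"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # malformed or incomplete record: skip it
        if event_id in AUTH_EVENTS and user in DECOY_ACCOUNTS:
            alerts.append({
                "time": event.get("TimeCreated"),
                "account": user,
                "source": event.get("IpAddress", "unknown"),
                "action": AUTH_EVENTS[event_id],
            })
    return alerts

# Constructed sample records for illustration (not real log data).
SAMPLE_LOG = [
    r'{"TimeCreated":"2024-05-01T09:00:01Z","EventID":4624,"TargetUserName":"CORP\\alice","IpAddress":"10.0.4.21"}',
    r'{"TimeCreated":"2024-05-01T09:02:10Z","EventID":4625,"TargetUserName":"CORP\\svc-backup-adm","IpAddress":"10.0.7.55"}',
    r'{"TimeCreated":"2024-05-01T09:02:44Z","EventID":4768,"TargetUserName":"DA-Legacy@corp.example","IpAddress":"10.0.7.55"}',
    r'{"TimeCreated":"2024-05-01T09:03:00Z","EventID":46',
    r'{"TimeCreated":"2024-05-01T09:03:12Z","EventID":4776,"TargetUserName":"svc-backup-adm","Workstation":"WS-0142"}',
    r'{"TimeCreated":"2024-05-01T09:05:30Z","EventID":4625,"TargetUserName":"bob","IpAddress":"10.0.4.30"}',
]

if __name__ == "__main__":
    for alert in find_decoy_use(SAMPLE_LOG):
        print(alert)
```
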
Conclusion
Sun Tzu’s lesson on deception applies directly to cybersecurity: by misleading adversaries, we force them into making mistakes. Attackers rely on stealth and speed — but deception disrupts their tactics, making every step risky and uncertain.
The best fight is the one where the enemy never realises they’ve already lost.
