Honeypots Aren't Just for Enterprises Anymore
Honeypots Aren’t Just for Enterprises Anymore
A honey credential deployed in Active Directory costs nothing. It catches attackers that EDR misses. And it has a zero false positive rate.
So why aren’t more small businesses using deception?
Because the security industry has spent a decade telling SMBs that deception technology is an enterprise capability. That it requires a dedicated team to manage. That it’s a “nice to have” after you’ve deployed EDR, SIEM, SOAR, vulnerability management, and everything else on the vendor’s product roadmap.
That’s backwards. For resource constrained organizations, deception should be one of the first things you deploy, not the last.
Why Deception Works (Especially for Small Businesses)
The Signal to Noise Problem
The fundamental challenge in security operations is separating real threats from noise. Your SIEM generates thousands of events per day. Most of them are benign. The attacker’s activity is buried in legitimate traffic, scheduled tasks, software updates, and users doing weird but harmless things.
Enterprise SOCs solve this with headcount. Throw 20 analysts at the alert queue and eventually someone finds the real threat.
Small businesses don’t have 20 analysts. They might not have any analysts. So the alert queue grows, nobody investigates, and the attacker operates undetected.
Deception sidesteps this entirely.
A honey credential in Active Directory is not a probabilistic detection. It’s a binary signal. Either someone tried to authenticate with it or they didn’t. If they did, you have an intruder. Period. No false positive analysis required. No correlation with other events needed. No analyst expertise required to determine “is this real?”
The signal is the signal.
The Math Favors the Defender
Traditional detection puts the burden on the defender. You need to anticipate every possible attack technique, write detection rules for each one, tune those rules to reduce false positives, and staff analysts to investigate what remains.
Deception puts the burden on the attacker. They need to determine which credentials are real and which are traps. Which network shares contain actual data and which are canaries. Which services are legitimate and which are honeypots.
They can’t tell the difference. And they can’t skip enumeration - they need to scan the network, enumerate Active Directory, and explore file shares to find what they’re looking for. Every time they do, they risk triggering a deception.
The more deception you deploy, the harder it becomes for an attacker to operate without detection. And unlike traditional detection rules, deception doesn’t generate false positives from normal business operations.
What You Can Deploy Today
1. Honey Credentials in Active Directory
What it is: Fake user accounts in Active Directory that look like valuable targets (admin accounts, service accounts, backup operators).
Why attackers find them: Every attacker who compromises a domain joined machine runs Active Directory enumeration. Tools like BloodHound, SharpHound, and even native net user /domain will enumerate all accounts. Attackers look for accounts with admin privileges, service accounts with SPNs (for Kerberoasting), and accounts with interesting names.
What you deploy:
| Fake Account | Why It Attracts Attackers |
|---|---|
svc_backup_admin |
Looks like a privileged service account |
admin_legacy |
Looks like a forgotten admin account |
sql_readonly |
Looks like database access |
DomainAdmin_old |
Looks like a renamed domain admin |
Cost: Free. These are standard Active Directory accounts.
Monitoring: Set up an alert for any authentication attempt against these accounts. If you’re running a SIEM, this is a rule watching Windows Event ID 4625 (failed login) or 4624 (successful login) where the target account matches your honey credential list. If you don’t have a SIEM, the built in Windows Event Viewer can trigger a scheduled task on these events, which can send an email or run a script. Even the free tier of most log management tools can handle this.
Detection value: If anyone tries to authenticate as svc_backup_admin, you know:
- Someone is inside your network
- They’ve enumerated Active Directory
- They’re attempting lateral movement or privilege escalation
- This is not a false positive
Real world result: In our lab, we deployed honey credentials and ran a simulated attack from a compromised workstation. The attacker enumerated AD, found the fake service account, and attempted Kerberoasting against it. Time from deployment to detection: 47 minutes. The attack was caught before any real credential was compromised.
2. Canary Files on File Shares
What it is: Documents planted on network shares that generate alerts when opened.
Why attackers find them: Ransomware operators and data thieves browse file shares looking for valuable documents. They search for keywords like “passwords,” “financial,” “confidential,” and “backup.” Canary files are named to attract this attention.
What you deploy:
\\FileServer\IT_Archive\
passwords_master_list.xlsx ← Canary
network-diagram-2025.pdf ← Canary
vpn-credentials-backup.docx ← Canary
\\FileServer\Finance_Backup\
Q4-2025-financial-statements.xlsx ← Canary
banking-credentials.pdf ← Canary
Cost: Free. These are regular files on your existing file shares.
Monitoring: If you have auditing infrastructure, enable file access auditing (Windows Event 4663) on these specific files and alert on any access. If you don’t, use a document beacon service like Thinkst Canary or canarytokens.org. These generate a unique URL embedded in the document that phones home when opened, no SIEM required. You get an email. That’s the whole setup.
Detection value: Normal users don’t open files named “passwords_master_list.xlsx” in the IT Archive. If this file gets accessed, someone is browsing file shares looking for credentials - which is either an attacker or a policy violation you want to know about.
3. Decoy Network Shares
What it is: Fake shared folders that appear alongside legitimate shares during network enumeration.
What you deploy:
| Decoy Share | Why It Attracts Attackers |
|---|---|
\\FS01\HR_Confidential |
Employee records, PII |
\\FS01\IT_Archive |
Old configs, possible credentials |
\\FS01\Finance_Backup |
Financial data, wire transfer info |
\\FS01\Executive_Docs |
Strategic plans, board materials |
Cost: Free. Create empty shares or shares with canary files on an existing file server.
Monitoring: Alert on any access to these shares. If you have log collection, monitor SMB connection logs (Windows Event 5140). If not, populate the decoy shares with canary token documents instead. The share itself becomes the lure, and the beacon documents handle the alerting without any log infrastructure.
Detection value: An attacker running net share or a tool like nxc smb --shares will enumerate every share on the network. They can’t distinguish real shares from decoys without accessing them. When they access a decoy, you catch them.
4. DNS Canaries
What it is: DNS records for fake internal services. When resolved, generate alerts.
What you deploy:
vpn-backup.internal → Canary (no real service)
sql-prod-dr.internal → Canary (no real service)
exchange-legacy.internal → Canary (no real service)
Cost: Free. Add DNS records pointing to a monitored IP.
Monitoring: Monitor DNS queries for these names. If Zeek or Sysmon DNS logging is enabled, alert on any resolution of canary domain names.
Detection value: Attackers enumerate DNS to find internal services. When they resolve a canary hostname, you know someone is performing internal reconnaissance.
5. SSH/Service Honeypots
What it is: A fake service (SSH, web server, database) listening on your network that appears real.
What you deploy: A lightweight honeypot like Cowrie (SSH) or a simple web server on an unused IP address.
Cost: One VM or container. Can run on existing infrastructure.
Monitoring: Any connection to the honeypot is suspicious. No legitimate user or service should connect to it.
Detection value: Network scanners, worms, and lateral movement tools will find and probe the honeypot. Internal connections to the honeypot indicate either an attacker or a misconfigured system, both worth investigating.
6. Cloud Deception (If You’re in AWS, Azure, or M365)
Everything above assumes on prem infrastructure. The same principles work in the cloud, just different tooling.
| Cloud Trap | How It Works |
|---|---|
| Honey IAM user in AWS | Create an IAM user with an access key. Never use the key. CloudTrail logs any API call made with it. |
| Canary S3 bucket | Create a bucket named something like prod-db-backups-2025. Enable CloudTrail data events. Any ListObjects or GetObject is a red flag. |
| Azure AD honey account | Same concept as on prem AD. Create a user with a tempting name, monitor sign in logs. |
| Git repo with fake tokens | Create a private repo containing a file with fake AWS keys or API tokens. If those credentials get used anywhere, you know someone cloned the repo. |
If you’re a cloud native shop with no domain controllers, start here instead of the AD section. The logic is identical: create something that looks valuable, make sure nobody legitimate touches it, alert when something does.
Deployment Priority for SMBs
If you’re starting from zero, deploy in this order:
| Priority | Deception Type | Effort | Detection Value |
|---|---|---|---|
| 1 | Honey credentials in AD | 30 minutes | Catches credential theft, Kerberoasting, lateral movement |
| 2 | Canary files on shares | 1 hour | Catches data browsing, ransomware recon |
| 3 | Decoy shares | 30 minutes | Catches network enumeration |
| 4 | DNS canaries | 30 minutes | Catches internal reconnaissance |
| 5 | SSH honeypot | 2-3 hours | Catches network scanning, lateral movement |
Total deployment time for priorities 1-4: about 2.5 hours. No software to purchase. No agents to deploy. No ongoing tuning required.
Compare that to deploying an EDR platform (days to weeks of planning, rollout, and tuning) and the return on investment for deception is clear.
Common Objections
“What if attackers learn to avoid honeypots?”
They do. Sophisticated attackers check for common honeypot indicators. This is a feature, not a bug.
If an attacker is spending time trying to distinguish real accounts from fake ones, they’re moving slower. Slower attackers are easier to detect through other means. Deception doesn’t need to catch every attacker - it needs to change the economics of the attack.
Also: you control the deception. You can make it as realistic as you want. A honey credential that has a login history, group memberships, and a realistic description is nearly indistinguishable from a real account. The attacker can’t afford to skip it.
“We don’t have anyone to watch the alerts.”
Binary signal doesn’t help if nobody sees it. Fair point. But deception alerts are the easiest category to automate because there’s no judgment call required.
Route them to wherever your team already pays attention: email, Slack, Teams, a phone call from PagerDuty. If you’re running a SOAR platform, a three step playbook handles it: receive deception alert, isolate the source host from the network, notify the on call contact. That’s a fully automated response to a confirmed intrusion with zero analyst involvement.
Even without SOAR, most SIEM tools and even Windows Task Scheduler can send an email when a specific event fires. The monitoring overhead for deception is “can you receive an email and act on it,” not “can you staff a 24/7 SOC.”
“Isn’t this just security through obscurity?”
No. Security through obscurity means hiding your defenses and hoping attackers don’t find them. Deception means placing traps that attackers can’t avoid without changing their methodology. It’s the difference between hiding the lock on your door (obscurity) and adding a silent alarm (deception).
What This Looks Like in Practice
We run a full deception layer in our lab and client environments:
- Active Directory: Honeytoken users, decoy SPNs, fake admin groups, DNS canaries
- File Servers: Decoy shares, canary files, honeyfiles that beacon when opened
- Network: Cowrie SSH honeypot, fake services on unused IPs
- Wazuh Rules: Custom detection rules (100700-100704) for all deception triggers
When we run red team exercises against this environment, the deception layer typically fires before the EDR detects the attack. In our last campaign, the honey credential was triggered 12 minutes before any Sigma rule alerted on the actual attack technique.
Deception caught the attacker. Everything else confirmed it.
Start This Week
You don’t need budget approval. You don’t need new software. You don’t need a security team.
- Create two honey credentials in AD today
- Drop three canary files on your file server
- Set up alerts for authentication to the fake accounts and access to the fake files
- Wait
If nobody triggers the traps, you’ve confirmed your network isn’t currently under active compromise. If something does trigger, you just caught an intruder that your EDR, SIEM, and firewall all missed, using tools that cost nothing and took an afternoon to deploy.