cybersecuritySkill
Deploys deception-based honeytokens in Active Directory including fake privileged accounts with AdminCount=1, fake SPNs for Kerberoasting detection (honeyroasting), decoy GPOs with cpassword traps, and fake BloodHound paths. Monitors Windows Security Event IDs 4769, 4625, 4662, 5136 for honeytoken interaction. Use when implementing AD deception defenses for detecting lateral movement, credential theft, and reconnaissance.
Deception Technology
active-directorybloodhounddeceptiondetection+3
ATT&CK6, 6 mappingsNIST CSF3, 3 mappings
cybersecuritySkill
Deploy cloud-native deception across AWS, Azure, and GCP using decoy (honey) resources whose only purpose is to generate a high-fidelity alert the instant an attacker touches them: canary IAM access keys, permission-less decoy users/roles/service principals, honey object-storage buckets, and decoy secrets in Secrets Manager / Key Vault / Secret Manager. Wires detection through CloudTrail + EventBridge, Azure Sentinel honeytoken watchlists + Defender, and GCP Cloud Audit Logs, so any use of a decoy is routed to the SOC with near-zero false positives. Use when protecting cloud accounts and data stores, when an org has only on-prem honeypots and needs cloud coverage, when seeding fake AWS keys to catch credential theft and code-leak exposure, or when detecting cloud reconnaissance and lateral movement. Keywords: cloud deception, canary token AWS, honey S3 bucket, decoy IAM credentials, CloudTrail alert, GuardDuty, Sentinel honeytoken, decoy secret, honey service account, cloud honeypot, breach detection.
Deception Technology
awsazurebreach-detectioncanary-token+4
ATT&CK7, 7 mappingsNIST CSF5, 5 mappings
cybersecuritySkill
Plant canarytokens and honey credentials and alert on breach.
Deception Technology
breach-detectioncanarytokensd3fenddeception-technology+4
ATT&CK1, 1 mappingNIST CSF1, 1 mapping
cybersecuritySkill
Plan, run, and measure an adversary engagement operation using the MITRE Engage framework so that deployed deception is driven by strategy instead of deployed ad hoc. Covers the Engage Matrix (Prepare, Expose, Affect, Elicit, Understand), the 10-Step Operational Process, mapping engagement Activities to the ATT&CK techniques they expose, and defining measurable Goals and Operational Objectives. Use when a team has honeypots, honeytokens, or canary tokens but no coordinating strategy, when leadership asks "should we engage attackers and how", when building a deception/denial program, when writing an adversary engagement operation plan, or when deciding which deception Activities to deploy against a specific threat actor. Keywords: MITRE Engage, adversary engagement, cyber deception strategy, denial and deception, Engage Matrix, EAC, EGO, Expose Affect Elicit, deception program, honeypot strategy, engagement operation.
Deception Technology
adversary-engagementcyber-deceptiondeceptiondenial-and-deception+4
ATT&CK5, 5 mappingsNIST CSF5, 5 mappings
cybersecuritySkill
Deploy and monitor Canary Tokens via the Thinkst Canary API for deception-based breach detection using web bug tokens, DNS tokens, document tokens, and AWS key tokens.
Deception Technology
breach-detectioncanarytokendeceptionearly-warning+3
ATT&CK5, 5 mappingsNIST CSF3, 3 mappings
cybersecuritySkill
Deploy and manage network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral movement, and attacker reconnaissance.
Deception Technology
cowriedeceptiondetectionhoneypot+4
ATT&CK5, 5 mappingsNIST CSF3, 3 mappings