What is a honeypot, what types exist, and what value does it give a blue team?
Short answer
A honeypot is a decoy system or service with no legitimate business use, deliberately exposed to attract attackers. Because nothing benign should ever touch it, any interaction is a high-confidence alert. Low-interaction honeypots emulate services cheaply; high-interaction ones are real systems that yield richer intel but carry more risk. Honeytokens are the same idea applied to fake credentials, files, or records. Value: early detection, low false positives, and threat intelligence.
A honeypot flips detection on its head. Instead of trying to pick attacks out of mountains of legitimate traffic, you stand up something no legitimate user should ever touch — so any contact is, by definition, suspicious. Interviewers ask this to see whether you understand deception as a detection strategy and its trade-offs.
What it is
A honeypot is a decoy system, service, or account with no production purpose, placed where an attacker is likely to probe. Because it has no real users, it generates almost no false positives: a hit means scanning, lateral movement, or active intrusion. Beyond alerting, it captures the attacker's tools, techniques, and infrastructure — valuable threat intelligence.
Types
- Low-interaction — emulates services (a fake SSH banner, an open "RDP") to log connection attempts. Cheap, safe, but limited; a careful attacker may notice it is fake.
- High-interaction — a real, fully functional system. It yields rich behavioral data but is dangerous: if compromised, it could be used to pivot, so it must be heavily isolated and monitored.
- Honeytokens / canaries — the concept applied to fake data: bogus credentials, a decoy "passwords.xlsx," a fake AD account, or a tripwire API key. The moment anyone uses them, you know you have an intruder, often deep in the environment.
- A network of honeypots is a honeynet.
Value and risk
Strengths: early, high-confidence detection and intel. Risks: a poorly isolated high-interaction honeypot can become a launchpad; and a honeypot only sees attackers who interact with it, so it complements — never replaces — your primary monitoring.
Why this matters
A strong answer defines the decoy concept, stresses the low false-positive property, distinguishes low- vs high-interaction, and mentions honeytokens for in-network detection plus the isolation risk. That shows you grasp deception as a deliberate, low-noise layer of defense.
Likely follow-ups
- Why does a honeypot produce so few false positives compared to a normal IDS?
- What extra risk does a high-interaction honeypot introduce, and how do you mitigate it?
- How would you deploy a honeytoken inside Active Directory?