Implementing Honeytokens for Breach Detection
When to Use
- When deploying or configuring implementing honeytokens for breach detection capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Instructions
Deploy honeytokens across critical systems to detect unauthorized access. Each token
type alerts via webhook when triggered by an attacker.
import requests
# Create a DNS canary token via Canarytokens
resp = requests.post("https://canarytokens.org/generate", data={
"type": "dns",
"email": "soc@company.com",
"memo": "Production DB server honeytoken",
})
token = resp.json()
print(f"DNS token: {token['hostname']}")
Token types to deploy:
- AWS credential files (~/.aws/credentials) with canary keys
- DNS tokens embedded in configuration files
- Document beacons (Word/PDF) in sensitive file shares
- Database honeytoken records in user tables
- Web bugs in internal wiki/documentation pages
Examples
# Generate a fake AWS credentials file with canary token
aws_creds = f"[default]\naws_access_key_id = {canary_key_id}\naws_secret_access_key = {canary_secret}\n"
with open("/opt/backup/.aws/credentials", "w") as f:
f.write(aws_creds)
