implementing-network-deception-with-honeypots

star 3

Deploy and manage network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral movement, and attacker reconnaissance.

oyi77 By oyi77 schedule Updated 6/8/2026
play_arrow Run Skill in Manus View GitHub

name: implementing-network-deception-with-honeypots description: Deploy and manage network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral movement, and attacker reconnaissance. domain: cybersecurity tags:

  • deception
  • honeypot
  • opencanary
  • cowrie
  • t-pot
  • detection
  • lateral-movement
  • network-security subdomain: deception-technology version: '1.0' author: mahipal license: Apache-2.0 nist_csf:
  • DE.CM-01
  • DE.AE-06
  • PR.IR-01

Implementing Network Deception With Honeypots

Overview

Cybersecurity skill for implementing network deception with honeypots. Follows industry best practices and security standards.

When to Use

  • When deploying deception technology to detect lateral movement
  • To create early warning indicators for network intrusion
  • During security architecture design to add detection depth
  • When monitoring for unauthorized internal scanning or credential theft
  • To gather threat intelligence on attacker techniques and tools

When NOT to Use

  • When you lack proper authorization for testing
  • For production systems without change management
  • When the task requires legal or compliance expertise beyond technical scope

Prerequisites

  • Linux server or VM for honeypot deployment (Ubuntu 22.04+ recommended)
  • Python 3.8+ with pip for OpenCanary installation
  • Docker for T-Pot or containerized deployment
  • Network segment with appropriate VLAN configuration
  • SIEM integration for alert forwarding (syslog, webhook, or file-based)
  • Firewall rules allowing inbound connections to honeypot services

Workflow

# Example: IOC detection
import re

IOC_PATTERNS = {
    "ip": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "domain": r"\b[a-z0-9-]+\.[a-z]{2,}\b",
    "hash_md5": r"\b[a-f0-9]{32}\b",
    "hash_sha256": r"\b[a-f0-9]{64}\b",
}

def extract_iocs(text: str) -> dict:
    return {k: re.findall(v, text) for k, v in IOC_PATTERNS.items()}
  1. Assess Requirements — Evaluate current environment and define network deception implementation requirements.
  2. Design Architecture — Plan the network deception architecture, including components, integrations, and data flows.
  3. Configure Components — Set up honeypots for network deception according to vendor best practices and security guidelines.
  4. Test Integration — Validate that all components work together. Run functional and security tests.
  5. Deploy to Production — Roll out the implementation with monitoring and rollback capabilities.
  6. Validate and Document — Verify the implementation meets requirements. Document configuration and runbooks.

Tools

  • honeypots — Primary tool for this skill
  • Configuration Management — Infrastructure as code and automation
  • Monitoring Stack — Observability and alerting
  • Documentation Platform — Runbooks and architecture docs

Verification

  • All network deception procedures executed completely and documented
  • Findings validated against multiple data sources
  • False positives identified and filtered
  • Results documented with evidence and timestamps
  • Recommendations provided with risk-based prioritization

Anti-Rationalization

Rationalization Reality
"We are too small to be targeted" Automated attacks target everyone. Size does not matter.
"Security slows us down" A breach slows you down 100x more. Build security in from the start.
"We will fix it after launch" Vulnerabilities in production are exploited within hours. Fix before deploy.
Install via CLI
npx skills add https://github.com/oyi77/1ai-skills --skill implementing-network-deception-with-honeypots
Repository Details
star Stars 3
call_split Forks 0
navigation Branch main
article Path SKILL.md
More from Creator
oyi77
oyi77 Explore all skills →