Abstract

A canary honeypot is a system that mimics a production system and is deployed to serve as an early detection mechanism in the event of a network breach. These honeypots can operate in two different formats; either as an exploitable or non-exploitable honeypot. In this chapter we discuss the difference between these types of honeypots, and discuss considerations for the practical deployment of honeypots for NSM detection. This includes discussion of several popular honeypot applications, such as Honeyd, Kippo, and Tom’s Honeypot, along with examples of their use. This chapter also briefly introduces the concept of Honeydocs, and how to create them.