performing-deception-technology-deployment

# Performing Deception Technology Deployment ## When to Use Use this skill when: - SOC teams need high-fidelity detection of post-compromise lateral movement with near-zero false positives - Existing detection tools miss advanced attackers who avoid triggering threshold-based alerts - The organization wants to detect credential abuse by planting fake credentials as honeytokens - Network segmentation gaps need compensating detection controls **Do not use** as a replacement for fundamental security controls (patching, EDR, network segmentation) — deception is a detection layer, not a prevention mechanism. ## Prerequisites - Network segments identified for honeypot/decoy deployment (server VLANs, DMZ, OT networks) - Deception platform (Thinkst Canary, Attivo/SentinelOne Hologram, or open-source alternatives) - SIEM integration for deception alerts (any interaction with deception assets is suspicious) - Active Directory access for honeytoken account and credential creation - Network team coordination for IP allocation and traffic routing ## Workflow ### Step 1: Map Attack Surface for Deception Placement Identify high-value network segments where attackers would traverse: ``` DECEPTION DEPLOYMENT MAP ━━━━━━━━━━━━━━━━━━━━━━━━ Segment Decoy Type Rationale Server VLAN Fake file server Attackers enumerate SMB shares during recon Database VLAN Fake DB server SQL scanning detected in past incidents AD/DC Segment Honeytoken ac...