D3FEND Top Ten – #5

This week, we’re taking a little sidestep from our usual focus on one particular technique. Instead, we’re looking at a family of techniques that are unified in their general approach: decoy objects. That involves exploring six different subtechniques contained within the D3FEND framework:

  • Decoy file
  • Decoy network resource
  • Decoy persona
  • Decoy public release
  • Decoy session token
  • Decoy user credential

What is a decoy object?

A decoy object refers to a security mechanism or technique used to mislead and divert potential attackers, thereby protecting the actual target or sensitive information. It is a form of deception employed to enhance the security posture of a system or network.

A decoy object is designed to mimic a legitimate target, such as a file, server, or network resource, in order to lure attackers away from the real assets. It can take various forms, including decoy files, decoy servers, or even entire decoy networks.

Why do we use decoy objects?

The primary purpose of deploying decoy objects is to deceive attackers and delay or deter their progress during an intrusion attempt. By enticing attackers to interact with decoy objects, defenders can gain valuable insights into their techniques, tactics, and tools. This information can be used to analyze and understand the attacker’s behavior, gather intelligence, and strengthen the overall security infrastructure.

Decoy objects are often used in conjunction with other security measures, such as honeypots, which are entire systems or networks designed to appear vulnerable or enticing to attackers. The goal is to attract and monitor malicious activity while ensuring the real systems remain protected and unaffected.

What are some examples of decoy objects?

  • Decoy file: A decoy file is a fabricated or misleading file designed to divert attention or deceive potential attackers. It appears legitimate but typically contains no valuable or sensitive information and serves as a trap or distraction.
  • Decoy network resource: A decoy network resource mimics a real network service or device, such as a server or router. It is intentionally designed to lure attackers, monitor their activities, and gather information about their techniques and intentions, while the actual network resources remain protected.
  • Decoy persona: A decoy persona is a fictional or simulated online identity created to mislead or confuse adversaries. It is often used in social engineering or intelligence operations to interact with potential attackers, gather information, or deflect their attention from real individuals or targets.
  • Decoy public release: A decoy public release involves intentionally leaking false or misleading information to misdirect potential attackers or disrupt their activities. It can involve the release of fake documents, code snippets, or other fabricated materials to divert attention or confuse adversaries.
  • Decoy session token: A decoy session token is a specially crafted token or identifier used in web applications or systems to mislead attackers during session hijacking or similar attacks. It appears valid but leads the attacker to an isolated or monitored environment, preventing them from gaining access to legitimate user accounts or sessions.
  • Decoy user credential: A decoy user credential is a false or non-functional set of login credentials presented to potential attackers. It appears to be valid but is designed to mislead or deter unauthorized access attempts. By interacting with decoy user credentials, defenders can monitor and analyze attackers’ actions while keeping genuine user accounts secure.

What tools can I use to build decoy objects?

Creating decoy objects often requires a combination of technical expertise and specialized tools. Here are six examples of tools that can be used to create decoy objects:


Honeyd is a tool that allows the creation of virtual honeypots—decoy systems that mimic real network services. It emulates various network protocols and services to attract and monitor attackers.


Canarytokens is a tool that enables the creation of decoy files, URLs, and email addresses. These decoys generate alerts when accessed or interacted with, providing early warning of potential security breaches.


Kippo is a medium-interaction SSH honeypot that emulates a Linux environment, enticing attackers to interact with the system. It captures and logs their activities for analysis and research. Find out more about Kippo at:


Glastopf is a web application honeypot designed to emulate vulnerabilities and attract attackers. It captures and analyzes their attack patterns, providing valuable insights into emerging threats.


BeEF (Browser Exploitation Framework) is a tool for testing and exploiting web browsers. It can be used to create decoy web pages that mimic legitimate websites, enabling the collection of information about attackers’ techniques and vulnerabilities.


Metasploit is a widely-used penetration testing framework that includes features for creating decoy objects. It provides various modules and payloads that can be used to deploy decoy systems, honeypots, and other deceptive elements.

Please note that these tools are provided for informational purposes, and their usage should comply with legal and ethical standards.

Stay up to date with the latest threats

Our newsletter is packed with analysis of trending threats and attacks, practical tutorials, hands-on labs, and actionable content. No spam. No jibber jabber.