Decoy Defenses: How Honeypots Sweeten Cybersecurity Strategies

15 points by iphone14pro almost 2 years ago

3 comments

badrabbit almost 2 years ago

Both honeypots and canaries have one rule that makes them hard to implement: the moment they generate false positives to where a human has to spend time investigating the cause, they become ineffective. They are not meant to be alert sources that tell you bad stuff is happening, they are supposed to be high fidelity indicators of a compromise.

So, internet facing honeypots are usually not useful for detection because everybody and their mother is trying to hack you on the internet. The conditions you could monitor for on honeypots, you almost always should be monitoring on prod boxes too, so the value is more limited there.

If you have internal honeypots then failed attempts to compromise them should be ignored and they should be AD joined (long topic). The purpose of internal honeypots is to detect lateral movement and to an attacker, they should not look any different than any of your other similar devices. So, if I have an ssh key, domain password or dumped nthash/kerberos ticket, it should work just the same on the honeypot. Furthermore, once compromised they should have content like files and apps that makes them look legit so the threat actor can spend time enumerating on the honeypot so you can learn about their intentions. But most importantly, they should not gain more access but they should be able to pivot using existing access from the honeypot to elsewhere.

Lastly, I am more of a fan of canaries staged right. New-HoneyHash.ps1 is my favorite.

For linux admins, I suggest having a legitimate user account that can't sudo and has password/creds expire like any human user and then deploy that user with private keys that can access other things all over your environment and setup centralized SSH login monitoring. The moment that account is used to login to anywhere should page every admin/security person. And you can use these types of canaries on internet facing stuff.
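A minimal centralized-login check for the canary account badrabbit describes, as an added example that is not from the thread or any project: it scans constructed sshd log lines, ignores ordinary authentication failures, and raises a page-level alert whenever the canary user authenticates anywhere. The account name, hostnames and addresses are made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sshd log lines in syslog format; not taken from any real host.
SAMPLE_LOG = """\
Jun 12 09:14:01 web01 sshd[2311]: Accepted publickey for deploy from 10.0.4.8 port 50122 ssh2: ED25519 SHA256:AAAA
Jun 12 09:14:33 db02 sshd[4410]: Failed password for invalid user admin from 203.0.113.7 port 41002 ssh2
Jun 12 09:15:07 db02 sshd[4412]: Accepted publickey for svc-backup from 10.0.9.21 port 39870 ssh2: RSA SHA256:BBBB
Jun 12 09:15:40 app03 sshd[1204]: Failed publickey for svc-backup from 10.0.9.21 port 39872 ssh2: RSA SHA256:BBBB
"""

# Hypothetical canary account: a real, non-sudo user whose private key is seeded
# around the estate but which no human or job ever uses, so any use of it is suspect.
CANARY_USERS = {"svc-backup"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport\s\d+"
)


@dataclass(frozen=True)
class CanaryAlert:
    severity: str  # "page": the account was used; "notice": someone tried its creds
    ts: str
    host: str
    user: str
    src: str
    method: str


def canary_alerts(log_text: str, canary_users=CANARY_USERS) -> list[CanaryAlert]:
    """Return one alert per sshd auth event that involves a canary account.

    Ordinary failures (password guessing against real users, internet noise)
    are deliberately ignored: the signal is the canary identity, not the failure.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] not in canary_users:
            continue
        severity = "page" if m["result"] == "Accepted" else "notice"
        alerts.append(CanaryAlert(severity, m["ts"], m["host"], m["user"], m["src"], m["method"]))
    return alerts


if __name__ == "__main__":
    for a in canary_alerts(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.ts} {a.host}: canary {a.user} {a.method} auth from {a.src}")
```

Feed it the aggregated sshd logs from your central log host; the "page" alert is the one that should wake people up, while "notice" tells you the canary's credentials are being tried somewhere.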
bigbacaloa almost 2 years ago
Reads like an AI generated essay.
denton-scratch almost 2 years ago

> One such innovative strategy is the use of honeypots

Innovative? Honeypots have been around since forever.

A modest article, with much to be modest about.