Deception and disruption technology — SY0-701
Reference page for SY0-701 exam candidates on deception and disruption technology — honeypots, honeynets, and honey tokens — grounded in NIST definitions.
What it is
Deception and disruption technology refers to systems and resources deliberately designed to attract, engage, and detect adversaries by presenting them with decoys or false targets — while simultaneously impeding or redirecting their activity. The foundational example in the NIST glossary is the honeypot, defined as "a system (e.g., a web server) or system resource (e.g., a file on a server) that is designed to be attractive to potential crackers and intruders, like honey is attractive to bears" (CNSSI 4009-2015, citing IETF RFC 4949 Ver 2). Deception technology extends this core idea across multiple layers of an environment, from individual files to entire simulated network segments.
Mental model
Picture a museum that places a convincing replica of a priceless artifact in an obvious spot, while the real one sits in a vault. Anyone who touches the replica is immediately flagged — their behavior is recorded, their techniques are observed, and their access to the real collection is blocked. No legitimate visitor has any reason to handle the replica. Any interaction with it is, by definition, unauthorized and suspicious.
That is the operating logic of all deception technology: legitimate users and processes do not interact with decoys. Any contact signals adversary activity. This shifts detection from a noise-filtering problem (who among thousands of events is an attacker?) to a near-zero false-positive signal (anyone who touches the decoy is a threat actor, per NIST SP 800-150's definition of threat actor as "an individual or a group posing a threat").
When to use it
Deception components differ in scope and placement. The exam tests whether a candidate can match the right tool to the right scenario:
| Component | What it is | Primary purpose | Scope |
|---|---|---|---|
| Honeypot | A single system or resource designed to attract intruders (NIST: CNSSI 4009-2015) | Lure and observe attackers targeting one decoy asset | Single host or service |
| Honeynet | A network of honeypots that simulate a broader environment | Observe attacker lateral movement and multi-stage behavior | Network segment |
| Honey token | A specific decoy data object (credential, file, record) placed inside real systems | Detect unauthorized access to sensitive data stores | Individual asset or data record |
| DNS sinkhole | A DNS resolver configured to return controlled responses for known-malicious domains | Disrupt command-and-control communication; redirect malicious traffic for analysis | Network-wide DNS layer |
Note: "honeynet," "honey token," and "DNS sinkhole" do not appear as standalone terms in the NIST CSRC glossary at the time of authoring. The honeypot definition (CNSSI 4009-2015) is the grounded anchor; adjacent terms reflect common industry usage within that same definitional family.
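To make the disruption row of the table concrete, here is an added Python example (not code from the page's sources or from any vendor product) of the sinkhole logic: a resolver that answers listed domains with a defender-controlled address, records which internal host asked, and forwards everything else. The blocklist entries, the sinkhole address and the upstream answers are constructed placeholders, and the dictionary standing in for the upstream forwarder is a simplification of a real DNS forwarder.

```python
from dataclasses import dataclass, field

# Constructed sample blocklist. These are placeholder names under the reserved
# .test TLD, not real indicators of compromise.
DEMO_BLOCKLIST = {"c2.example-malicious.test", "Update.BadCDN.test"}

# Address the sinkhole answers with (constructed). In a real deployment this is
# a listener the defender controls, so beacons that would have reached a C2
# server land on a logging host instead.
DEMO_SINKHOLE_IP = "10.0.0.250"

# Stand-in for the upstream/forwarding resolver: name -> answer (constructed).
DEMO_UPSTREAM = {"www.example.test": "192.0.2.10", "mail.example.test": "192.0.2.25"}


@dataclass
class SinkholeEvent:
    client: str   # internal host that asked
    qname: str    # normalized name it asked for
    matched: str  # blocklist entry that covered the query


@dataclass
class SinkholeResolver:
    blocklist: set
    sinkhole_ip: str
    upstream: dict
    events: list = field(default_factory=list)

    def __post_init__(self):
        # Normalize once so "Evil.Test." and "evil.test" compare equal.
        self.blocklist = {self.normalize(n) for n in self.blocklist}

    @staticmethod
    def normalize(name: str) -> str:
        return name.strip().rstrip(".").lower()

    def match(self, qname: str):
        """Return the blocklist entry covering qname (exact or any parent), else None.

        Walking up the parents catches beacon.c2.example-malicious.test when
        only c2.example-malicious.test is listed.
        """
        labels = self.normalize(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocklist:
                return candidate
        return None

    def resolve(self, client: str, qname: str) -> str:
        """Answer a query: sinkhole address for listed names, upstream answer otherwise."""
        name = self.normalize(qname)
        hit = self.match(name)
        if hit is not None:
            # The disruption step: record who asked, then hand back the decoy address.
            self.events.append(SinkholeEvent(client, name, hit))
            return self.sinkhole_ip
        return self.upstream.get(name, "NXDOMAIN")

    def suspected_hosts(self) -> set:
        """Internal clients that tried to reach a listed domain: the triage list."""
        return {e.client for e in self.events}


def run_demo() -> SinkholeResolver:
    """Replay a few constructed queries through the sinkhole and return it."""
    r = SinkholeResolver(DEMO_BLOCKLIST, DEMO_SINKHOLE_IP, DEMO_UPSTREAM)
    queries = [
        ("10.1.1.5", "www.example.test"),                 # benign, forwarded
        ("10.1.1.7", "C2.Example-Malicious.Test."),        # listed; case and trailing dot differ
        ("10.1.1.7", "beacon.c2.example-malicious.test"),  # subdomain of a listed name
        ("10.1.1.9", "update.badcdn.test"),                # listed
        ("10.1.1.5", "nothing.example.test"),              # unknown, NXDOMAIN
    ]
    for client, qname in queries:
        r.resolve(client, qname)
    return r


if __name__ == "__main__":
    demo = run_demo()
    for e in demo.events:
        print(f"sinkhole hit: client={e.client} qname={e.qname} matched={e.matched}")
    print("suspected hosts:", sorted(demo.suspected_hosts()))
```

The two things worth noticing are the normalization (a sinkhole that misses `C2.Example-Malicious.Test.` because of case or a trailing dot is a sinkhole the beacon walks past) and the fact that the event log, not the redirected answer, is the detection value: `suspected_hosts()` is the list an analyst triages.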
Common misconception
The exam tests a common confusion between deception technology and intrusion detection systems (IDS). Candidates often assume these serve the same function because both produce alerts about adversary activity. They do not work the same way.
An IDS, as defined by NIST, is "a security service that monitors and analyzes network or system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner." An IDS watches real production traffic and must distinguish malicious events from benign noise — a problem that produces false positives (NIST SP 800-115 defines a false positive as "an alert that incorrectly indicates that a vulnerability is present"). Tuning an IDS to reduce false positives is an ongoing operational challenge.
A honeypot, by design, has no legitimate users. There is no benign baseline traffic to confuse with malicious activity. Any interaction is suspicious by definition. Deception technology does not replace detection; it creates a high-confidence signal source with a fundamentally different noise profile than production traffic monitoring.
A second trap: candidates confuse the purpose of deception with prevention. Deception technology does not block an attacker at the perimeter. It lets an adversary engage with a controlled, instrumented environment so that their tactics, techniques, and procedures can be observed and that enriched context can feed decision-making processes — consistent with NIST SP 800-150's framing of threat intelligence as "threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes."
How it shows up on the exam
The cognitive target is application — given a scenario, identify the right deception component or distinguish deception technology from a different detective control. Candidates often struggle when a question describes an organization wanting to detect insider misuse of a credential database; a honey token (a fake but plausible credential record in that database) is the deception answer, while an IDS watching database query logs is the monitoring answer. Both detect, but through different mechanisms.
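The noise-profile contrast above and the credential-database scenario in this paragraph can be shown side by side. The following is an added Python example, not code from the page's sources: it runs an IDS-style threshold rule and a honey-token rule over the same constructed log lines. The usernames, source addresses, table names and the log format are all made up for the illustration; the decoy credential names are the honey tokens assumed to have been planted in the credential store.

```python
import re
from collections import Counter

# Constructed decoy credential records planted in the credential store.
# No job, script or person legitimately references these names.
HONEY_TOKENS = {"svc_backup_legacy", "admin_dr_test"}

# Constructed log lines (not from any real system). alice mistypes her
# password three times; 10.1.1.9 browses the database and then tries a decoy
# credential it could only have obtained by reading the credential table.
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth login user=alice src=10.1.1.5 result=success
2024-05-01T09:00:02 auth login user=alice src=10.1.1.5 result=failure
2024-05-01T09:00:03 auth login user=alice src=10.1.1.5 result=failure
2024-05-01T09:00:04 auth login user=alice src=10.1.1.5 result=failure
2024-05-01T09:00:05 auth login user=alice src=10.1.1.5 result=success
2024-05-01T09:01:10 db query user=bob src=10.1.1.9 table=customers
2024-05-01T09:02:33 auth login user=svc_backup_legacy src=10.1.1.9 result=failure
2024-05-01T09:02:40 db query user=bob src=10.1.1.9 table=credentials
"""

# timestamp, log source, event name, then key=value pairs
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+)(?P<kv>(?: \S+=\S+)*)$")


def parse_log(text: str) -> list:
    """Turn the constructed log text into a list of dict records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crashing
        rec = {"ts": m["ts"], "source": m["source"], "event": m["event"]}
        for pair in m["kv"].split():
            key, value = pair.split("=", 1)
            rec[key] = value
        records.append(rec)
    return records


def ids_failed_login_alerts(records, threshold=3) -> list:
    """IDS-style rule over production traffic: N failures from one user+source.

    Benign behaviour (alice's typos) trips it, so the threshold needs tuning
    and every alert needs triage.
    """
    counts = Counter()
    alerts = []
    for r in records:
        if r["event"] == "login" and r.get("result") == "failure":
            key = (r["user"], r["src"])
            counts[key] += 1
            if counts[key] == threshold:
                alerts.append({"rule": "failed-login-threshold", "user": r["user"], "src": r["src"]})
    return alerts


def honey_token_alerts(records, tokens=frozenset(HONEY_TOKENS)) -> list:
    """Decoy rule: any reference to a planted credential is an alert.

    No threshold and nothing to tune, because no legitimate activity
    ever uses these names.
    """
    return [{"rule": "honey-token-use", "user": r["user"], "src": r["src"], "ts": r["ts"]}
            for r in records if r.get("user") in tokens]


def enrich(records, alert) -> list:
    """Pull every event from the alerting source: the context an analyst wants next."""
    return [r for r in records if r.get("src") == alert["src"]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("IDS alerts (need triage):", ids_failed_login_alerts(recs))
    for a in honey_token_alerts(recs):
        print("high-confidence decoy alert:", a)
        for r in enrich(recs, a):
            print("   context:", r)
```

On this input the IDS rule fires once, on alice, and that alert is a false positive an analyst has to close; the honey-token rule also fires once, on the decoy account from 10.1.1.9, and `enrich()` immediately shows the same source reading the `credentials` table moments earlier. That pairing of a near-zero-noise trigger with the surrounding activity is the enrichment role the page attributes to deception technology.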
Signal phrases to watch for:
- "attract," "lure," or "appear legitimate to attackers" → points toward a honeypot or decoy construct
- "observe attacker behavior" or "gather threat intelligence" → deception technology used for enrichment, consistent with NIST SP 800-150
- "redirect malicious traffic" or "disrupt command-and-control" → disruption function, consistent with sinkhole-type mechanisms
- "no legitimate users would access this" → the defining characteristic of a decoy; any alert from it is high-confidence
The adversary framing matters: NIST SP 800-30 Rev. 1 defines an adversary as a "person, group, organization, or government that conducts or has the intent to conduct detrimental activities." Deception technology works precisely because it exploits adversary behavior — the intent to access something that looks valuable — against the adversary.
Related concepts
- CIA Triad — Deception technology primarily serves confidentiality and integrity goals by detecting unauthorized access before real assets are reached.
- Non-repudiation — Interaction logs captured by honeypots contribute to an audit trail that supports non-repudiation of adversary actions.
- AAA Framework — Deception technology operates outside the normal authorization boundary; any "authenticated" session on a honeypot is by definition anomalous, which surfaces gaps in the AAA enforcement perimeter.
Sources
Every claim on this page traces to the public exam blueprint and official documentation: