WHAT IS A HONEYTOKEN?
We’re using ‘honey token’ in this paper as a stand-in for anything you can lock down and fire alerts from. This can be nearly anything, depending on your context and capabilities: In a database, a record that won’t get returned in normal business queries, but will get returned by an unwary attacker running, can be a honey token, as long as you alert if that record is ever queried. If you control a DNS server, you can set up alarms on certain subdomains being resolved, and sprinkle links to them in your documentation, where your employees will never see it but a curious interloper will spider it. Alternatively you might put some bogus internal email addresses in your CMS and if they ever start getting spam, you know someone’s been peeking at your stuff. All of these are relatively easy to create for one-off or low-scale deployments, and you should consider doing so (or using a freely-available third-party service to do it for you).
