NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-26 Decoys

Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Decoys (i.e., honeypots, honeynets, or deception nets) are established to attract adversaries and deflect attacks away from the operational systems that support organizational mission and business functions. Use of decoys requires some supporting isolation measures to ensure that any deflected malicious code does not infect organizational systems. Depending on the specific usage of the decoy, consultation with the Office of the General Counsel before deployment may be needed.

Practitioner Notes

Decoys (honeypots, honeynets, honey tokens) are fake systems or data designed to attract attackers and detect unauthorized activity. They look real to an attacker but serve no legitimate business purpose.

Example 1: Deploy a honeypot server on your network that looks like a vulnerable file server. It has fake "sensitive" files and open shares. Any access to this server is immediately suspicious because no legitimate user has a reason to touch it. Alert your SIEM on any connection to the honeypot.

Example 2: Create honey tokens — fake credentials stored in a document on a file share, or fake API keys in a configuration file. If these credentials are ever used to authenticate, you know an attacker has accessed your internal systems and is trying to move laterally.
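The two practitioner notes above describe detection logic: alert on any connection to the honeypot, and alert whenever a honey-token credential or API key is presented. The following Python script, added here as an illustration and not taken from NIST or from this page's author, runs both rules over a handful of constructed log lines. The honeypot address (10.20.30.40), the maintenance host that is allowed to reach it (10.0.0.5), the log line format, and the decoy account and key names are all assumptions made up for the example. Honey-token identifiers are stored only as SHA-256 fingerprints so that the rule file itself does not reveal which credentials are decoys.

```python
"""Decoy alerting over constructed log lines (added example, not from the page)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# --- Constructed decoy inventory (assumptions for this example) ----------------
# Example 1's honeypot "file server": no legitimate user has a reason to reach it.
HONEYPOT_HOSTS = {"10.20.30.40"}
# Assumed: the security team's monitoring box, which checks the honeypot's health.
# Suppressing it avoids paging on your own upkeep traffic.
EXPECTED_SOURCES = {"10.0.0.5"}


def fingerprint(secret: str) -> str:
    """SHA-256 of a honey-token identifier, so the rule never holds plaintext."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Example 2's honey tokens: a fake account planted in a document on a share and a
# fake API key planted in a config file. Both names are constructed placeholders.
HONEY_USERS = {fingerprint("svc_backup_legacy")}
HONEY_API_KEYS = {fingerprint("hx_demo_9f3a1c")}


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    src: str
    time: str
    detail: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Parse '<timestamp> <log-type> k=v k=v ...' (constructed format) into a dict."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return {}
    rec = {"time": parts[0], "log": parts[1]}
    rec.update(_KV.findall(parts[2]))
    return rec


def evaluate(rec: dict) -> Optional[Alert]:
    """Apply the decoy rules to one parsed record; return an Alert or None."""
    if not rec:
        return None
    src, ts, log = rec.get("src", "?"), rec["time"], rec["log"]
    # Rule 1: any connection to the honeypot from an unexpected source.
    if log == "fw" and rec.get("dst") in HONEYPOT_HOSTS and src not in EXPECTED_SOURCES:
        return Alert("high", "honeypot-connection", src, ts,
                     f"{src} connected to decoy {rec['dst']} dport={rec.get('dport')}")
    # Rule 2: a honey-token account used for authentication (success or failure).
    if log == "auth" and fingerprint(rec.get("user", "")) in HONEY_USERS:
        return Alert("critical", "honey-token-credential", src, ts,
                     f"decoy account {rec['user']} used from {src} result={rec.get('result')}")
    # Rule 3: a honey-token API key presented to the API gateway.
    if log == "api" and fingerprint(rec.get("key_id", "")) in HONEY_API_KEYS:
        return Alert("critical", "honey-token-apikey", src, ts,
                     f"decoy API key presented from {src} path={rec.get('path')}")
    return None


def analyze(lines) -> list:
    """Run every line through the rules; alerts come back in log order."""
    return [a for a in (evaluate(parse(line)) for line in lines) if a]


def correlated_sources(alerts) -> list:
    """Sources that tripped more than one decoy rule: the strongest signal."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, set()).add(a.rule)
    return sorted(s for s, rules in by_src.items() if len(rules) > 1)


# Constructed sample log lines: one benign health check, one normal flow, one
# normal login, and three events that should alert.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z fw src=10.0.0.5 dst=10.20.30.40 dport=445 action=allow",
    "2024-05-01T10:03:12Z fw src=10.0.5.12 dst=10.20.30.40 dport=445 action=allow",
    "2024-05-01T10:03:40Z fw src=10.0.5.12 dst=10.0.7.7 dport=443 action=allow",
    "2024-05-01T10:05:02Z auth user=jdoe src=10.0.5.12 result=success",
    "2024-05-01T10:05:30Z auth user=svc_backup_legacy src=10.0.5.12 result=failure",
    "2024-05-01T10:06:10Z api key_id=hx_demo_9f3a1c src=10.0.9.3 path=/v1/export",
]

if __name__ == "__main__":
    found = analyze(SAMPLE_LOGS)
    for a in found:
        print(f"[{a.severity}] {a.rule} {a.time} {a.detail}")
    print("correlated sources:", correlated_sources(SAMPLE_LOGS and found))
```

Two design points are worth noting. Failed authentications with a decoy account alert just as loudly as successful ones, because the decoy has no legitimate users and an attempt is the signal. The maintenance-host exclusion applies only to the honeypot connection rule: a honey token presented from any source, including the monitoring box, is always an alert, since nothing on the network should ever use those credentials.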