Page 270 - Cyber Defense eMagazine September 2025
The very existence of these traps implies that any entity interacting with them (excluding their creators, of course) should be treated as hostile and investigated.
Example: Deceptive Backup Scripts as Time-Based Traps in Cloud Environments
Defenders can deploy a bogus scheduled backup script named “nightly-db-backup.sh” on a decoy cloud instance. The script can be set up to appear as if it runs daily at 04:00 via a convincing-looking cron entry (e.g. /etc/cron.d/backup_job). The script can contain clear-text references to fake database credentials, S3 storage paths, and mock sensitive data exports. This serves as a timing-based honeypot, designed to attract unauthorized access attempts during off-hours when legitimate activity is minimal.
Any attempt to execute this script triggers hidden canary tokens that act as an alerting system. This can take the form of an HTTP request to a receiving endpoint (e.g. a web server) that has been configured to log and alert on any interaction with it. The log captures timestamps, so interactions with the script outside the bogus scheduled execution window stand out. The defenders can then not only detect the unauthorized access but also track subsequent movements using the metadata captured with each hit.
This approach demonstrates how time-based decoy elements, especially those aligned with off-hour
routines, can effectively expose stealthy adversaries who are mimicking typical system administrator
behavior.
Randomized Friction
Randomized friction aims to increase an attacker's work factor, and with it the operational cost for the adversary. Introducing unpredictability into system responses (e.g. intermittent latency, randomized errors, inconsistent firewall behavior) forces attackers to adapt continually, degrading their efficiency and increasing the likelihood of detection.
Example: Randomized Edge Behavior in Cloud Perimeter Defense
Imagine a blue/red team exercise within a large cloud-native enterprise. The security team deploys randomized friction techniques on a network segment believed to be under passive reconnaissance by red team actors. The strategy can include intermittent firewall rule randomization. Some of these rules make it so that attempts to reach specific HTTP-based resources are met with occasional timeouts, 403 errors, misdirected HTTP redirects, or, at other times, a genuine response.
When the red team conducts external reconnaissance and tries to enumerate target resources, they experience inconsistent results. One of their primary objectives is to remain undetected. Some ports appear filtered one moment and open the next. API responses alternate between errors, basic authentication challenges, and other challenges about missing request elements (e.g. a required HTTP request header is absent). This forces red team actors to waste time revalidating findings, rewriting tooling, and second-guessing whether their scans were flawed or whether they had been detected.
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.