How to best deploy honey files?

Hi Hayden,

Thanks for reaching out on our Discuss Hub.

When deploying deception technology, creativity is an important factor, so you really have to ask yourself first: “What are my strategy goals?”
Here are some example requirements and goals that can hopefully help:

  • Generate actionable, high-fidelity alerts.
  • Reduce the “dwell time” of an initial compromise.
  • Confuse the attacker with false assets and misinformation.
  • Tackle the human attacker or APT.
  • Threat intelligence regarding tactics, techniques, and procedures.
  • Integrate with existing defense-in-depth architecture.

Once you have that objective in mind you can start with:

  • Determining locations to place your honey files. Locations in which your decoys are placed in
    a file system should be selected so that the decoys remain conspicuous to malicious insiders
    but do not impede a legitimate user’s normal actions. I would start by looking at the most recently
    accessed documents, as well as the ten folders/network shares/directories containing the greatest
    number of files with common document extensions (.pdf, .doc, .docx, .ppt, .xls, .txt, .html, .htm, etc.).
    Selecting the most populated and most recently accessed folders increases the conspicuousness of
    the decoys, since these are the directories that would be the most probable targets for malicious insiders.
  • Naming of honey files. The prime objective of the naming scheme is to create filenames that blend in
    with existing legitimate documents so that they do not look overtly suspicious. Appending either
    “-final” or “-updated” to the end of the filename, or a date string, makes a document appear as if it
    has been marked as a more authentic, official version.

Aside from our Help Site, I strongly recommend reading our Blog on Deception Technologies where you might find a couple more tips on Honey Files.

I hope you will find this useful.

Thanks,
Oli

2 Likes
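The placement and naming heuristics in Oli's reply, turned into a small planning script. This is an added example, not code from the original thread or from the vendor's product: it ranks directories under a share by document count and last access time, picks each top directory's most recently accessed document as a naming template, and derives a decoy name with a “-final”, “-updated” or date suffix. The extension list, the constructed sample tree and the function names are assumptions for illustration; nothing is written to the share, the script only returns the plan.

```python
"""Honey-file placement planner (added example; paths, extensions and the
constructed sample tree are assumptions, not data from the original post)."""
import os
import tempfile
import time
from collections import defaultdict
from datetime import date
from pathlib import Path

# Common document extensions from the post, plus .xlsx/.pptx (assumed additions).
DOC_EXTS = {".pdf", ".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx",
            ".txt", ".html", ".htm"}


def rank_directories(root, top_n=10):
    """Return up to top_n (directory, doc_count, last_access) tuples, most
    populated first and, within equal counts, most recently accessed first.
    Directories with no matching documents are not returned at all."""
    counts = defaultdict(int)
    last_access = defaultdict(float)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() not in DOC_EXTS:
                continue
            st = os.stat(os.path.join(dirpath, name))  # stat does not touch atime
            counts[dirpath] += 1
            last_access[dirpath] = max(last_access[dirpath], st.st_atime)
    ranked = sorted(counts, key=lambda d: (counts[d], last_access[d]), reverse=True)
    return [(d, counts[d], last_access[d]) for d in ranked[:top_n]]


def most_recent_document(directory):
    """Name of the most recently accessed document in directory, or None."""
    docs = [p for p in Path(directory).iterdir()
            if p.is_file() and p.suffix.lower() in DOC_EXTS]
    if not docs:
        return None
    return max(docs, key=lambda p: p.stat().st_atime).name


def decoy_name(template, style="final", when=None):
    """Derive a decoy filename from a legitimate one by inserting '-final',
    '-updated' or a YYYYMMDD date string before the extension."""
    stem, ext = os.path.splitext(template)
    if style == "date":
        suffix = (when or date.today()).strftime("-%Y%m%d")
    elif style in ("final", "updated"):
        suffix = "-" + style
    else:
        raise ValueError("style must be 'final', 'updated' or 'date'")
    return f"{stem}{suffix}{ext}"


def plan_decoys(root, top_n=10, style="final", when=None):
    """One decoy path per top-ranked directory, modelled on that directory's
    most recently accessed document. Skips any name that already exists so a
    real file is never shadowed by a decoy."""
    plan = []
    for directory, _count, _atime in rank_directories(root, top_n):
        template = most_recent_document(directory)
        if template is None:
            continue
        target = os.path.join(directory, decoy_name(template, style, when))
        if not os.path.exists(target):
            plan.append(target)
    return plan


def build_sample_tree(base):
    """Constructed sample share for a stand-alone run (fake names, no real data)."""
    now = time.time()
    layout = {
        "Finance": ["Q3-budget.xlsx", "payroll-2024.xls", "vendors.docx"],
        "HR": ["handbook.pdf", "offer-letter.docx"],
        "Scratch": ["notes.tmp"],  # no documents, so it must not be ranked
    }
    for folder, names in layout.items():
        d = Path(base, folder)
        d.mkdir(parents=True, exist_ok=True)
        for i, name in enumerate(names):
            p = d / name
            p.write_text("placeholder")
            stamp = now - i * 3600          # first file in each list is the newest
            os.utime(p, (stamp, stamp))
    return base


def demo(style="updated"):
    """Build the sample tree in a temp dir and return (ranking, plan) using
    basenames only, so the result is stable across machines."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        ranking = [(os.path.basename(d), n) for d, n, _ in rank_directories(tmp)]
        plan = [(os.path.basename(os.path.dirname(p)), os.path.basename(p))
                for p in plan_decoys(tmp, style=style)]
    return ranking, plan


if __name__ == "__main__":
    ranking, plan = demo()
    for folder, n in ranking:
        print(f"{n:3d} docs  {folder}")
    for folder, name in plan:
        print("decoy ->", folder, "/", name)
```

Two practical caveats before using this on a live share: last-access timestamps are often not maintained (noatime/relatime mounts on Linux, NTFS last-access updates on Windows), so treat `st_atime` as a hint and switch the key to `st_mtime` where it is unreliable; and keep the returned plan (path plus a hash of the decoy you eventually write) in a manifest, since the alerting side of the deployment needs an exact list of which files are decoys.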