Deceptive DNS Responses

Engage Goals: EGO0002 Affect

Engage Approach: EAP0004 Direct

Engage Actions: EAC0004 Network Analysis, EAC0016 Network Manipulation

Name of Element: Deceptive DNS Responses

Description of Element:

Goal: Redirect attacker traffic to a controlled environment by providing deceptive DNS responses.

Approach: Manipulating DNS resolution to redirect traffic.

This element intercepts DNS requests for known malicious domains and returns a deceptive IP address, leading attackers to a honeypot or sinkhole.

Technical Context:

This element can be implemented as a custom DNS server or by manipulating DNS records on the local system.
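As an added example (not part of the original element write-up), the custom-DNS-server option above as a small Python UDP resolver: queries for blocklisted names get a forged A record pointing at the sinkhole, everything else is relayed to a real resolver. The blocklist names and the sinkhole address are constructed placeholders, and the upstream resolver address is an assumption.

```python
import socket
import struct

# Constructed blocklist of domains to sinkhole (placeholder names, not real IoCs)
BLOCKLIST = {"c2.example.invalid", "phish.example.invalid"}
SINKHOLE_IP = "10.0.0.50"  # assumed address of the honeypot/sinkhole host
SINKHOLE_TTL = 60          # short TTL so a later blocklist change takes effect quickly

def parse_qname(packet, offset=12):
    """Decode the QNAME after the 12-byte DNS header; returns (lowercased name, end offset)."""
    labels = []
    while packet[offset]:
        n = packet[offset]
        labels.append(packet[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels).lower(), offset + 1

def build_query(name, txid=0x1234, qtype=1):
    """Build a minimal A-record query (used here to exercise the sinkhole offline)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def sinkhole_response(query, blocklist=BLOCKLIST, sinkhole_ip=SINKHOLE_IP):
    """Return a deceptive A answer for blocklisted names, or None to signal 'forward upstream'."""
    txid, = struct.unpack("!H", query[:2])
    name, end = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    if name not in blocklist or qtype != 1 or qclass != 1:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, 1 answer
    question = query[12:end + 4]
    # answer RR: pointer to the QNAME at offset 12, type A, class IN, TTL, RDLENGTH 4, IPv4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, SINKHOLE_TTL, 4) + socket.inet_aton(sinkhole_ip)
    return header + question + answer

def serve(listen=("127.0.0.1", 5353), upstream=("9.9.9.9", 53)):
    """UDP loop: sinkhole blocklisted names, relay everything else to the upstream resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(listen)
        while True:
            query, client = sock.recvfrom(512)
            reply = sinkhole_response(query)  # a non-None reply is worth logging with `client`
            if reply is None:
                with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
                    up.settimeout(2)
                    up.sendto(query, upstream)
                    reply = up.recv(512)
            sock.sendto(reply, client)
```

Only A queries over UDP are sinkholed here; AAAA, TCP fallback and EDNS are left to the upstream path, so a production deployment needs those cases covered before the deception is convincing.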

Other:

This element can be effective against a wide range of attacks, including malware command and control, phishing, and data exfiltration. It aligns with the MITRE ATT&CK technique T1584.001 (Domain Generation Algorithms (DGA)).
