Engage Goals: EGO0001 Expose, EGO0003 Elicit
Engage Approach: EAP0001 Collect, EAP0002 Detect
Engage Actions: EAC0003 System Activity Monitoring, EAC0012 Personas
Name of Element: Deceptive Group Memberships
Description of Element:
Goal: Expose attackers attempting to enumerate or exploit group memberships and gather information about their activities.
Approach: Create fake user groups, or assign users to deceptive groups, and monitor them for unauthorized access attempts.
Create fake user groups with enticing names or privileges, or assign honeytoken accounts to legitimate groups to lure attackers and monitor their attempts to exploit group memberships.
Technical Context:
This element requires integration with the identity and access management system. It can be implemented by creating fake group objects in Active Directory or other directory services. This aligns with the MITRE ATT&CK technique T1069.002 (Permission Groups Discovery: Domain Groups).
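One way to consume the monitoring this element calls for, as an added example that is not part of the original entry: a triage pass over Windows Security events that flags any touch of a decoy group or any use of a honeytoken account. The group names, accounts, maintainer allowlist and event records are constructed; it assumes events arrive as dictionaries with field names modeled on Windows Security events and that the 4662 ObjectName has already been resolved to a distinguished name.

```python
# Added example: group names, accounts and events are constructed.
DECOY_GROUPS = {"sql-prod-admins", "vault-recovery-operators"}  # hypothetical decoy groups
HONEYTOKEN_ACCOUNTS = {"svc_sqlbackup"}  # hypothetical honeytoken placed in a real group
MAINTAINERS = {"deception-admin"}        # hypothetical account that manages the decoys
GROUP_EVENTS = {4662: "directory object accessed", 4728: "member added to global group",
                4756: "member added to universal group"}
ACCOUNT_EVENTS = {4624: "logon", 4625: "failed logon", 4768: "Kerberos TGT requested"}

def group_name(ev):
    """Lowercased name of the group an event refers to ('' if none)."""
    if ev["EventID"] == 4662:
        # Assumption: ObjectName is a DN; take the value of its first RDN (the CN).
        return ev.get("ObjectName", "").split(",")[0].partition("=")[2].lower()
    return ev.get("TargetUserName", "").lower()

def triage(events):
    """Return one alert per event that touches a decoy group or a honeytoken."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        actor = ev.get("SubjectUserName", "-").lower()
        if eid in GROUP_EVENTS and group_name(ev) in DECOY_GROUPS:
            if actor in MAINTAINERS:  # expected upkeep of the decoy, not an alert
                continue
            alerts.append({"time": ev["TimeCreated"], "kind": "decoy-group",
                           "target": group_name(ev), "actor": actor,
                           "what": GROUP_EVENTS[eid]})
        elif eid in ACCOUNT_EVENTS and ev.get("TargetUserName", "").lower() in HONEYTOKEN_ACCOUNTS:
            # Logon-type events: the useful "actor" is the source address.
            alerts.append({"time": ev["TimeCreated"], "kind": "honeytoken",
                           "target": ev["TargetUserName"].lower(),
                           "actor": ev.get("IpAddress", "-"), "what": ACCOUNT_EVENTS[eid]})
    return alerts

SAMPLE_EVENTS = [  # constructed records
    {"EventID": 4662, "TimeCreated": "2024-05-02T09:14:07Z", "SubjectUserName": "jsmith",
     "ObjectName": "CN=SQL-Prod-Admins,OU=Groups,DC=corp,DC=example"},
    {"EventID": 4662, "TimeCreated": "2024-05-02T09:15:30Z", "SubjectUserName": "deception-admin",
     "ObjectName": "CN=SQL-Prod-Admins,OU=Groups,DC=corp,DC=example"},
    {"EventID": 4728, "TimeCreated": "2024-05-02T09:20:11Z", "SubjectUserName": "jsmith",
     "TargetUserName": "Vault-Recovery-Operators"},
    {"EventID": 4662, "TimeCreated": "2024-05-02T09:22:45Z", "SubjectUserName": "alice",
     "ObjectName": "CN=Finance-Users,OU=Groups,DC=corp,DC=example"},
    {"EventID": 4768, "TimeCreated": "2024-05-02T09:31:40Z",
     "TargetUserName": "svc_sqlbackup", "IpAddress": "192.0.2.23"},
]
if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Event 4662 is only written for directory objects that carry an auditing SACL, so each decoy group needs one for the first branch to ever fire.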
Other:
This element can be combined with deceptive authentication mechanisms to create a more convincing illusion. For example, attackers attempting to access resources restricted to fake user groups could be presented with deceptive login prompts to capture their credentials.