Engage Goals: EGO0002 Affect
Engage Approach: EAP0004 Direct
Engage Actions: EAC0004 Network Analysis, EAC0016 Network Manipulation
Name of Element: Deceptive Identity Federation
Description of Element:
Goal: Redirect attackers attempting to leverage identity federation protocols to a controlled environment.
Approach: Manipulating identity federation responses to misdirect authentication flows.
Modify identity federation responses, such as SAML assertions or OAuth tokens, to redirect attackers to a fake identity provider (IdP) or a honeypot environment.
Technical Context:
This element requires the ability to intercept and modify network traffic that carries identity federation protocols. This can be achieved through network manipulation, through proxy servers, or by compromising a non-critical IdP. This aligns with the MITRE ATT&CK technique T1606 (Compromise Accounts).
Other:
This element can be particularly effective against attackers attempting to exploit vulnerabilities in federated Single Sign-On (SSO) systems.
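Added example (not part of the original element definition): the proxy-server option from Technical Context, where a defender-run reverse proxy in front of the service provider rewrites the SP's SAML HTTP-Redirect response so that watchlisted sources are sent to a decoy IdP. The decoy URL, the watchlist, the function names and the sample AuthnRequest are constructed assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumptions (not from the page): decoy URL, watchlist and sample request are constructed.
DECOY_SSO_URL = "https://idp-decoy.example.internal/sso"
WATCHLIST = {"203.0.113.7"}  # sources already flagged by network analysis
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def inflate(b64_value):
    """HTTP-Redirect binding encoding: base64 over raw DEFLATE."""
    return zlib.decompress(base64.b64decode(b64_value), -15)

def deflate(xml_bytes):
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode()

def steer_redirect(location, client_ip):
    """Return the Location header the proxy should send to this client."""
    params = parse_qs(urlsplit(location).query)
    if client_ip not in WATCHLIST or "SAMLRequest" not in params:
        return location  # normal users keep the real IdP
    # The AuthnRequest was produced by our own SP, so it is trusted input here.
    root = ET.fromstring(inflate(params["SAMLRequest"][0]))
    root.set("Destination", DECOY_SSO_URL)
    query = {"SAMLRequest": deflate(ET.tostring(root))}
    if "RelayState" in params:
        query["RelayState"] = params["RelayState"][0]
    # Signature/SigAlg are dropped: they cover the original query string,
    # and the defender-controlled decoy IdP does not verify them.
    decoy = urlsplit(DECOY_SSO_URL)
    return urlunsplit((decoy.scheme, decoy.netloc, decoy.path, urlencode(query), ""))

def describe(location):
    """Decode a redirect for logging: (IdP host, Destination, Issuer, RelayState)."""
    parts = urlsplit(location)
    params = parse_qs(parts.query)
    root = ET.fromstring(inflate(params["SAMLRequest"][0]))
    issuer = root.findtext("{%s}Issuer" % SAML)
    return parts.netloc, root.get("Destination"), issuer, params.get("RelayState", [None])[0]

SAMPLE_XML = (b'<samlp:AuthnRequest xmlns:samlp="' + SAMLP.encode() + b'" xmlns:saml="'
              + SAML.encode() + b'" ID="_constructed1" Version="2.0" '
              b'Destination="https://idp.example.com/sso">'
              b'<saml:Issuer>https://sp.example.com/metadata</saml:Issuer></samlp:AuthnRequest>')
SAMPLE_LOCATION = "https://idp.example.com/sso?" + urlencode(
    {"SAMLRequest": deflate(SAMPLE_XML), "RelayState": "/app/home"})
```

Logging the output of `describe()` for both the original and the steered redirect gives the audit trail that shows which sources were diverted and which SP they were trying to reach.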