Deceptive Identity-as-a-Service (IDaaS)

Engage Goals: EGO0001 Expose, EGO0003 Elicit

Engage Approach: EAP0001 Collect, EAP0002 Detect

Engage Actions: EAC0005 Lures, EAC0018 Security Controls

Name of Element: Deceptive Identity-as-a-Service (IDaaS)

Description of Element:

Goal: Identify attackers attempting to leverage compromised accounts for lateral movement or unauthorized access to cloud resources.

Approach: Deploy fake IDaaS endpoints that mimic legitimate services but capture attacker interactions.

Create decoy IDaaS endpoints that appear to provide access to cloud resources or sensitive data. These endpoints can be designed to capture attacker requests, log their activities, or redirect them to controlled environments.

Technical Context:

This element requires the ability to create and deploy API endpoints that integrate with cloud identity management systems. This can be achieved through serverless functions, containerized applications, or by manipulating existing IDaaS configurations. This aligns with the MITRE ATT&CK technique T1614 (Cloud Accounts).

Other:

This element can be combined with deceptive user profiles or fake access tokens to make the decoy IDaaS endpoints more convincing.
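A minimal sketch of such a decoy endpoint combined with fake access tokens, added here as an illustration and not taken from the original entry. It assumes an OAuth-style token request (form fields `grant_type`, `client_id`, `client_secret`); the planted client IDs, the `handle_token_request` helper and the localhost port are all hypothetical.

```python
import hashlib, json, secrets, time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed decoy client IDs planted as lures; any use of one is high-signal.
PLANTED_CLIENT_IDS = {"svc-backup-decoy", "ci-deploy-decoy"}
EVENTS = []  # stand-in for a SIEM forwarder

def handle_token_request(source_ip, headers, body):
    """Log one interaction with the decoy token endpoint and build the reply."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    client_id, secret = form.get("client_id", ""), form.get("client_secret", "")
    planted = client_id in PLANTED_CLIENT_IDS
    event = {
        "ts": time.time(),
        "source_ip": source_ip,
        "user_agent": headers.get("User-Agent", ""),
        "grant_type": form.get("grant_type", ""),
        "client_id": client_id,
        # Keep a digest only: the submitted secret may be a real leaked credential.
        "secret_sha256": hashlib.sha256(secret.encode()).hexdigest() if secret else None,
        "severity": "high" if planted else "medium",
    }
    if planted:
        # Decoy token: valid nowhere, but recorded so later sightings can be correlated.
        event["decoy_token"] = "decoy-" + secrets.token_hex(16)
        status, reply = 200, {"access_token": event["decoy_token"],
                              "token_type": "Bearer", "expires_in": 3600}
    else:
        status, reply = 401, {"error": "invalid_client"}
    EVENTS.append(event)
    return status, reply, event

class DecoyHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = max(0, min(int(self.headers.get("Content-Length", 0)), 4096))
        except ValueError:
            length = 0
        body = self.rfile.read(length).decode("utf-8", "replace")
        status, reply, _ = handle_token_request(self.client_address[0], self.headers, body)
        data = json.dumps(reply).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), DecoyHandler).serve_forever()
```

Because no legitimate client is ever configured to use the decoy, every recorded event is worth reviewing; requests with a planted client ID are marked high severity because they show a lure was found and used.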