Fake DNS Server

Engage Goals: EGO0001 Expose, EGO0003 Elicit

Engage Approach: EAP0001 Collect, EAP0002 Detect

Engage Actions: EAC0015 Information Manipulation, EAC0016 Network Manipulation

Name of Element: Fake DNS Server

Description of Element:

Goal: To identify attackers attempting to resolve internal domain names or perform DNS tunneling.

Approach: Monitoring queries to the fake DNS server and analyzing attacker behavior.

This element involves setting up a fake DNS server that responds to specific queries with deceptive answers or redirects them to a controlled environment.

Technical Context:

This element can be combined with other deceptive elements, such as fake websites or deceptive network configurations, to enhance its effectiveness. It aligns with the MITRE ATT&CK technique T1583.001 (Acquire Infrastructure: Domains).

Other:

This element requires careful configuration to avoid interfering with legitimate DNS resolution.
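The core of such a decoy responder, as an added example that is not part of the original element description: it parses a raw DNS query, labels it for the monitoring log, and answers only inside the decoy zone so that other names are refused rather than resolved. The zone name, decoy address, classification thresholds and function names are assumptions chosen for illustration.

```python
import math, socket, struct
from collections import Counter

DECOY_ZONE = "corp.example"   # assumed decoy internal zone (placeholder)
DECOY_IP = "192.0.2.10"       # assumed controlled host (TEST-NET-1 address)

def make_query(name, txid=0x1234, qtype=1):
    """Build a constructed sample query so the example runs offline."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(pkt):
    """Return (qname, qtype, end offset) of the first question in a raw query."""
    pos, labels = 12, []
    while pkt[pos] != 0:
        length = pkt[pos]
        if length & 0xC0:
            raise ValueError("compressed or invalid label in question")
        labels.append(pkt[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", pkt[pos + 1:pos + 5])
    return ".".join(labels).lower(), qtype, pos + 5

def in_decoy_zone(qname):
    return qname == DECOY_ZONE or qname.endswith("." + DECOY_ZONE)

def entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def classify(qname):
    """Label a query for the monitoring log; thresholds are assumed values."""
    longest = max(qname.split("."), key=len)
    if len(longest) >= 30 and entropy(longest) > 3.5:
        return "tunneling-suspect"      # long, random-looking label
    return "internal-name-probe" if in_decoy_zone(qname) else "other"

def build_response(pkt):
    """Answer A queries in the decoy zone with DECOY_IP; refuse everything else."""
    qname, qtype, end = parse_question(pkt)
    txid, flags = struct.unpack("!HH", pkt[:4])
    answer, rcode = b"", 5                       # 5 = REFUSED
    if in_decoy_zone(qname) and qtype == 1:      # 1 = A record
        rdata = socket.inet_aton(DECOY_IP)
        answer, rcode = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata, 0
    out_flags = 0x8000 | (flags & 0x0100) | (0x0400 if answer else 0) | rcode
    header = struct.pack("!HHHHHH", txid, out_flags, 1, 1 if answer else 0, 0, 0)
    return header + pkt[12:end] + answer
```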
