Engage Goals: EGO0003 Elicit
Engage Approach: EAP0001 Collect
Engage Actions: EAC0016 Network Manipulation, EAC0018 Security Controls
Name of Element: Fake Firewall with Permissive Ruleset
Description of Element:
Deploy a decoy firewall with an intentionally permissive ruleset that allows most traffic to pass through. This can be used to lure attackers into a false sense of security, allowing you to observe their activities and gather intelligence on their tools and techniques.
Technical Context:
Placement: Deployed at the network perimeter or within a DMZ, positioned to intercept attacker traffic.
Use a virtual machine or a dedicated hardware appliance to run firewall software (e.g., pfSense, OPNsense). Configure the firewall with a ruleset that allows most traffic, possibly with exceptions for specific services or protocols that you want to monitor more closely. Implement logging and monitoring so that attacker activity is captured and can be analysed for tools and techniques.
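As an added example (not part of this Engage entry or of pfSense/OPNsense), the following Python script profiles per-source activity from a permissive decoy firewall's log: it counts connections the decoy let through, counts hits on the monitored exception (block) rules, and flags sources that walked many destination ports. The log layout is a constructed simplification; a real pfSense or OPNsense filterlog line is also comma-separated but carries more columns.

```python
"""Summarise what a permissive decoy firewall recorded, per source address.
Assumed (constructed) log layout, simplified from pfSense-style filterlog CSV:
    action,direction,interface,protocol,src_ip,dst_ip,src_port,dst_port
"""
from dataclasses import dataclass, field
# Constructed sample: one host walks six ports, one uses two services, one hits a blocked exception.
SAMPLE_LOG = """\
pass,in,em0,tcp,203.0.113.5,10.0.0.20,45000,22
pass,in,em0,tcp,203.0.113.5,10.0.0.20,45001,80
pass,in,em0,tcp,203.0.113.5,10.0.0.20,45002,443
pass,in,em0,tcp,203.0.113.5,10.0.0.20,45003,445
pass,in,em0,tcp,203.0.113.5,10.0.0.20,45004,3389
pass,in,em0,tcp,203.0.113.5,10.0.0.20,45005,8080
pass,in,em0,tcp,198.51.100.9,10.0.0.20,51000,443
pass,in,em0,udp,198.51.100.9,10.0.0.20,51001,53
block,in,em0,tcp,198.51.100.77,10.0.0.20,40000,23
this line is malformed and must be skipped
"""
@dataclass
class SourceProfile:
    dst_ports: set = field(default_factory=set)  # distinct destination ports touched
    passed: int = 0   # connections the permissive ruleset let through
    blocked: int = 0  # hits on the monitored exception (block) rules

def parse_line(line: str):
    """Return (action, src_ip, dst_port) or None for lines that do not fit the layout."""
    parts = line.strip().split(",")
    if len(parts) != 8 or parts[0] not in ("pass", "block") or not parts[7].isdigit():
        return None
    return parts[0], parts[4], int(parts[7])

def profile_sources(log_text: str) -> dict:
    """Aggregate the decoy's log into one SourceProfile per source IP."""
    profiles: dict = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action, src, dport = rec
        p = profiles.setdefault(src, SourceProfile())
        p.dst_ports.add(dport)
        if action == "pass":
            p.passed += 1
        else:
            p.blocked += 1
    return profiles

def flag_scanners(profiles: dict, port_threshold: int = 5) -> list:
    """Sources that touched at least port_threshold distinct destination ports."""
    return sorted(s for s, p in profiles.items() if len(p.dst_ports) >= port_threshold)
```

Run `flag_scanners(profile_sources(SAMPLE_LOG))` to see which sources the decoy would escalate for closer observation; feed real filterlog exports through an adapted `parse_line()`.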
Other:
ATT&CK/Engage Mapping: T1562 Impair Defenses, E1501 Honeytrap