Fake Security Information and Event Management (SIEM) with Honey data

Deploy a decoy SIEM that collects and displays fabricated security events and alerts. This can be used to mislead attackers, waste their time, or gather information about their attempts to tamper with or evade security monitoring systems.

Engage Goals: EGO0003 Elicit

Engage Approach: EAP0001 Collect

Engage Actions: EAC0015 Information Manipulation, EAC0018 Security Controls

Name of Element: Fake Security Information and Event Management (SIEM) with Honey data

Description of Element:

Deploy a decoy SIEM that collects and displays fabricated security events and alerts. This can be used to mislead attackers, waste their time, or gather information about their attempts to tamper with or evade security monitoring systems.

Technical Context:

Placement: Deployed within the organization’s security infrastructure, alongside legitimate security monitoring tools.

Use a virtual machine or a dedicated server to deploy SIEM software (e.g., Splunk, ELK stack). Configure the SIEM to ingest fabricated security events and alerts that mimic real attack scenarios or are tailored to specific attacker techniques. Add logging and monitoring that captures every interaction with the decoy SIEM, so that attempts to search, delete, or disable its data can be analyzed as evidence of attacker behavior.
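The following is an added example, not code from the Engage page or from any SIEM vendor. It shows the two pieces the technical context describes in a small, self-contained form: a generator for fabricated ("honey") security events that carry a recognizable tag, and a monitor that reads the decoy SIEM's own access log and flags tampering-style interactions such as deleting alerts or disabling rules. The log format, API paths, hostnames, users and the `honey_tag` field are all constructed assumptions; a real deployment would use the access-log format and API of whichever SIEM is chosen.

```python
"""Added example (not part of the Engage page): fabricate honey events for a
decoy SIEM and flag tampering attempts recorded in the decoy's access log.
Hostnames, users, API paths and log lines below are constructed for illustration."""
import json
import random
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed vocabulary for the fabricated events; none of these refer to real systems.
HONEY_USERS = ["svc-backup", "jdoe", "admin-ops"]
HONEY_HOSTS = ["fs01.corp.example", "db02.corp.example", "jump01.corp.example"]
HONEY_EVENT_TYPES = ["auth_failure", "auth_success", "privilege_change", "file_access"]


def generate_honey_events(count, seed=0, start=None):
    """Return `count` fabricated SIEM events as dicts, deterministically for a given seed.
    The hypothetical 'honey_tag' field marks each record so defenders can recognize
    the decoy data if it is ever reused or surfaces outside the decoy."""
    rng = random.Random(seed)
    start = start or datetime(2024, 1, 1, tzinfo=timezone.utc)
    events = []
    for i in range(count):
        ts = start + timedelta(seconds=rng.randint(0, 86400))
        events.append({
            "timestamp": ts.isoformat(),
            "event_type": rng.choice(HONEY_EVENT_TYPES),
            "user": rng.choice(HONEY_USERS),
            "host": rng.choice(HONEY_HOSTS),
            "src_ip": f"10.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{rng.randint(1, 254)}",
            "honey_tag": f"HNY-{seed:04d}-{i:06d}",
        })
    return events


def events_to_jsonl(events):
    """Serialize events as JSON Lines, a format most SIEM ingest pipelines accept."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events) + "\n"


# Constructed access-log format for the decoy SIEM's web API:
#   <ip> - <user> [<timestamp>] "<METHOD> <path> HTTP/1.1" <status>
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

# Ordered rules: the first matching predicate names the interaction category.
# tamper_* categories are the behavior the decoy is meant to elicit (cf. T1070).
INTERACTION_RULES = [
    ("tamper_delete", lambda m, p: m == "DELETE" and p.startswith(("/api/alerts", "/api/index"))),
    ("tamper_disable", lambda m, p: m in ("POST", "PUT") and p.endswith("/disable")),
    ("tamper_retention", lambda m, p: m in ("POST", "PUT", "PATCH") and "/retention" in p),
    ("read_alerts", lambda m, p: m == "GET" and p.startswith("/api/alerts")),
    ("search", lambda m, p: m == "POST" and p.startswith("/api/search")),
]


def classify_interaction(line):
    """Map one access-log line to a category, or None if the line does not parse."""
    match = ACCESS_RE.match(line.strip())
    if not match:
        return None
    method, path = match.group("method"), match.group("path")
    for name, predicate in INTERACTION_RULES:
        if predicate(method, path):
            return name
    return "other"


def summarize_interactions(lines):
    """Count interaction categories per source IP, skipping unparsable lines."""
    summary = {}
    for line in lines:
        category = classify_interaction(line)
        if category is None:
            continue
        ip = ACCESS_RE.match(line.strip()).group("ip")
        summary.setdefault(ip, Counter())[category] += 1
    return summary


def tampering_sources(lines):
    """Source IPs that performed at least one tamper_* action against the decoy."""
    return sorted(ip for ip, counts in summarize_interactions(lines).items()
                  if any(cat.startswith("tamper_") for cat in counts))


# Constructed sample access log: one analyst reading alerts, one actor tampering.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - analyst [01/Jan/2024:10:00:01 +0000] "GET /api/alerts?since=1h HTTP/1.1" 200',
    '192.0.2.10 - analyst [01/Jan/2024:10:00:07 +0000] "POST /api/search HTTP/1.1" 200',
    '203.0.113.7 - admin-ops [01/Jan/2024:10:05:12 +0000] "DELETE /api/alerts/4471 HTTP/1.1" 204',
    '203.0.113.7 - admin-ops [01/Jan/2024:10:05:20 +0000] "POST /api/alerts/rule-17/disable HTTP/1.1" 200',
    '203.0.113.7 - admin-ops [01/Jan/2024:10:05:31 +0000] "DELETE /api/index/auth-logs HTTP/1.1" 202',
    "this line is malformed and should be skipped",
]

if __name__ == "__main__":
    print(events_to_jsonl(generate_honey_events(3, seed=7)))
    print(summarize_interactions(SAMPLE_ACCESS_LOG))
    print("tampering from:", tampering_sources(SAMPLE_ACCESS_LOG))
```

The generator is seeded so the same honey data can be regenerated when checking whether a tag seen elsewhere came from the decoy; the rule list is deliberately simple and ordered so that a destructive method on alert or index paths is classified as tampering before any read or search rule can claim it.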

Other:

ATT&CK/Engage Mapping: T1070 Indicator Removal on Host, E1504 Decoy Content