Deceptive Syslog Daemon

Goal: To identify attackers who probe or tamper with the logging subsystem, or who use it to learn about the system's activity.

Approach: Monitor the decoy daemon for any interaction, and check its files for modification.

This element deploys a decoy syslog daemon that accepts log messages no legitimate producer sends. It watches for specific messages (for example, ones that indicate an attempt to clear or overwrite logs) and triggers a deceptive response, such as raising an alert out of band or redirecting the attacker to a honeypot.

Because no legitimate process should talk to the decoy, any attempt to interact with it or modify it identifies an attacker, and the action is recorded. The recorded behaviour feeds back into detection rules and hardening, making it harder for the attacker to compromise the real system.
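The following is an added example, not code from the original page or from any particular product, of how such a decoy can be built: a UDP syslog receiver that parses RFC 3164-style messages, treats every datagram as an alert (the decoy has no legitimate senders), ranks messages that look like log tampering higher, and periodically hashes its own files to detect modification. The port (5514), the indicator patterns and the sample messages in the test are assumptions chosen for illustration.

```python
# Added example (not the page's own code): a decoy syslog receiver that alerts on
# every datagram, ranks log-tampering indicators higher, and watches its own files.
# The port, indicator list and any paths are assumptions chosen for illustration.
import hashlib
import json
import re
import socket
import sys
import time
from typing import Dict, Iterable, List, Optional

# RFC 3164 shape: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>"
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    rb"(?P<host>\S+) "
    rb"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s?"
    rb"(?P<msg>.*)\Z",
    re.DOTALL,
)

# Constructed heuristics: shell fragments that commonly appear when logs are wiped.
TAMPER_INDICATORS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"rm\s+(-\w+\s+)*/var/log",   # rm -rf /var/log/...
        r">\s*/var/log/\S+",          # > /var/log/auth.log (truncate via redirect)
        r"truncate\b.*\s/var/log",    # truncate -s0 /var/log/...
        r"shred\b",                   # shred -u ...
        r"history\s+-c",              # clear shell history
        r"journalctl\s+--vacuum",     # purge the journal
    )
]


def parse_syslog(datagram: bytes) -> Optional[dict]:
    """Parse one RFC 3164-style datagram; return None if it does not look like syslog."""
    m = SYSLOG_RE.match(datagram.rstrip(b"\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23 * 8 + severity 0-7; anything above is invalid
        return None
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts").decode("ascii"),
        "host": m.group("host").decode("ascii", "replace"),
        "tag": m.group("tag").decode("ascii", "replace"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg").decode("utf-8", "replace"),
    }


def assess(datagram: bytes, peer: str) -> dict:
    """Every datagram is an alert: the decoy has no legitimate producers."""
    alert = {"time": time.time(), "peer": peer,
             "raw": datagram[:1024].decode("utf-8", "replace")}
    event = parse_syslog(datagram)
    if event is None:
        alert.update(level="high", reason="malformed syslog (probing or fuzzing)")
        return alert
    alert["event"] = event
    hits = [p.pattern for p in TAMPER_INDICATORS if p.search(event["msg"])]
    if hits:
        alert.update(level="high", reason="log-tampering indicator", indicators=hits)
    else:
        alert.update(level="medium", reason="unsolicited interaction with decoy")
    return alert


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(paths: Iterable[str]) -> Dict[str, str]:
    """Hash the decoy's own files; a file that cannot be read is left out (and so reported)."""
    out = {}
    for p in paths:
        try:
            with open(p, "rb") as fh:
                out[p] = fingerprint(fh.read())
        except OSError:
            pass
    return out


def detect_modification(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Return baseline files whose hash changed or that vanished."""
    return sorted(p for p, h in baseline.items() if current.get(p) != h)


def serve(bind="0.0.0.0", port=5514, watched=(), sink=sys.stdout):
    """Run the decoy. `sink` should be an out-of-band channel, not the host's own syslog."""
    baseline = snapshot(watched)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    sock.settimeout(5.0)  # wake up regularly to re-check file integrity
    while True:
        try:
            datagram, (peer, _) = sock.recvfrom(65535)
            sink.write(json.dumps(assess(datagram, peer)) + "\n")
        except socket.timeout:
            pass
        changed = detect_modification(baseline, snapshot(watched))
        if changed:
            sink.write(json.dumps({"time": time.time(), "level": "high",
                                   "reason": "decoy files modified", "files": changed}) + "\n")
        sink.flush()


if __name__ == "__main__":
    serve(watched=sys.argv[1:])  # e.g. python decoy_syslog.py /opt/decoy/rsyslog.conf
```

Two design points matter more than the parsing: the receiver never answers the sender (syslog over UDP has no reply, so staying silent is the convincing behaviour), and alerts are written to a sink the operator chooses rather than to the local logger, because an attacker who is clearing logs would otherwise erase the evidence of being caught.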

Engage Goals: EGO0001 Expose, EGO0003 Elicit

Engage Approach: EAP0001 Collect, EAP0002 Detect

Engage Actions: EAC0015 Information Manipulation, EAC0018 Security Controls

Technical Context:

This element can be combined with other deceptive elements, such as fake files or deceptive network configurations, to enhance its effectiveness. It aligns with the MITRE ATT&CK technique T1070.002 (Indicator Removal: Clear Linux or Mac System Logs).

Other:

This element requires careful planning and execution so that it does not interfere with the normal operation of the system: the decoy must not bind the socket or port the real syslog daemon uses, its alerts must leave the host by a channel the attacker cannot suppress by tampering with local logs, and legitimate log forwarding must never be pointed at it, or every benign message becomes a false alert.