C2 Honeyclients

Goal: Identify compromised systems by deploying decoy clients that mimic C2 communication patterns.

Approach: Monitoring network traffic for connections to C2 honeyclients.

Deploy decoy clients (“honeyclients”) that mimic the behavior of infected systems communicating with C2 servers. Monitor any attempts to connect to or control these honeyclients to identify compromised systems and attacker infrastructure.

Deceptive C2 Protocols

Goal: Disrupt attacker communications by manipulating C2 protocols or introducing unexpected behavior.

Approach: Modifying C2 protocols or introducing anomalies to confuse attackers.

Modify existing C2 protocols or introduce subtle anomalies in communication patterns to confuse attackers, disrupt their tools, or trigger alerts. This can involve changing data formats, introducing delays, or injecting unexpected commands.

Fake C2 Servers

Goal: Capture attacker communications and gather intelligence about their infrastructure and operations.

Approach: Setting up decoy C2 servers that mimic legitimate C2 infrastructure.

Deploy fake command-and-control (C2) servers that mimic the behavior of popular malware families. These servers can capture attacker commands, log communications, and even deliver deceptive responses to mislead attackers and disrupt their operations.
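An added example, not part of the original page, of the capture-and-respond loop a decoy C2 server runs. It does not imitate any particular malware family: the check-in path, the request fields and the "sleep" reply are constructed assumptions, and the in-memory list stands in for whatever log pipeline the deployment uses. Every beacon is recorded with its source address, path, User-Agent and body, and the client is answered with an idle instruction so the decoy never hands out real tasking.

```python
import json
import logging
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

LOG = logging.getLogger("decoy_c2")

# Constructed deceptive reply: an idle/sleep instruction is the only thing the decoy ever issues.
DECOY_SLEEP_RESPONSE = {"task": "sleep", "interval": 3600}

# In-memory record of captured check-ins; a real deployment would forward these to a SIEM.
BEACONS = []


def record_beacon(client_ip, path, headers, body):
    """Capture one check-in and return the deceptive response to send back."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "src": client_ip,
        "path": path,
        "user_agent": headers.get("User-Agent", ""),
        "body": body.decode("utf-8", errors="replace"),
    }
    BEACONS.append(entry)
    LOG.warning("decoy C2 check-in: %s", json.dumps(entry))
    return DECOY_SLEEP_RESPONSE


def beacon_sources():
    """Distinct source addresses seen so far, i.e. hosts worth investigating."""
    return sorted({b["src"] for b in BEACONS})


class DecoyHandler(BaseHTTPRequestHandler):
    """Accept any GET/POST, log it, answer with the sleep instruction."""

    def _handle(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        reply = record_beacon(self.client_address[0], self.path, self.headers, body)
        data = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = _handle
    do_POST = _handle

    def log_message(self, *args):
        # Default handler logging is replaced by the structured record above.
        pass


def serve(port=8080):
    """Run the decoy; bind only on a segment where real clients never connect."""
    logging.basicConfig(level=logging.WARNING)
    HTTPServer(("0.0.0.0", port), DecoyHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Because the decoy only ever answers with an idle instruction, any host that keeps checking in is a high-confidence signal; `beacon_sources()` gives the list to hand to incident response.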

Deceptive Data Masking

Goal: Disrupt attacker attempts to exfiltrate sensitive data by masking or altering its content.

Approach: Modifying sensitive data in transit to render it useless to attackers.

Implement mechanisms that dynamically alter or mask sensitive data as it is being exfiltrated. This can involve encryption, obfuscation, or even replacing the data with decoy information, rendering it useless to the attacker.

Deceptive Data Channels

Goal: Redirect attacker exfiltration attempts to controlled channels or disrupt their operations.

Approach: Creating fake data channels that appear to be valuable exfiltration routes.

Set up fake network channels, storage devices, or cloud services that appear to be ideal for data exfiltration. Redirect attacker traffic to these channels to capture exfiltrated data, analyze their methods, or disrupt their operations.

Honeyfiles with Deceptive Content

Goal: Identify attackers attempting to exfiltrate data and gather information about their targets.

Approach: Creating and monitoring honeyfiles with enticing but fake data.

Plant “honeyfiles” – files that appear to contain sensitive information – in locations where attackers are likely to search for valuable data. These files contain fabricated data and tracking mechanisms, and can trigger alerts when they are accessed.

Deceptive Local Administrator Passwords

Goal: Disrupt attacker attempts to exploit common local administrator passwords for lateral movement.

Approach: Deploying a diverse set of fake local administrator passwords across systems.

Configure systems with a variety of deceptive local administrator passwords that differ from the actual password. This can slow down or frustrate attackers who rely on common passwords or credential dumping techniques.

Fake RDP Honeypots

Goal: Lure attackers attempting to use RDP for lateral movement and gather information about their tools and techniques.

Approach: Deploying and monitoring fake RDP servers.

Set up decoy RDP servers that mimic legitimate systems but capture attacker credentials, log keystrokes, or redirect them to a controlled environment.

Deceptive Network Shares

Goal: Detect attempts to access sensitive or restricted network shares.

Approach: Creating and monitoring fake network shares.

Create fake network shares with enticing names or permissions that appear to contain valuable data. Monitor any access attempts to these shares to identify attackers and gather information about their activities.
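The two monitoring tasks above (honeyfiles that carry tracking data, and decoy shares whose access is logged) share one mechanism: plant content that should never be touched, then alert on any audit event that touches it. The following is an added example, not code from the original page. The honeyfile names, their templates, the audit-log line format and the ignored service account are all constructed assumptions; the per-file HMAC token lets an alert, or a copy found later, be mapped back to the exact honeyfile that was taken.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Constructed secret: in a deployment load this from a vault, never from source.
CANARY_KEY = b"example-canary-key-change-me"

# Constructed honeyfiles: relative path inside the decoy share -> content template.
HONEYFILES = {
    "finance/payroll_2023.csv": "employee,salary,iban\nA. Example,91000,{token}\n",
    "it/backup_credentials.txt": "# service account (decoy)\nuser=svc_backup\npass={token}\n",
}

# Accounts expected to read every file (backup, indexing); tune per environment to avoid noise.
IGNORED_USERS = {"svc_backup_agent"}

# Constructed audit format: "<iso-ts> user=<u> host=<h> op=<read|write|list> path=<p>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) op=(?P<op>\S+) path=(?P<path>.+)$"
)


def canary_token(relative_path):
    """Derive a per-file token so an alert or leaked copy identifies one honeyfile."""
    return hmac.new(CANARY_KEY, relative_path.encode(), hashlib.sha256).hexdigest()[:16]


def plant_honeyfiles(root):
    """Write every honeyfile under root with its token embedded; return {path: token}."""
    registry = {}
    for rel, template in HONEYFILES.items():
        token = canary_token(rel)
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(template.format(token=token))
        registry[rel] = token
    return registry


def parse_event(line):
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_honeyfile_access(lines, registry, share_root):
    """Return one alert per audit event that touches a registered honeyfile."""
    alerts = []
    prefix = share_root.rstrip("/") + "/"
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["user"] in IGNORED_USERS or not ev["path"].startswith(prefix):
            continue
        rel = ev["path"][len(prefix):]
        if rel in registry:
            alerts.append({**ev, "honeyfile": rel, "token": registry[rel]})
    return alerts


# Constructed sample audit lines: one backup read (ignored), two reads by a workstation user
# (alerts), one ordinary file (no alert), one directory listing (not a honeyfile path).
SAMPLE_AUDIT = [
    "2024-03-01T02:10:00Z user=svc_backup_agent host=bkp01 op=read path=/srv/shares/corp/finance/payroll_2023.csv",
    "2024-03-01T09:14:22Z user=jdoe host=ws-017 op=read path=/srv/shares/corp/finance/payroll_2023.csv",
    "2024-03-01T09:14:30Z user=jdoe host=ws-017 op=read path=/srv/shares/corp/it/backup_credentials.txt",
    "2024-03-01T09:15:01Z user=asmith host=ws-042 op=read path=/srv/shares/corp/hr/handbook.pdf",
    "2024-03-01T09:15:05Z user=jdoe host=ws-017 op=list path=/srv/shares/corp/it",
]


def run_demo():
    """Plant the honeyfiles in a temporary share and run detection over the sample log."""
    with tempfile.TemporaryDirectory() as share:
        registry = plant_honeyfiles(share)
        planted = (Path(share) / "it/backup_credentials.txt").read_text()
        alerts = detect_honeyfile_access(SAMPLE_AUDIT, registry, "/srv/shares/corp")
        return {"registry": registry, "planted_has_token": registry["it/backup_credentials.txt"] in planted, "alerts": alerts}


if __name__ == "__main__":
    for a in run_demo()["alerts"]:
        print(f"ALERT {a['ts']} {a['user']}@{a['host']} {a['op']} {a['honeyfile']} token={a['token']}")
```

Excluding known service accounts is what keeps the alert meaningful: a backup agent will read every decoy on schedule, so without the exclusion the honeyfile fires daily and gets tuned out.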

Fake Privilege Boundaries

Goal: Confuse and misdirect attackers by creating the illusion of different privilege levels or access restrictions.

Approach: Presenting attackers with a misleading view of privilege boundaries.

Manipulate system responses or network configurations to create the perception of different privilege levels or access restrictions. This can lead attackers down unproductive paths or reveal their intentions.