Honeytokened Administrative Tools

Goal: Detect and track the usage of administrative tools by unauthorized users.

Approach: Monitoring access to and usage of honeytokened tools.

Deploy decoy versions of administrative tools (e.g., PowerShell, PsExec) that mimic their legitimate counterparts but log usage, trigger alerts, or provide misleading information.
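One way to build the logging side of such a decoy, as an added example that is not part of the original page: a stand-in for a tool like PsExec that never performs the real action, but records who invoked it, from where, with what arguments, and emits a structured alert record a SIEM can pick up. The event type name, the EXPECTED_OPERATORS allow-list and the severity grading are assumptions made for this example.

```python
"""Decoy administrative tool (hypothetical example, not from the original page).

Drop this in place of the real binary on hosts where the tool should never be
run. Every invocation is logged as a JSON event and answered with a harmless
error, so the caller learns nothing and the decoy does not reveal itself.
"""
import getpass
import json
import os
import socket
import sys
from datetime import datetime, timezone

# Constructed allow-list: accounts that legitimately touch the decoy, such as a
# scheduled integrity check. Any other account is an unexpected user.
EXPECTED_OPERATORS = frozenset({"svc-decoy-check"})


def grade(user, argv):
    """Return an alert severity for one invocation of the decoy.

    Expected operators are logged at 'info'. Anyone else running the tool with
    arguments (a target host, a command) is treated as an active use attempt
    and graded 'critical'; a bare execution with no arguments is 'high'.
    """
    if user in EXPECTED_OPERATORS:
        return "info"
    if argv:
        return "critical"
    return "high"


def build_event(tool_name, argv, user, host, cwd, ppid, now=None):
    """Assemble the structured alert record describing who touched the decoy."""
    now = now or datetime.now(timezone.utc)
    return {
        "type": "honeytoken.tool.invoked",  # assumed event name for the SIEM rule
        "tool": tool_name,
        "severity": grade(user, argv),
        "user": user,
        "host": host,
        "cwd": cwd,
        "ppid": ppid,            # parent process helps reconstruct the session
        "argv": list(argv),
        "time": now.isoformat(),
    }


def decoy_main(tool_name="psexec", argv=None, sink=sys.stderr):
    """Entry point of the decoy: log the invocation, then fail like the real tool."""
    argv = sys.argv[1:] if argv is None else argv
    event = build_event(
        tool_name,
        argv,
        getpass.getuser(),
        socket.gethostname(),
        os.getcwd(),
        os.getppid(),
    )
    sink.write(json.dumps(event) + "\n")
    # Respond like the genuine tool would on a permissions failure, so the
    # caller gets no hint that this copy is a decoy.
    print(f"{tool_name}: Access is denied.")
    return 1


if __name__ == "__main__":
    sys.exit(decoy_main())
```

The event goes to stderr here only for illustration; in a deployment the sink would be the endpoint agent or a dedicated log channel, and the detection rule simply fires on every `honeytoken.tool.invoked` event whose severity is above `info`.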

Deceptive Privilege Escalation Paths

Goal: Identify attackers attempting privilege escalation and gather information about their techniques.

Approach: Creating enticing but fake privilege escalation vulnerabilities.

Introduce seemingly vulnerable services or configurations that appear to allow privilege escalation. These paths lead to controlled environments or trigger alerts upon exploitation, revealing attacker TTPs.

Image-Based Malware Delivery

Goal: Deliver deceptive payloads or disrupt attacker operations through manipulated images.

Approach: Hiding malicious or disruptive code within images.

Embed malicious or disruptive code within images that are designed to be downloaded or processed by attackers. This code can trigger alerts, collect information about the attacker’s environment, or even disrupt their tools and infrastructure.

Deceptive Document Watermarks

Goal: Track the dissemination of sensitive documents and identify potential leaks.

Approach: Embedding hidden watermarks in documents to track their movement.

Embed hidden watermarks within documents that reveal themselves only under specific conditions or when accessed by unauthorized parties. These watermarks can carry tracking information or decoy data, or even trigger alerts upon discovery.
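A concrete form of the tracking information mentioned above, as an added example rather than code from the original page: each recipient's copy of a document carries an invisible per-recipient token, an HMAC over the document id and the recipient id, encoded as zero-width characters so the visible text is unchanged. When a copy turns up where it should not, the token is decoded and matched against the recipient list to attribute the leak. The secret key, the document id and the recipient addresses are constructed values for this example.

```python
"""Per-recipient document watermark (hypothetical example, not from the page).

The token is an HMAC, so it cannot be forged or altered to point at another
recipient without the server-side key, and it does not itself reveal who the
recipient is to anyone who notices the marks.
"""
import hashlib
import hmac

# Constructed server-side secret. In practice it lives in a KMS or secret store
# and never leaves the watermarking service.
WATERMARK_KEY = b"example-watermark-key-do-not-reuse"

# Two zero-width characters stand in for the bits 0 and 1.
ZW0, ZW1 = "\u200b", "\u200c"   # zero-width space, zero-width non-joiner


def make_token(doc_id, recipient, key=WATERMARK_KEY):
    """16 hex chars of HMAC-SHA256(key, doc_id || recipient): unique per recipient."""
    msg = f"{doc_id}\x00{recipient}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def encode_invisible(token):
    """Turn an ASCII token into a run of zero-width characters."""
    bits = "".join(f"{b:08b}" for b in token.encode("ascii"))
    return "".join(ZW1 if bit == "1" else ZW0 for bit in bits)


def decode_invisible(text):
    """Recover the embedded bytes; text with no marks yields b''."""
    bits = "".join("1" if c == ZW1 else "0" for c in text if c in (ZW0, ZW1))
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def watermark(body, doc_id, recipient):
    """Append the recipient's invisible token to the document body."""
    return body + encode_invisible(make_token(doc_id, recipient))


def strip_marks(text):
    """Visible text only, for confirming the watermark changed nothing readable."""
    return "".join(c for c in text if c not in (ZW0, ZW1))


def attribute_leak(leaked_text, doc_id, recipients, key=WATERMARK_KEY):
    """Return the recipient whose token is embedded in the leaked copy, or None.

    Comparison is constant-time and done against every candidate, so the
    result does not depend on the recipient list order.
    """
    found = decode_invisible(leaked_text)
    match = None
    for recipient in recipients:
        expected = make_token(doc_id, recipient, key).encode("ascii")
        if hmac.compare_digest(found, expected):
            match = recipient
    return match


if __name__ == "__main__":
    # Constructed demonstration input.
    original = "Q3 forecast. Revenue is expected to rise 4% on new contracts."
    copy_for_alice = watermark(original, "doc-42", "alice@example.com")
    print(attribute_leak(copy_for_alice, "doc-42",
                         ["bob@example.com", "alice@example.com"]))
```

Zero-width characters survive copy and paste between most text editors and mail clients but not a print-and-scan cycle or a plain-ASCII filter, so this variant tracks digital redistribution; a document that passes through a channel stripping such characters simply attributes to no one rather than to the wrong recipient.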

Fake Software Updates

Goal: Gather information about attacker activity by offering deceptive software updates.

Approach: Luring attackers to download and execute fake updates.

Create fake software updates that appear legitimate but contain tracking mechanisms or deceptive payloads. When an attacker downloads and executes these updates, valuable information about their tools, techniques, and objectives can be gathered.

Deceptive Beacons

Goal: Confuse and misdirect attackers by deploying deceptive beacons.

Approach: Emitting misleading signals to divert attackers.

Deploy beacons that mimic the network traffic of vulnerable or compromised systems. These beacons can lead attackers towards honeypots or decoy networks, or even trigger automated responses.

Poisoned Scripts

Goal: Disrupt attacker operations by injecting deceptive code into scripts downloaded from developer machines.

Approach: Manipulating scripts to deliver misleading information or disrupt execution.

If an attacker compromises a developer’s machine and downloads scripts or code, inject subtle errors, delays, or misleading functions into those files. This can cause the attacker’s tools to malfunction or lead them down false paths.

Deceptive Identity Provider (IdP) Responses

Goal: Redirect attackers attempting to authenticate to a deceptive environment.

Approach: Manipulating IdP responses to redirect authentication flows.

When an attacker attempts to authenticate through an IdP (e.g., OAuth, SAML), manipulate the response to redirect them to a fake login portal or a controlled environment.

Deceptive MFA Prompts

Goal: Disrupt and delay attackers attempting to bypass Multi-Factor Authentication (MFA).

Approach: Presenting attackers with deceptive MFA prompts.

When an attacker attempts to log in, present them with an unexpected MFA prompt, even if they have valid credentials. This can be a fake push notification, a request for a non-existent biometric scan, or a challenge question with no right answer.