Deceptive Data Channels

Goal: Redirect attacker exfiltration attempts to controlled channels or disrupt their operations.

Approach: Creating fake data channels that appear to be valuable exfiltration routes.

Set up fake network channels, storage devices, or cloud services that appear to be ideal for data exfiltration. Redirect attacker traffic to these channels to capture exfiltrated data, analyze their methods, or disrupt their operations.
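As an added example (not from the original page), the following Python decoy channel looks like a small HTTP object-store API: it accepts any upload, quarantines the bytes together with who-sent-what metadata, and always answers success so the sender keeps using it. The URL layout, server banner, header names and quarantine location are assumptions.

```python
"""Decoy exfiltration channel: an HTTP object-store look-alike that accepts any
upload, quarantines the bytes with who-sent-what metadata, and always answers
success so the sender keeps using it instead of a real channel.

Added example (not from the page). The URL layout, server banner, header
names and quarantine location are assumptions.
"""
import hashlib
import json
import tempfile
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

MAX_BYTES = 50 * 1024 * 1024     # stop a flood from filling the quarantine disk


def store_upload(body: bytes, meta: dict, root: Path) -> dict:
    """Write payload + sidecar JSON record named by content hash; return the record."""
    root.mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha256(body).hexdigest()
    record = {**meta, "sha256": digest, "size": len(body), "received_at": time.time()}
    (root / f"{digest}.bin").write_bytes(body)
    (root / f"{digest}.json").write_text(json.dumps(record, indent=2))
    return record


class DecoyHandler(BaseHTTPRequestHandler):
    server_version = "ObjectStore/1.0"      # constructed banner

    def _capture(self) -> None:
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(min(length, MAX_BYTES)) if length > 0 else b""
        meta = {
            "peer": self.client_address[0],
            "method": self.command,
            "path": self.path,
            "user_agent": self.headers.get("User-Agent", ""),
            "authorization": self.headers.get("Authorization", ""),   # presented tokens are evidence
        }
        record = store_upload(body, meta, self.server.quarantine)
        self.server.records.append(record)
        # Always succeed: a convincing channel keeps the sender engaged and logged.
        self._json(200, {"status": "ok", "object_id": record["sha256"][:16]})

    do_PUT = _capture
    do_POST = _capture

    def do_GET(self) -> None:
        # A plausible but empty listing, so a quick probe does not give the decoy away.
        self._json(200, {"objects": [], "bucket": self.path.strip("/") or "default"})

    def _json(self, code: int, payload: dict) -> None:
        raw = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(raw)))
        self.end_headers()
        self.wfile.write(raw)

    def log_message(self, *_args) -> None:   # evidence goes to the quarantine, not stderr
        pass


class DecoyServer(HTTPServer):
    def __init__(self, addr, quarantine: Path):
        super().__init__(addr, DecoyHandler)
        self.quarantine = quarantine
        self.records = []


def start(host: str = "127.0.0.1", port: int = 0, quarantine: Path = None) -> DecoyServer:
    """Run the decoy in a background thread; port 0 picks a free port (see server.server_port)."""
    srv = DecoyServer((host, port), quarantine or Path(tempfile.mkdtemp(prefix="decoy-quarantine-")))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def upload(url: str, body: bytes, token: str = "probe") -> dict:
    """Client-side helper: the call a monitoring probe makes to confirm the decoy still answers."""
    req = urllib.request.Request(url, data=body, method="PUT",
                                 headers={"Authorization": f"Bearer {token}", "User-Agent": "probe/1.0"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    srv = start()
    print(upload(f"http://127.0.0.1:{srv.server_port}/backup-archive/q1.zip", b"constructed sample bytes"))
    print(srv.records[-1]["peer"], srv.records[-1]["authorization"], srv.quarantine)
    srv.shutdown()
```

Every record is keyed by the SHA-256 of the payload, so the same file uploaded twice collapses to one object and the sidecar JSON is what feeds the alert pipeline; the cap on body size is the one thing that keeps a decoy like this from becoming a denial-of-service target for its own disk.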

Honeyfiles with Deceptive Content

Goal: Identify attackers attempting to exfiltrate data and gather information about their targets.

Approach: Creating and monitoring honeyfiles with enticing but fake data.

Plant “honeyfiles” – files with seemingly sensitive information – in locations where attackers are likely to search for valuable data. These files contain fabricated data, carry tracking mechanisms, or trigger alerts when they are accessed.

Deceptive Local Administrator Passwords

Goal: Disrupt attacker attempts to exploit common local administrator passwords for lateral movement.

Approach: Deploying a diverse set of fake local administrator passwords across systems.

Configure systems with a variety of deceptive local administrator passwords that differ from the actual password. This can slow down or frustrate attackers who rely on common passwords or credential dumping techniques.
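The following Python example is added here and is not part of the original page. It shows one way to make the decoy passwords both diverse and useful for attribution: each host gets a decoy password derived from a secret and its hostname, so nothing needs to be stored, and a decoy login endpoint that is handed a username/password pair can say which host's credential store it came from. The secret, hostnames and account name are constructed; the design choice of a single decoy account name with per-host passwords is an assumption.

```python
"""Per-host decoy local administrator passwords with attribution.

Added example (not from the page). Design choice here: every host gets the
same decoy account name but a password derived from a secret and the hostname,
so the defender never stores decoy passwords and can regenerate any of them,
and a decoy authentication endpoint that is handed a username/password pair can
say which host's credential store it was lifted from. The secret, hostnames and
account name are constructed.
"""
import hashlib
import hmac
from typing import Iterable, Optional

# 64 symbols (no I/O/l/o look-alikes) so byte % 64 picks characters without bias.
ALPHABET = ("ABCDEFGHJKLMNPQRSTUVWXYZ" "abcdefghijkmnpqrstuvwxyz" "23456789" "!#%&*+-=")
assert len(ALPHABET) == 64

DECOY_ACCOUNT = "localadm"   # constructed decoy account name, present on every host


def decoy_password(secret: bytes, hostname: str, length: int = 20) -> str:
    """Deterministic, host-unique password: HMAC-SHA256(secret, hostname || counter),
    expanded until `length` bytes are available, each mapped onto ALPHABET."""
    label = hostname.strip().lower().encode()
    material = b""
    counter = 0
    while len(material) < length:
        material += hmac.new(secret, label + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return "".join(ALPHABET[b % 64] for b in material[:length])


def attribute(secret: bytes, hostnames: Iterable[str], username: str, password: str) -> Optional[str]:
    """Given a credential pair observed at a decoy login endpoint, return the host
    whose decoy password it is, or None if it is not one of ours. Every candidate
    is compared in constant time and the loop never exits early, so response
    timing does not reveal which host matched."""
    if username.lower() != DECOY_ACCOUNT:
        return None
    hit = None
    for host in hostnames:
        if hmac.compare_digest(decoy_password(secret, host).encode(), password.encode()):
            hit = host
    return hit


def rollout_plan(secret: bytes, hostnames: Iterable[str]) -> dict:
    """What a deployment job would push to each host (account name + its decoy password).
    Generate on demand and never persist the output."""
    return {host: (DECOY_ACCOUNT, decoy_password(secret, host)) for host in hostnames}


# Constructed values for demonstration.
SECRET = b"rotate-me-and-keep-out-of-git"
HOSTS = ["WS-1042", "WS-1043", "SRV-FILE01"]

if __name__ == "__main__":
    plan = rollout_plan(SECRET, HOSTS)
    leaked_user, leaked_pw = plan["WS-1043"]
    print("decoy used at login endpoint came from:", attribute(SECRET, HOSTS, leaked_user, leaked_pw))
```

Two practical points: the decoy password must never be valid anywhere (the decoy account has no real privileges and the real administrator password is managed separately), and the secret is the only thing worth protecting, since anyone holding it can enumerate every decoy.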

Fake RDP Honeypots

Goal: Lure attackers attempting to use RDP for lateral movement and gather information about their tools and techniques.

Approach: Deploying and monitoring fake RDP servers.

Set up decoy RDP servers that mimic legitimate systems but capture attacker credentials, log keystrokes, or redirect them to a controlled environment.
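As an added example (not code from the original page), the Python below is the part of a decoy RDP listener that matters most for logging: a parser for the very first packet a client sends, the X.224 Connection Request (TPKT header plus X.224 CR TPDU, MS-RDPBCGR section 2.2.1.1). The routing cookie "Cookie: mstshash=<user>" carries the username the client typed and the RDP_NEG_REQ block carries the security protocols it will accept. The sample packets are constructed with build_connection_request(), and the peer addresses are constructed too.

```python
"""First-packet parser for a decoy RDP listener.

Added example (not from the page). A decoy RDP server can learn a lot from the
very first packet, the X.224 Connection Request (TPKT header plus X.224 CR TPDU,
MS-RDPBCGR 2.2.1.1), before any session is set up: the routing cookie
"Cookie: mstshash=<user>" carries the username the client typed and the
RDP_NEG_REQ block carries the security protocols it is willing to use. The
sample packets are constructed with build_connection_request(); the peer
addresses are constructed too.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

COOKIE_PREFIX = b"Cookie: mstshash="
TYPE_RDP_NEG_REQ = 0x01
# requestedProtocols flag bits from MS-RDPBCGR (PROTOCOL_SSL, PROTOCOL_HYBRID, ...).
PROTOCOL_NAMES = {0x1: "TLS", 0x2: "CredSSP (NLA)", 0x4: "RDSTLS", 0x8: "CredSSP with early user auth"}


@dataclass
class ConnectionRequest:
    peer: str
    username_hint: Optional[str]      # client-supplied, untrusted
    requested_protocols: List[str]


def parse_connection_request(data: bytes, peer: str) -> ConnectionRequest:
    """Decode TPKT + X.224 CR. Raises ValueError on anything that is not one."""
    if len(data) < 11 or data[0] != 3 or data[1] != 0:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError(f"TPKT length {tpkt_len} != {len(data)} bytes received")
    li = data[4]                       # length of the TPDU, not counting this byte
    if data[5] & 0xF0 != 0xE0:         # CR TPDU code is 1110 xxxx
        raise ValueError("not an X.224 Connection Request")
    # Fixed part is LI(1) code(1) dst-ref(2) src-ref(2) class(1); the variable part follows.
    var = data[11:5 + li]
    username = None
    protocols: List[str] = []
    if var.startswith(COOKIE_PREFIX):
        end = var.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated routing cookie")
        username = var[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        var = var[end + 2:]
    if len(var) >= 8 and var[0] == TYPE_RDP_NEG_REQ:
        _type, _flags, _length, requested = struct.unpack("<BBHI", var[:8])
        protocols = [name for bit, name in PROTOCOL_NAMES.items() if requested & bit]
        if not protocols:
            protocols = ["standard RDP security"]   # requestedProtocols == 0
    return ConnectionRequest(peer, username, protocols)


def build_connection_request(username: Optional[str], requested_protocols: int) -> bytes:
    """Lay out a client hello the way a real client would (used here only to make
    test input; the decoy itself never sends one)."""
    var = b""
    if username:
        var += COOKIE_PREFIX + username.encode("ascii") + b"\r\n"
    var += struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    tpdu = bytes([0xE0]) + b"\x00\x00" + b"\x00\x00" + b"\x00" + var
    tpdu = bytes([len(tpdu)]) + tpdu                    # prepend LI
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu


def serve(bind: str = "0.0.0.0", port: int = 3389) -> None:
    """Minimal decoy loop: record the first packet of every connection, then close.
    It never negotiates a session, so nothing a visitor types is relayed anywhere."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            with conn:
                conn.settimeout(5)
                peer = f"{addr[0]}:{addr[1]}"
                try:
                    print(parse_connection_request(conn.recv(1024), peer))
                except (ValueError, OSError) as exc:
                    print(f"{peer}: not a well-formed RDP hello ({exc})")


if __name__ == "__main__":
    print(parse_connection_request(build_connection_request("administrator", 0x3), "203.0.113.7:51122"))
```

The username hint is whatever the client chose to put in the cookie, so treat it as untrusted input when it reaches a dashboard or a SIEM query, and note that a connection that sends no cookie and no RDP_NEG_REQ is itself a signal: most interactive clients send both.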

Deceptive Network Shares

Goal: Detect attempts to access sensitive or restricted network shares.

Approach: Creating and monitoring fake network shares.

Create fake network shares with enticing names or permissions that appear to contain valuable data. Monitor any access attempts to these shares to identify attackers and gather information about their activities.
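The Python below is an added example covering both this section and the honeyfiles section above; it is not code from the original page. It keeps an inventory of decoy files and decoy shares, evaluates a batch of audit events against it while ignoring an allow-listed backup process, and includes the canary marker that lets a leaked honeyfile copy be traced back to its decoy. The event records are constructed and simplified, loosely modelled on Windows Security events 4663 (object accessed) and 5140 (network share accessed); the field names, decoy paths, share names and the allow-listed process path are assumptions, not a vendor schema.

```python
"""Detect access to decoy files and decoy network shares from audit events.

Added example (not from the page). The event records are constructed and
simplified, modelled loosely on Windows Security events 4663 (an object was
accessed) and 5140 (a network share was accessed); field names are
illustrative, not a vendor schema. Decoy paths, share names and the
allow-listed process are assumptions.
"""
import fnmatch
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Inventory of decoys. Share names are glob patterns so one entry covers every server.
DECOY_FILES = {
    r"\\FS01\Finance\payroll_2024.xlsx",
    r"C:\Users\Public\passwords.txt",
}
DECOY_SHARES = {r"\\*\Backups$", r"\\*\HR_Archive"}

# Processes that legitimately open every file (backup, AV) and would otherwise
# alert on every run. Keep this list short and review it with the decoy inventory.
ALLOWLIST_PROCESSES = {r"C:\Program Files\BackupAgent\agent.exe"}


@dataclass
class Alert:
    event_id: int
    user: str
    source: str        # process path for file events, client IP for share events
    object_name: str
    reason: str


def make_canary(prefix: str = "CANARY") -> str:
    """Unique marker to embed in each honeyfile so a leaked copy can be traced
    back to the exact decoy it came from (record the value alongside the decoy)."""
    return f"{prefix}-{secrets.token_hex(8)}"


def find_canaries(blob: bytes, known: dict) -> List[str]:
    """Return the decoy names whose canary appears in a blob (e.g. a DLP capture)."""
    return [name for name, token in known.items() if token.encode() in blob]


def is_decoy_share(share: str) -> bool:
    return any(fnmatch.fnmatchcase(share, pattern) for pattern in DECOY_SHARES)


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert when one event touches a decoy, otherwise None."""
    eid = event.get("EventID")
    if eid == 4663:
        if event.get("ProcessName") in ALLOWLIST_PROCESSES:
            return None
        obj = event.get("ObjectName", "")
        if obj in DECOY_FILES:
            return Alert(eid, event.get("SubjectUserName", "?"),
                         event.get("ProcessName", "?"), obj, "decoy file opened")
    elif eid == 5140:
        share = event.get("ShareName", "")
        if is_decoy_share(share):
            return Alert(eid, event.get("SubjectUserName", "?"),
                         event.get("IpAddress", "?"), share, "decoy share accessed")
    return None


def scan(events: List[dict]) -> List[Alert]:
    """Run evaluate() over an event batch and keep the hits."""
    return [alert for alert in map(evaluate, events) if alert is not None]


# Constructed sample batch: two decoy touches, one backup-agent read to ignore,
# and two ordinary accesses.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "jdoe", "ProcessName": r"C:\Windows\explorer.exe",
     "ObjectName": r"\\FS01\Finance\payroll_2024.xlsx"},
    {"EventID": 4663, "SubjectUserName": "SYSTEM", "ProcessName": r"C:\Program Files\BackupAgent\agent.exe",
     "ObjectName": r"\\FS01\Finance\payroll_2024.xlsx"},
    {"EventID": 5140, "SubjectUserName": "svc_scan", "IpAddress": "10.0.5.17",
     "ShareName": r"\\FS01\Backups$"},
    {"EventID": 5140, "SubjectUserName": "jdoe", "IpAddress": "10.0.5.20",
     "ShareName": r"\\FS01\Public"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "ProcessName": r"C:\Windows\notepad.exe",
     "ObjectName": r"C:\Users\jdoe\notes.txt"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Because a decoy is never opened legitimately, a single hit is enough to alert; the allow-list exists only so that indexing, backup and antivirus jobs do not page someone every night, and it should be reviewed whenever the decoy inventory changes.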

Fake Privilege Boundaries

Goal: Confuse and misdirect attackers by creating the illusion of different privilege levels or access restrictions.

Approach: Presenting attackers with a misleading view of privilege boundaries.

Manipulate system responses or network configurations to create the perception of different privilege levels or access restrictions. This can lead attackers down unproductive paths or reveal their intentions.

Honeytokened Administrative Tools

Goal: Detect and track the usage of administrative tools by unauthorized users.

Approach: Monitoring access to and usage of honeytokened tools.

Deploy decoy versions of administrative tools (e.g., PowerShell, PsExec) that mimic their legitimate counterparts but log usage, trigger alerts, or provide misleading information.

Deceptive Privilege Escalation Paths

Goal: Identify attackers attempting privilege escalation and gather information about their techniques.

Approach: Creating enticing but fake privilege escalation vulnerabilities.

Introduce seemingly vulnerable services or configurations that appear to allow privilege escalation. These paths lead to controlled environments or trigger alerts upon exploitation, revealing attacker TTPs.

Deceptive Identity Provider (IdP) Responses

Goal: Redirect attackers attempting to authenticate to a deceptive environment.

Approach: Manipulating IdP responses to redirect authentication flows.

When an attacker attempts to authenticate through an IdP (e.g., via OAuth or SAML), manipulate the response to redirect them to a fake login portal or a controlled environment.

Deceptive MFA Prompts

Goal: Disrupt and delay attackers attempting to bypass Multi-Factor Authentication (MFA).

Approach: Presenting attackers with deceptive MFA prompts.

When an attacker attempts to log in, present them with an unexpected MFA prompt, even if they have valid credentials. This can be a fake push notification, a request for a non-existent biometric scan, or a challenge question with no right answer.