Deceptive User Permissions

Goal: Thwart attackers’ attempts to exploit user permissions for lateral movement or unauthorized access.

Approach: Implementing misleading access control lists (ACLs) or fake permissions to misdirect attackers.

Configure decoy permissions on files, folders, shares or other objects so that they look like a path to sensitive data or critical systems: a share that appears readable by a broad group, a folder ACL that names an administrative account, a key file that enumeration tooling will list. Every decoy object must be audited (a SACL on Windows, auditd rules on Linux) so that any read, not only a write, raises an alert, and the decoy permissions must never grant real access to anything of value. Expect your own backup jobs and vulnerability scanners to touch the decoys; suppress those specific principals rather than lowering the alert severity.

Deceptive Group Memberships

Goal: Expose attackers attempting to enumerate or exploit group memberships and gather information about their activities.

Approach: Creating fake user groups or assigning users to deceptive groups to monitor unauthorized access attempts.

Create fake groups with enticing names or apparent privileges (a legacy administrator group, a break-glass group) and populate them with honeytoken accounts. Attackers enumerating the directory will find them, and any logon, Kerberos ticket request or password spray against a honeytoken account is a high-fidelity alert, because no legitimate process ever uses it. If a honeytoken account is placed in a real privileged group to make it credible, give it a long random password, restrict where it may log on and treat any authentication attempt as an incident; otherwise a compromised lure becomes a real foothold.
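
The detection side of the two techniques above (decoy permissions and decoy groups), as an added example that is not part of the original page: a small triage routine run over constructed audit events. The event shapes loosely follow Windows Security event IDs (4663 object access, 4624/4625 logon success and failure, 4799 security-enabled group membership enumerated), and the decoy paths, honeytoken accounts, decoy groups and expected readers are hypothetical names chosen for the example.

```python
"""Triage audit events for interaction with decoy permissions and decoy groups.

Added example, not from the original page. Events are constructed and only
loosely modelled on Windows Security event IDs; decoy names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Hypothetical lure inventory: nothing here grants access to anything real.
DECOY_PATHS = {
    r"\\fs01\finance\payroll_2024.xlsx",
    r"\\fs01\it\admin_passwords.kdbx",
}
HONEYTOKEN_ACCOUNTS = {"svc_backup_admin", "j.doe-adm"}
DECOY_GROUPS = {"Tier0-Break-Glass", "SQL Admins (Legacy)"}
# Principals that legitimately touch decoy files (backup job, the deception
# tooling itself). Suppress them by identity instead of lowering severity.
EXPECTED_READERS = {r"NT AUTHORITY\SYSTEM", r"CORP\svc_backup"}


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    subject: str
    detail: str


def evaluate(event: Dict) -> Optional[Alert]:
    """Map one audit event to an alert, or None if it is of no interest."""
    eid = event.get("event_id")
    subject = event.get("subject", "")
    if eid == 4663 and event.get("object") in DECOY_PATHS:
        if subject in EXPECTED_READERS:
            return None
        return Alert("high", "decoy-object-access", subject, event["object"])
    if eid in (4624, 4625):
        target = event.get("target_user", "")
        if target.lower() in {a.lower() for a in HONEYTOKEN_ACCOUNTS}:
            outcome = "succeeded" if eid == 4624 else "failed"
            return Alert("critical", "honeytoken-logon", target,
                         f"logon {outcome} from {event.get('src_ip', '?')}")
    if eid == 4799 and event.get("group") in DECOY_GROUPS:
        return Alert("medium", "decoy-group-enumerated", subject, event["group"])
    return None


def triage(events: Iterable[Dict]) -> List[Alert]:
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample: benign traffic, then enumeration, decoy read, lure logon.
SAMPLE_EVENTS = [
    {"event_id": 4624, "target_user": "a.nguyen", "src_ip": "10.1.4.22"},
    {"event_id": 4663, "subject": r"CORP\svc_backup",
     "object": r"\\fs01\finance\payroll_2024.xlsx"},
    {"event_id": 4799, "subject": r"CORP\a.nguyen", "group": "Tier0-Break-Glass"},
    {"event_id": 4663, "subject": r"CORP\a.nguyen",
     "object": r"\\fs01\it\admin_passwords.kdbx"},
    {"event_id": 4625, "target_user": "SVC_BACKUP_ADMIN", "src_ip": "10.1.4.22"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The backup account's read of the payroll decoy is suppressed by identity, while the same read by an interactive user alerts; the failed logon to the honeytoken account is rated critical regardless of outcome, since nothing legitimate should ever try it.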

Deceptive User Profile Attributes

Goal: Misdirect attackers and gather information about their activities by manipulating user profile attributes.

Approach: Subtly altering user profile information to create misleading paths or trigger alerts.

Modify profile attributes such as job title, department, manager or contact details so that directory enumeration (LDAP queries, address-book sync, directory collection tools) leads attackers toward decoy accounts and decoy resources rather than real ones, and alert when those decoys are touched. Do this on decoy accounts, not on real users: directory attributes drive e-mail routing, help desk identity checks and access reviews, so altering them on live accounts misleads colleagues before it misleads an attacker.

Deceptive User Behavior Patterns

Goal: Disrupt attacker profiling and behavioral analysis by simulating unusual user activity.

Approach: Generating fake user activity to confuse attackers and trigger alerts.

Generate decoy activity, such as logons at odd hours, access to unusual files or execution of uncommon commands, from decoy accounts and decoy workstations. An attacker studying logs or traffic to learn what normal looks like, either to blend in or to pick a quiet account to impersonate, is then profiling a picture you control. The activity must remain distinguishable to your own analysts: tag it with a marker only the SOC can verify and exclude it from behavioural baselines, or it will raise the noise floor of your own detections and corrupt the audit trail that incident responders rely on.
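
As an added example that is not part of the original page, one way to keep decoy activity recognisable to defenders but not to attackers: each scheduled action for a decoy account carries a short HMAC, computed with a key only the SOC holds, in an innocuous field (here a hypothetical workstation name), so the SOC can strip decoy events out of behavioural baselines. The key, the account names and the action list are constructed assumptions, and the schedule is derived deterministically so re-running the planner never duplicates a night's events.

```python
"""Schedule odd-hours decoy activity that the SOC can verify and filter out.

Added example, not from the original page. Key, accounts and actions are
constructed; the tag rides in a log field that looks ordinary to an attacker.
"""
import hashlib
import hmac
import random
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SOC_KEY = b"example-key-store-this-in-a-vault"  # assumption: known only to defenders
DECOY_ACTIONS = [  # assumption: each maps to an action the decoy runner performs
    "logon",
    r"open \\fs01\finance\payroll_2024.xlsx",
    'run net group "Domain Admins" /domain',
]


def activity_tag(user: str, ts: datetime, action: str) -> str:
    """Keyed tag over the event's identifying fields, truncated to look like an ID."""
    msg = f"{user}|{ts.isoformat()}|{action}".encode()
    return hmac.new(SOC_KEY, msg, hashlib.sha256).hexdigest()[:12]


def plan_night(user: str, day: datetime, run_id: str, count: int = 4) -> List[Dict]:
    """Deterministic plan for the window 22:00 on `day` to 05:59 next morning."""
    rng = random.Random(f"{user}|{day.date()}|{run_id}")  # str seed is stable
    start = day.replace(hour=22, minute=0, second=0, microsecond=0)
    events = []
    for _ in range(count):
        ts = start + timedelta(seconds=rng.randrange(8 * 3600))
        action = rng.choice(DECOY_ACTIONS)
        events.append({"user": user, "ts": ts, "action": action,
                       "workstation": "WS-" + activity_tag(user, ts, action)})
    return sorted(events, key=lambda e: e["ts"])


def is_decoy(event: Dict) -> bool:
    """True only if the carried tag matches what we would have generated."""
    expected = "WS-" + activity_tag(event["user"], event["ts"], event["action"])
    return hmac.compare_digest(expected, event.get("workstation", ""))


def real_only(events: List[Dict]) -> List[Dict]:
    """What feeds the behavioural baseline: everything that is not ours."""
    return [e for e in events if not is_decoy(e)]


if __name__ == "__main__":
    night = datetime(2024, 3, 7, tzinfo=timezone.utc)
    for e in plan_night("j.doe-adm", night, "run-1"):
        print(e["ts"].isoformat(), e["user"], e["action"], e["workstation"])
```

An attacker reading the log sees a workstation name with a hex suffix, which is unremarkable; without the key they cannot forge a tag that `is_decoy` accepts, so a real attacker session using the same decoy account is never filtered out by mistake.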

Fake System Logs

Goal: Observe attackers by planting fake system logs that point them at decoy accounts and hosts, so that acting on the planted evidence reveals them.

Approach: Creating and placing misleading system logs to attract attacker attention.

Create fake logs that show the traces an attacker hopes to find: failed and then successful logons for a decoy account, a privilege escalation on a decoy host, a deployment job that names a decoy credential store. Place them where attackers look (auth logs, shell history, application logs on jump hosts) and reference only decoy identifiers, so that any later use of those names or hosts is itself the alert. The fakes must be internally consistent (monotonic timestamps, plausible PIDs and hostnames, no gaps that contradict the real log) or they will be recognised as bait, and your own responders must be able to tell them apart during a real incident.
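
The generation side of this technique, as an added example that is not part of the original page: a planted sshd trail of failed logons ending in a success for a decoy account on a decoy host, plus the consistency check an analyst (or attacker) would use to spot a clumsy fake. The sshd line format approximates OpenSSH syslog output; the host, account, source address, timestamps and PIDs are constructed.

```python
"""Plant an internally consistent fake auth log that leads only to decoy assets.

Added example, not from the original page. Line format approximates OpenSSH
syslog output; host, user, IP, timestamps and PIDs are constructed.
"""
import itertools
import re
from datetime import datetime, timedelta
from typing import List

DECOY_HOST = "bastion-old"   # hypothetical decoy host worth pivoting to
DECOY_USER = "svc_deploy"    # hypothetical honeytoken account
DECOY_SRC = "10.20.30.40"    # hypothetical source shown in the planted trail


def _syslog_ts(t: datetime) -> str:
    return f"{t:%b} {t.day:2d} {t:%H:%M:%S}"   # traditional syslog, e.g. 'Mar  7 02:14:09'


def plant_auth_log(start: datetime, attempts: int = 5) -> List[str]:
    """Several failed logons followed by one success: a trail worth following."""
    pid = itertools.count(24817)
    t, lines = start, []
    for i in range(attempts + 1):
        t += timedelta(seconds=23 + (i * 41) % 180)  # irregular but increasing gaps
        p = next(pid)
        next(pid); next(pid)  # other processes consumed PIDs in between
        verb = "Accepted password" if i == attempts else "Failed password"
        lines.append(f"{_syslog_ts(t)} {DECOY_HOST} sshd[{p}]: {verb} for {DECOY_USER} "
                     f"from {DECOY_SRC} port {51000 + i} ssh2")
    return lines


_LINE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[(\d+)\]")


def consistency_problems(lines: List[str]) -> List[str]:
    """The tells that expose a planted log: time or PID going backwards, mixed hosts."""
    problems, prev_ts, prev_pid, hosts = [], None, -1, set()
    for n, line in enumerate(lines, 1):
        m = _LINE.match(line)
        if not m:
            problems.append(f"line {n}: unparseable")
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        host, pid = m.group(2), int(m.group(3))
        if prev_ts is not None and ts < prev_ts:
            problems.append(f"line {n}: timestamp goes backwards")
        if pid < prev_pid:
            problems.append(f"line {n}: pid goes backwards")
        hosts.add(host)
        prev_ts, prev_pid = ts, pid
    if len(hosts) > 1:
        problems.append(f"mixed hostnames {sorted(hosts)}")
    return problems


if __name__ == "__main__":
    for line in plant_auth_log(datetime(2024, 3, 7, 2, 10, 0)):
        print(line)
```

Because the only account and host in the planted lines are decoys, an attacker who later tries `svc_deploy` or connects to `bastion-old` trips the monitoring on those lures; the consistency check is run on the fakes before they are written so the planted segment cannot be picked out of a real log by ordering alone.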

Deceptive Firewall Rules

Goal: Disrupt attacker reconnaissance and lateral movement by configuring deceptive firewall rules.

Approach: Creating firewall rules that mislead attackers about network segmentation and access controls.

Configure rules that present protected systems the way an attacker expects to see them but deliver the connection somewhere else: a destination NAT rule that sends probes against unused ports or spare addresses in a sensitive segment to a honeypot, logging the original destination before it is rewritten, or a rule that answers scans of a decoy range while the real segment stays silent. This misleads the attacker about topology and turns each probe into an alert. The honeypot must present the same banner, TLS configuration and timing as the service it stands in for, since a mismatch is how attackers tell lures from targets, and a redirect must never claim a port that a real service on the same host is listening on.
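
A small rule builder for the redirect variant, as an added example that is not part of the original page. The iptables syntax it emits (nat table, PREROUTING chain, LOG and DNAT targets) is real; the interface, honeypot address, lure ports and production service inventory are constructed assumptions. Its one safety rule is the caveat above: a lure is refused when the port already has a real listener.

```python
"""Emit redirect-to-honeypot iptables rules, logging each lured connection and
refusing any lure that collides with a real service.

Added example, not from the original page. Interface, honeypot address, lure
ports and service inventory are constructed.
"""
from typing import Dict, List, Tuple

PRODUCTION_LISTENERS = {22: "sshd", 443: "nginx"}    # assumption: from a real port inventory
HONEYPOT = "10.99.0.9"                                 # assumption: honeypot address
LURES = {3389: 3389, 445: 445, 1433: 1433, 22: 2222}   # lured dport -> honeypot port


def build_rules(lures: Dict[int, int], production: Dict[int, str],
                honeypot: str, iface: str = "eth0") -> Tuple[List[str], List[str]]:
    """Return (rules to apply, lures rejected with reason)."""
    rules, rejected = [], []
    for dport, hp_port in sorted(lures.items()):
        if dport in production:
            rejected.append(f"{dport}: real listener {production[dport]}, not redirecting")
            continue
        base = f"iptables -t nat -A PREROUTING -i {iface} -p tcp --dport {dport}"
        # LOG first: the nat table sees the first packet of each connection, so this
        # yields one line per probe with the original destination port intact.
        rules.append(f'{base} -j LOG --log-prefix "DECOY-{dport} "')
        # Then rewrite the destination so the attacker lands on the honeypot.
        rules.append(f"{base} -j DNAT --to-destination {honeypot}:{hp_port}")
    return rules, rejected


if __name__ == "__main__":
    applied, refused = build_rules(LURES, PRODUCTION_LISTENERS, HONEYPOT)
    print("\n".join(applied))
    print("refused:", refused)
```

The LOG rule must precede the DNAT rule, because once the destination is rewritten the original port is only visible in conntrack; the log prefix is what the alerting pipeline keys on. The honeypot listening on the far side still has to look like the service it impersonates, which this builder cannot check for you.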

Deceptive Help Desk Responses

Goal: Disrupt attacker attempts to gain information or access through help desk impersonation.

Approach: Training help desk personnel to provide deceptive responses to suspicious inquiries.

Train help desk personnel to recognise social engineering attempts (pretexts for password resets, requests for internal extensions, system names or on-call details) and to respond with scripted deceptive information, such as a decoy extension or portal that routes to the security team, with deliberate delays, or with an escalation to security. Keep the deceptive answers scripted and logged rather than improvised, so analysts can correlate later use of the decoy details with the original contact. This disrupts reconnaissance, wastes the attacker's effort and buys time for incident response.

C2 Honeyclients

Goal: Collect attacker tasking and infrastructure indicators, and use them to find genuinely compromised systems, by running decoy clients that behave like infected hosts.

Approach: Emulating the implant side of a C2 protocol, recording every task received and never executing it.

Deploy decoy clients (“honeyclients”) that speak the check-in protocol of malware you have observed, present a decoy identity (hostname, user, process list) and answer tasking with canned or canary data. Everything the operator sends (commands, payloads, file requests) is recorded rather than executed; it reveals intent, tooling and infrastructure, and the observed C2 indicators can then be searched for across real hosts and network logs to find systems that are actually compromised. The honeyclient must be isolated, since a convincing one will receive real payloads, and must not carry anything that identifies the organisation beyond what the lure requires.

Deceptive C2 Protocols

Goal: Disrupt attacker communications by manipulating C2 protocols or introducing unexpected behavior.

Approach: Modifying C2 protocols or introducing anomalies to confuse attackers.

Where you can intercept C2 traffic on your own network (a web proxy, DNS sinkhole or TLS-inspecting gateway), alter what the implant and the operator see: change data formats so the tooling's parsers fail, add delays and jitter so automation times out, inject commands toward the implant (a sleep or exit task, for instance) to idle it, or feed the operator decoy results in place of real ones. Apply the changes to traffic heading for the implant on your own hosts or to the data it reports back, not by sending traffic of your own to the attacker's server, and expect the attacker to notice eventually; the aim is to slow and confuse them while collecting intelligence, not to hold them indefinitely.

Deceptive Data Masking

Goal: Disrupt attacker attempts to exfiltrate sensitive data by masking or altering its content.

Approach: Substituting or masking sensitive data at a trust boundary you control, so that what leaves is worthless to the attacker but traceable by you.

Implement mechanisms that alter or mask sensitive data at the boundary where exfiltration would pass: a DLP or egress proxy, an API gateway, a database view served to unusual sessions. Options range from transparent encryption, which leaves the attacker with ciphertext, through obfuscation, to replacing records with decoys that are format-valid (they pass checksums and schema validation) but are registered as canaries, so the stolen data is useless and its later appearance identifies the leak. You rarely know that data is being exfiltrated while it is moving, so the mask is applied to paths you already distrust (unapproved destinations, unknown clients, anomalous query patterns) rather than to a stream recognised as theft after the fact, and the substitution must be deterministic per record, or inconsistencies between exports give it away.
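
The decoy-substitution variant for card numbers, as an added example that is not part of the original page: numbers in a record are replaced with Luhn-valid decoys derived by HMAC from the original, so the same card always maps to the same decoy, and each decoy is registered as a canary. Luhn is the real check-digit algorithm; the decoy prefix, the key and the sample record are constructed. The prefix is assumed to be one reserved for decoys and never a live issuer range.

```python
"""Swap card numbers for Luhn-valid, deterministic decoys registered as canaries.

Added example, not from the original page. Luhn is real; the decoy prefix,
key and sample record are constructed assumptions.
"""
import hashlib
import hmac
import re
from typing import Dict

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
DECOY_PREFIX = "400000"   # assumption: a prefix reserved for decoys, never a live BIN
MASK_KEY = b"example-masking-key-from-a-vault"  # assumption: defender-held secret


def luhn_check_digit(partial: str) -> str:
    """Check digit for `partial`; i == 0 is the digit just left of the check digit."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_check_digit(pan[:-1]) == pan[-1]


class CanaryVault:
    """Maps decoy PANs to the export they were issued for. Never stores real PANs."""

    def __init__(self) -> None:
        self.issued: Dict[str, str] = {}

    def decoy_for(self, real_pan: str, context: str) -> str:
        # Deterministic: the same real number always yields the same decoy, so
        # repeated exports stay consistent and the substitution is not obvious.
        digest = hmac.new(MASK_KEY, real_pan.encode(), hashlib.sha256).digest()
        body = DECOY_PREFIX + str(int.from_bytes(digest[:8], "big") % 10**9).zfill(9)
        decoy = body + luhn_check_digit(body)
        self.issued[decoy] = context
        return decoy

    def is_canary(self, pan: str) -> bool:
        return re.sub(r"[ -]", "", pan) in self.issued


def mask_record(text: str, vault: CanaryVault, context: str) -> str:
    """Replace every Luhn-valid number in `text`; leave other long numbers alone."""
    def swap(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)        # long number but not a card: leave it
        return vault.decoy_for(digits, context)
    return PAN_RE.sub(swap, text)


# Constructed record: a name, a card number, an expiry and a 13-digit order reference.
RECORD = "a.nguyen,4111 1111 1111 1111,2027-04,1234567890123"

if __name__ == "__main__":
    vault = CanaryVault()
    print(mask_record(RECORD, vault, "export-job-42"))
    print(vault.issued)
```

The order reference survives because it fails the Luhn check, while the card number becomes a decoy that passes validation anywhere downstream; when that decoy later appears in a dump or a fraud attempt, `is_canary` ties it back to the export that leaked it.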