Section 1: A Critical Evaluation of the Five Laws of Cyber Deception
The study of deception in conflict is a discipline with a lineage stretching back to the earliest recorded military histories. From Sun Tzu’s […]
Category: Offensive
Active Counter-Engagement (ACE): A Framework for Proactive, Intelligence-Driven Defense
Executive Summary
The contemporary cybersecurity landscape is defined by a persistent and escalating challenge: the sophisticated adversary. Advanced Persistent Threats (APTs) and organized cybercriminal syndicates now routinely employ adaptive tactics, techniques, and procedures (TTPs) that […]
Fake Security Information and Event Management (SIEM) with Honey Data
Deploy a decoy SIEM that collects and displays fabricated security events and alerts. This can be used to mislead attackers, waste their time, or gather information about their attempts to tamper with or evade security monitoring systems.
Decoy Web Application Firewall (WAF) with Alerting Capabilities
Create a decoy WAF that mimics a legitimate one but triggers alerts or performs deceptive actions in response to specific attack patterns. This can be used to identify attackers, disrupt their activities, or gather information about their techniques.
Fake Firewall with Permissive Ruleset
Deploy a decoy firewall with an intentionally permissive ruleset that allows most traffic to pass through. This can be used to lure attackers into a false sense of security, allowing you to observe their activities and gather intelligence on their tools and techniques.
Dynamically Changing Network Configuration
Implement a system that dynamically alters network configurations, such as IP addresses, DNS server settings, or routing tables, in response to detected attacker activity. This can be used to confuse attackers, disrupt their reconnaissance efforts, or redirect them to decoy systems.
Phantom Threads
Create decoy threads within legitimate processes that exhibit unusual or suspicious behavior, such as accessing sensitive registry keys or making unexpected API calls. This can be used to lure attackers into investigating these threads, wasting their time and potentially revealing their tools and techniques.
Fake WMI Provider with Deceptive Data
Create a decoy WMI provider that responds to attacker queries with fabricated or misleading information. This can be used to confuse attackers, disrupt their reconnaissance efforts, or gather information about their WMI-based tools and techniques.
Fake Named Pipe with Delayed Response
Create a decoy named pipe that mimics a legitimate inter-process communication channel but introduces a significant delay before responding to client requests. This can be used to identify attackers attempting to exploit vulnerabilities or gather information through named pipes, and to disrupt their activities.
Fake Network Service with Unexpected Protocol Behavior
Deploy a network service that mimics a legitimate one but responds to requests with unexpected or non-compliant protocol behavior. This can be used to confuse attackers, trigger vulnerabilities in their tools, or gather information about their scanning techniques.