Fake Social Media Profile with Deceptive Posts

Goal: To gather information about attackers or to spread disinformation.

Approach: Monitoring interaction with the fake profile and analyzing attacker behavior.

Attackers who interact with the fake profile or its posts will be identified, and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to gather information about employees or spread disinformation.

Deceptive Email with Hidden Links

Goal: To identify attackers actively monitoring email traffic or who have compromised an employee’s account.

Approach: Monitoring interaction with the deceptive email and analyzing attacker behavior. This element involves sending a deceptive email to employees that appears to be legitimate but contains hidden links that are only visible when the email is viewed in a specific way, such as using a particular email client or viewing the email’s source code.

Attackers who attempt to view the hidden links will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to phish employees.
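As an added example that is not part of the original page, the hidden-link element above can be instrumented so that each recipient's copy of the email carries its own canary link, and a hit on the collector is attributed back to the mailbox that received it (a sign that mailbox or its traffic is being read). The collector host, the HMAC secret and the log lines are constructed for the example.

```python
import hashlib, hmac, re

# Constructed values for this example; a real deployment loads the secret from a secrets store.
CANARY_SECRET = b"example-only-secret"
CANARY_HOST = "https://canary.example.invalid"  # hypothetical collector serving only canary paths

def canary_token(recipient: str) -> str:
    """Per-recipient token: an HMAC, so a hit is attributable to one mailbox while the token
    itself reveals nothing about the recipient to whoever extracts it from the message source."""
    return hmac.new(CANARY_SECRET, recipient.lower().encode(), hashlib.sha256).hexdigest()[:24]

def hidden_link_html(recipient: str) -> str:
    """Fragment for the email body: no anchor text and display:none, so mail clients render nothing.
    It is found only by reading the raw source or by tooling that extracts every href."""
    return f'<a href="{CANARY_HOST}/c/{canary_token(recipient)}" style="display:none"></a>'

def build_token_index(recipients):
    """Lookup table for the analyzer: token -> recipient whose copy of the mail carried it."""
    return {canary_token(r): r for r in recipients}

# Combined-log-format line from the collector; only requests to the canary path are accepted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /c/(?P<tok>[0-9a-f]{24}) HTTP/[\d.]+" '
    r'\d{3} \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def analyze_hits(log_lines, index):
    """Every request to a canary path is an alert: no legitimate reader follows a hidden link.
    A known token names the mailbox whose copy was read; an unknown one suggests path scanning."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ordinary traffic, not a canary hit
        alerts.append({
            "recipient": index.get(m["tok"]),  # None when the token is not one we issued
            "source_ip": m["ip"],
            "user_agent": m["ua"],
        })
    return alerts

def sample_log(recipients):
    """Constructed log lines: a hit on a real token, a hit on a made-up token, an unrelated request."""
    tok = canary_token(recipients[0])
    return [
        f'198.51.100.7 - - [12/Mar/2024:10:15:42 +0000] "GET /c/{tok} HTTP/1.1" 200 0 "-" "curl/8.4.0"',
        '198.51.100.7 - - [12/Mar/2024:10:15:43 +0000] "GET /c/000000000000000000000000 HTTP/1.1" 404 0 "-" "curl/8.4.0"',
        '203.0.113.9 - - [12/Mar/2024:10:16:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    ]
```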

Deceptive Phishing Email with Delayed Delivery

Goal: Identify attackers who open or interact with a delayed deceptive email, and log their actions to improve defenses against phishing.

Approach: This element involves sending a deceptive phishing email to employees that appears to be legitimate but is intentionally delayed in delivery.

Attackers who open or interact with the delayed email will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to phish employees.

Fake Social Media Profiles

Goal: Gather information about attackers and their social engineering tactics by creating fake social media profiles.

Approach: Creating and monitoring fake social media profiles to attract attackers.

Create fake social media profiles that appear to belong to employees or partners. Monitor any interactions with these profiles to identify attackers, gather information about their reconnaissance techniques, and understand their social engineering tactics.

Deceptive Help Desk Responses

Goal: Disrupt attacker attempts to gain information or access through help desk impersonation.

Approach: Training help desk personnel to provide deceptive responses to suspicious inquiries.

Train help desk personnel to identify and respond to social engineering attempts with deceptive information, delays, or redirects to security teams. This can disrupt attacker reconnaissance, frustrate their efforts, and buy time for incident response.

Deceptive Phishing Campaigns

Goal: Identify susceptible individuals and gather information about ongoing phishing campaigns.

Approach: Launching controlled phishing campaigns with deceptive lures.

Conduct internal phishing campaigns with fake but believable phishing emails. Track who clicks on links, downloads attachments, or provides sensitive information. This reveals vulnerable individuals and gathers intelligence about attacker tactics.

C2 Honeyclients

Goal: Identify compromised systems by deploying decoy clients that mimic C2 communication patterns.

Approach: Monitoring network traffic for connections to C2 honeyclients.

Deploy decoy clients (“honeyclients”) that mimic the behavior of infected systems communicating with C2 servers. Monitor any attempts to connect to or control these honeyclients to identify compromised systems and attacker infrastructure.

Deceptive C2 Protocols

Goal: Disrupt attacker communications by manipulating C2 protocols or introducing unexpected behavior.

Approach: Modifying C2 protocols or introducing anomalies to confuse attackers.

Modify existing C2 protocols or introduce subtle anomalies in communication patterns to confuse attackers, disrupt their tools, or trigger alerts. This can involve changing data formats, introducing delays, or injecting unexpected commands.

Fake C2 Servers

Goal: Capture attacker communications and gather intelligence about their infrastructure and operations.

Approach: Setting up decoy C2 servers that mimic legitimate C2 infrastructure.

Deploy fake command-and-control (C2) servers that mimic the behavior of popular malware families. These servers can capture attacker commands, log communications, and even deliver deceptive responses to mislead attackers and disrupt their operations.

Deceptive Data Masking

Goal: Disrupt attacker attempts to exfiltrate sensitive data by masking or altering its content.

Approach: Modifying sensitive data in transit to render it useless to attackers.

Implement mechanisms that dynamically alter or mask sensitive data as it is being exfiltrated. This can involve encryption, obfuscation, or even replacing the data with decoy information, rendering it useless to the attacker.