Honeyfiles with Deceptive Content

Goal: Identify attackers attempting to exfiltrate data and gather information about their targets.

Approach: Creating and monitoring honeyfiles with enticing but fake data.

Plant “honeyfiles” – files with seemingly sensitive information, such as credential stores, key material or financial exports – in the locations attackers search first (file shares, home directories, source repositories, backup folders). The files hold fabricated data that is unique to each plant, so a copy that surfaces elsewhere can be traced back, and they are paired with a tripwire: file-access auditing on the folder (a SACL on Windows, auditd on Linux) or a callback token inside the content, so that opening or copying them raises an alert. Allow-list legitimate readers such as backup agents and malware scanners, or the honeyfile will alert on your own tooling every night.
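As an added example, not taken from the original page: planting a honeyfile whose contents carry a unique canary token, then running a detector over file-access audit records to find reads by anything other than the allow-listed processes, and a second check that spots the token itself turning up in other data. The plant path, account names, process names and audit-log lines are constructed for the demo, and the JSON-per-line log shape is assumed; a real auditd or Windows 4663 feed needs its own field mapping.

```python
"""Added example, not from the original page: plant a honeyfile that carries a
unique canary token and spot access to it in audit-log lines.
Every path, account name and log line here is constructed for the demo."""
import hashlib
import json
import os
import re
import secrets
import tempfile

HONEYFILE_PATH = "/srv/finance/db-failover-creds.txt"   # constructed plant location
ALLOWED_PROCESSES = {"backupd", "clamd"}                  # legitimate readers to suppress


def render_honeyfile(token):
    """Plausible 'credentials' file; the token doubles as the fake password,
    so a copy that surfaces later can be traced back to this plant."""
    return (
        "# DB failover credentials - DO NOT SHARE\n"
        "host=db-failover-02.corp.example\n"
        "user=svc_replica\n"
        f"password=R3plica!{token}\n"
    )


def plant_honeyfile(directory, name="db-failover-creds.txt", token=None):
    """Write the honeyfile and return what the SOC needs to watch for."""
    token = token or secrets.token_hex(8)
    body = render_honeyfile(token)
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)
    return {"path": path, "token": token,
            "sha256": hashlib.sha256(body.encode()).hexdigest()}


# Constructed file-access audit records, one JSON object per line (assumed shape).
SAMPLE_AUDIT_LOG = [
    '{"ts":"2024-05-02T01:00:03Z","user":"root","proc":"backupd","op":"read","path":"/srv/finance/db-failover-creds.txt"}',
    '{"ts":"2024-05-02T09:14:21Z","user":"jdoe","proc":"libreoffice","op":"read","path":"/srv/finance/q1-forecast.ods"}',
    '{"ts":"2024-05-02T23:41:07Z","user":"www-data","proc":"bash","op":"read","path":"/srv/finance/db-failover-creds.txt"}',
    '{"ts":"2024-05-02T23:42:55Z","user":"www-data","proc":"curl","op":"read","path":"/srv/finance/db-failover-creds.txt"}',
    'not json at all - a malformed line the parser must skip',
]


def find_honeyfile_access(log_lines, honeyfile_paths, allowed_processes=ALLOWED_PROCESSES):
    """Return an alert dict for every access to a honeyfile by a process that
    is not on the allow-list. Malformed lines are skipped, not fatal."""
    alerts = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("path") in honeyfile_paths and rec.get("proc") not in allowed_processes:
            alerts.append({"ts": rec["ts"], "user": rec.get("user"),
                           "proc": rec.get("proc"), "path": rec["path"]})
    return alerts


def find_token_leaks(text, token):
    """Second tripwire: the canary token turning up anywhere else (proxy logs,
    a paste-site scrape, a DLP hit) means the honeyfile's contents left."""
    return [m.start() for m in re.finditer(re.escape(token), text)]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("planted", plant_honeyfile(tmp))
    for alert in find_honeyfile_access(SAMPLE_AUDIT_LOG, {HONEYFILE_PATH}):
        print("ALERT", alert)
```

The backup agent's nightly read is suppressed by the allow-list; the two reads by a web-server account via a shell and curl are exactly the pattern a web shell staging exfiltration produces, and both surface as alerts. The token search is deliberately separate from the access detector: the file being read tells you an intruder is inside, the token appearing elsewhere tells you the data actually left.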

Image-Based Malware Delivery

Goal: Deliver deceptive payloads or disrupt attacker operations through manipulated images.

Approach: Hiding malicious or disruptive code within images.

Embed tracking or disruptive content within images that attackers are likely to download or process. Note that an image does not execute code when it is merely viewed: anything embedded in it only acts if the attacker's own tooling parses and acts on it, so in practice this element is usually a steganographic identifier or a remote-resource reference that reveals when and from where the image was opened, giving you information about the attacker's environment. Content intended to disrupt the attacker's tools or infrastructure is active counter-operation and carries legal exposure; treat it as a separate decision that needs legal sign-off, not as a default.

Deceptive Document Watermarks

Goal: Track the dissemination of sensitive documents and identify potential leaks.

Approach: Embedding hidden watermarks in documents to track their movement.

Embed a hidden, per-copy watermark in each distributed document so that, when a copy surfaces where it should not, the watermark identifies which recipient's copy leaked. Watermarks can also carry decoy data or, in formats that load remote resources, act as a tripwire that alerts when the document is opened outside the organization. Text-level watermarks survive copy-and-paste but not retyping, OCR or screenshots, so combine techniques (visible marks, invisible text-level marks, metadata) rather than relying on one, and protect the watermark with a keyed tag so that a leaker cannot alter it to implicate someone else.
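As an added example, not from the original page: a per-recipient text watermark encoded as a run of zero-width characters and inserted after the first space, so the visible text is unchanged, with a truncated HMAC tag so that an altered recipient ID is detected at extraction time. The key, the recipient identifiers and the sample sentence are constructed; the choice of U+200B/U+200C for the bits and U+2060 as the delimiter is this example's own convention.

```python
"""Added example, not from the original page: a per-recipient text watermark
made of zero-width characters, with an HMAC tag so a forged or altered ID is
rejected at extraction time. Key, recipient IDs and text are constructed."""
import hmac
import re

ZW0, ZW1 = "\u200b", "\u200c"      # zero-width space / non-joiner encode bits 0 and 1
MARK = "\u2060"                      # word joiner brackets the payload
WATERMARK_KEY = b"constructed-demo-key-rotate-me"   # constructed; keep the real one in a secret store
TAG_BYTES = 4


def _tag(recipient_id):
    """Keyed tag over the recipient ID; without the key a leaker cannot re-sign a changed ID."""
    return hmac.new(WATERMARK_KEY, recipient_id.encode(), "sha256").digest()[:TAG_BYTES]


def embed_watermark(text, recipient_id):
    """Hide recipient_id + tag after the first space so the visible text does not change."""
    payload = recipient_id.encode() + b"|" + _tag(recipient_id).hex().encode()
    bits = "".join(f"{b:08b}" for b in payload)
    hidden = MARK + "".join(ZW1 if bit == "1" else ZW0 for bit in bits) + MARK
    i = text.find(" ")
    if i == -1:
        return text + hidden
    return text[:i + 1] + hidden + text[i + 1:]


def extract_watermark(text):
    """Return (recipient_id, tag_valid) or None when no watermark is present."""
    m = re.search(f"{MARK}([{ZW0}{ZW1}]+){MARK}", text)
    if not m:
        return None
    bits = m.group(1)
    raw = bytes(int(bits[i:i + 8].replace(ZW1, "1").replace(ZW0, "0"), 2)
                for i in range(0, len(bits) - len(bits) % 8, 8))
    try:
        rid, tag_hex = raw.decode().rsplit("|", 1)
    except (UnicodeDecodeError, ValueError):
        return None
    return rid, hmac.compare_digest(tag_hex, _tag(rid).hex())


def strip_zero_width(text):
    """What a careful leaker or a plain-text normaliser would do to the copy;
    the answer is to watermark in more than one channel, not to rely on this one."""
    return re.sub(f"[{ZW0}{ZW1}{MARK}]", "", text)


if __name__ == "__main__":
    marked = embed_watermark("Q3 board pack: revenue forecast attached.", "alice@example.com")
    print(repr(marked))
    print(extract_watermark(marked))
```

Extraction returns the recipient together with a boolean that says whether the tag still matches; a copy whose ID was tampered with comes back flagged rather than silently pointing at the wrong person. Spreading the bits across several spaces instead of one run makes the mark harder to spot in an editor that highlights invisible characters, at the cost of a slightly longer extractor.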

Fake Software Updates

Goal: Gather information about attacker activity by offering deceptive software updates.

Approach: Luring attackers to download and execute fake updates.

Create fake software updates that appear legitimate but carry tracking mechanisms or deceptive payloads, and publish them only through channels an attacker would reach from inside your environment: a decoy update share, an internal mirror referenced from a honeyfile, a download link in a decoy wiki page. Production update channels stay untouched, since a real client fetching the decoy would be an incident of your own making. When an attacker downloads and runs the decoy, you learn which credentials and path they used to reach it, what platform they executed it on and what they tried to do with it; passive telemetry of that kind is enough for the goal, and a payload that interferes with the attacker's systems raises the same legal questions as any other active counter-operation.

Deceptive Beacons

Goal: Confuse and misdirect attackers by deploying deceptive beacons.

Approach: Emitting misleading signals to divert attackers.

Deploy beacons that mimic the network traffic of vulnerable or compromised systems: a host advertising an outdated service version, or periodic check-ins that look like an implant talking to its controller. An attacker surveying the network prioritises what looks weakest or already owned, so the beacons draw them toward honeypots and decoy networks, where their activity can be observed or used to trigger automated responses. Make sure your own vulnerability scanners and detection rules know which hosts are decoys, or the beacons will generate tickets for vulnerabilities that do not exist.

Poisoned Scripts

Goal: Disrupt attacker operations by injecting deceptive code into scripts that an attacker copies from compromised developer machines.

Approach: Manipulating scripts to deliver misleading information or disrupt execution.

If an attacker compromises a developer's machine and copies its scripts or code, subtle errors, delays or misleading functions in those files can make the attacker's tools malfunction or lead them down false paths, for example toward hosts that exist only as honeypots. The scripts still have to work for the developer, so the deceptive behaviour is conditional: it activates only when the script runs outside its expected environment (a different host, user or missing marker), and ideally also reports where it ran. Keep a record of which files carry such logic, so that a colleague debugging an odd failure is not misled by your own deception.
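As an added example, not from the original page: a fragment in the style of a deployment helper that returns the real target list on the developer host it belongs to and, anywhere else, stalls, records the foreign environment and hands back a decoy inventory. The host names, user names and inventory entries are constructed, and the hashed fingerprint of the trusted environment is this example's own device for keeping the expected values out of the script text.

```python
"""Added example, not from the original page: a 'deploy helper' that behaves
normally on the developer host it was written for and, anywhere else, returns a
plausible but false inventory and records where it ran. Host names, users and
inventory entries are constructed."""
import hashlib
import time


def _fingerprint(hostname, username):
    """Hashed so the stolen script does not reveal which environment it trusts."""
    return hashlib.sha256(f"{hostname}:{username}".encode()).hexdigest()


# The one environment where the script should do real work (constructed).
TRUSTED_FINGERPRINTS = {_fingerprint("dev-laptop-0137", "jdoe")}

REAL_INVENTORY = ["app-prod-01.corp.example", "app-prod-02.corp.example"]
# Decoy targets that exist only as honeypots; any connection to them is an alert.
DECOY_INVENTORY = ["app-prod-03.corp.example", "db-legacy-backup.corp.example"]

# In a real plant this record would leave the host as an outbound beacon (for
# instance a DNS query for a unique canary name); here it is kept in memory.
ALERTS = []


def list_deploy_targets(hostname, username, delay=0.0):
    """Looks like an ordinary inventory lookup. Off the trusted host it stalls
    for `delay` seconds, logs the foreign environment and returns decoys."""
    if _fingerprint(hostname, username) in TRUSTED_FINGERPRINTS:
        return {"mode": "real", "targets": list(REAL_INVENTORY)}
    time.sleep(delay)
    ALERTS.append({"ts": time.time(), "host": hostname, "user": username})
    return {"mode": "decoy", "targets": list(DECOY_INVENTORY)}


if __name__ == "__main__":
    import getpass
    import socket
    print(list_deploy_targets(socket.gethostname(), getpass.getuser()))
```

On the developer's own laptop the helper is indistinguishable from an honest one. Run from an attacker's box it returns hosts that only a honeypot answers for, so the first connection attempt tells the SOC which stolen script is being used and from where; the `delay` argument is the "subtle slowdown" the text mentions, kept at zero by default so the legitimate path never pays for it.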

Deceptive MFA Prompts

Goal: Disrupt and delay attackers attempting to bypass Multi-Factor Authentication (MFA).

Approach: Presenting attackers with deceptive MFA prompts.

When a login shows signs of an attacker (decoy credentials lifted from a honeyfile, a known-bad source address, an impossible-travel or unknown-device signal), answer it with an MFA prompt that can never be satisfied, even though the credentials themselves were valid: a push notification that is never delivered, a request for a factor the account does not have, or a challenge question with no right answer. Log every response the attacker submits; the codes, retries and timing tell you how they are trying to get past the factor. Tie the decoy prompt to those signals rather than to all logins, or legitimate users will be locked out; decoy accounts that no real person ever uses are the safest trigger.
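As an added example, not from the original page: a login flow in which only honeytoken accounts, whose credentials were seeded in a honeyfile and never issued to anyone, are sent into an MFA loop that can never complete, while everything else takes the ordinary path. The account names, passwords, the "locked" message and the in-memory alert store are constructed; a real deployment would emit the alerts to the SIEM and read the decoy list from the identity provider.

```python
"""Added example, not from the original page: a login flow where only
honeytoken accounts get a bottomless MFA challenge, so real users are never
affected. Account names, passwords and the alert store are constructed."""
import hmac
import secrets
import time

# Decoy credentials planted elsewhere (for instance in a honeyfile). No real
# person should ever present them, so even the user name alone is worth an alert.
HONEYTOKEN_ACCOUNTS = {"svc_backup": "Winter2024!", "admin_old": "P@ssw0rd123"}


class DeceptiveMFA:
    def __init__(self, max_code_attempts=5):
        self.max_code_attempts = max_code_attempts
        self.sessions = {}   # session id -> what the attacker has done with it
        self.alerts = []

    def _alert(self, event, **fields):
        self.alerts.append({"ts": time.time(), "event": event, **fields})

    def login(self, username, password, src_ip):
        if username in HONEYTOKEN_ACCOUNTS:
            if hmac.compare_digest(HONEYTOKEN_ACCOUNTS[username], password):
                sid = secrets.token_urlsafe(16)
                self.sessions[sid] = {"user": username, "ip": src_ip, "codes": []}
                self._alert("honeytoken_login", user=username, ip=src_ip)
                # The "push" is never delivered anywhere; the code path never succeeds.
                return {"status": "mfa_required", "session": sid, "methods": ["push", "totp"]}
            self._alert("honeytoken_username", user=username, ip=src_ip)
            return {"status": "denied"}
        # Real accounts would be authenticated normally here; the demo denies them.
        return {"status": "denied"}

    def submit_code(self, sid, code):
        sess = self.sessions.get(sid)
        if sess is None:
            return {"status": "denied"}
        sess["codes"].append(code)
        self._alert("honeytoken_mfa_attempt", user=sess["user"], ip=sess["ip"], code=code)
        if len(sess["codes"]) >= self.max_code_attempts:
            # Looks like an ordinary lockout; the attacker still never gets in.
            del self.sessions[sid]
            return {"status": "locked", "message": "Too many attempts, account locked"}
        return {"status": "mfa_required", "session": sid, "methods": ["totp"],
                "message": "Code rejected, try again"}


if __name__ == "__main__":
    idp = DeceptiveMFA(max_code_attempts=3)
    r = idp.login("svc_backup", "Winter2024!", "203.0.113.9")
    for code in ("123456", "654321", "000000"):
        r = idp.submit_code(r["session"], code)
    print(r, idp.alerts)
```

The decoy branch is keyed on the account, not on a guess about the caller, so the cost of a false positive is zero: no real user has the password to a honeytoken account. The attacker, meanwhile, sees a plausible sequence (push offered, fallback to a code, lockout after several tries) and has told you which planted credentials they found, where they came from and what codes they thought might work.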

WMI Event Deception

Goal: Disrupt attacker activity by generating deceptive WMI events.

Approach: Generating fake WMI events to confuse attackers.

Generate deceptive WMI events that mimic legitimate system activity (process starts, service changes, logon sessions) but carry false information, such as references to hosts, services or accounts that exist only as decoys. Attackers lean on WMI for host reconnaissance and for lateral movement, so false data there can send them after targets that do not exist and slow their progress. Your own inventory and monitoring tools that consume WMI must be told which records are decoys, or the deception will pollute your asset data as well as the attacker's.