What is the goal of this operation: To identify and track unauthorized access attempts by luring adversaries towards a deceptive user account embedded with canary tokens.
What's the approach of this operation or element? This element focuses on detecting any interaction with the deceptive user account and its associated canary tokens, directing the attacker's attention towards this decoy, and analyzing their actions to understand their techniques and objectives.
This active defense element involves creating a deceptive user account within the Active Directory environment. This account appears as a regular employee with access to seemingly valuable resources and information. However, the account is embedded with various canary tokens – these are subtle triggers that alert defenders upon any interaction.
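The detection side of this element, as an added example that is not part of the original page: because the decoy account has no legitimate user, any authentication or directory-access event that names it is an alert. The decoy name, the event export and its field names are constructed assumptions; the script parses a JSON-lines export of Windows Security events and raises one alert per touch of the decoy, including a 4662 directory-object read that names the account by its DN rather than as a logon target.

```python
import json

# Added example, not from the original page. The decoy name and the JSON-lines
# export of Windows Security events below are constructed; the field names
# follow common SIEM exports and are an assumption.
DECOY_ACCOUNT = "j.reynolds.finance"

# The decoy has no legitimate user, so any of these events naming it is an alert.
WATCHED_EVENTS = {
    4624: "successful logon",
    4625: "failed logon",
    4768: "Kerberos TGT request",
    4769: "Kerberos service ticket request",
    4662: "directory object access",
}
SAMPLE_EVENTS = """
{"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "TimeCreated": "2024-05-01T09:00:00Z"}
{"EventID": 4625, "TargetUserName": "j.reynolds.finance", "IpAddress": "10.0.0.77", "TimeCreated": "2024-05-01T09:01:10Z"}
{"EventID": 4769, "TargetUserName": "j.reynolds.finance", "IpAddress": "10.0.0.77", "TimeCreated": "2024-05-01T09:01:12Z"}
{"EventID": 4662, "SubjectUserName": "bob", "ObjectName": "CN=j.reynolds.finance,OU=Finance,DC=corp,DC=local", "IpAddress": "10.0.0.42", "TimeCreated": "2024-05-01T09:03:00Z"}
"""

def parse_events(text):
    """Parse a JSON-lines export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def touches_decoy(event, decoy):
    """True if the event names the decoy as logon target or as the accessed AD object."""
    if event.get("EventID") not in WATCHED_EVENTS:
        return False
    if event.get("TargetUserName", "").lower() == decoy.lower():
        return True
    # 4662 identifies the object by its DN rather than by a user name.
    return f"cn={decoy.lower()}," in event.get("ObjectName", "").lower()

def decoy_alerts(events, decoy=DECOY_ACCOUNT):
    """One alert per interaction: when, what kind of touch, from where, and by whom."""
    return [
        {
            "time": ev.get("TimeCreated"),
            "event_id": ev["EventID"],
            "what": WATCHED_EVENTS[ev["EventID"]],
            "source_ip": ev.get("IpAddress"),
            "actor": ev.get("SubjectUserName") or ev.get("TargetUserName"),
        }
        for ev in events
        if touches_decoy(ev, decoy)
    ]
```

In the constructed sample, the failed logon and service-ticket request from 10.0.0.77 and bob's read of the account object all surface as alerts, while alice's ordinary logon does not.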