Deceptive Identity Federation

Goal: Redirect attackers attempting to leverage identity federation protocols to a controlled environment.

Approach: Manipulating identity federation responses to misdirect authentication flows.

Modify identity federation responses, such as SAML assertions or OAuth tokens, to redirect attackers to a fake identity provider (IdP) or a honeypot environment.

Deceptive Beacons

Goal: Confuse and misdirect attackers by deploying deceptive beacons.

Approach: Emitting misleading signals to divert attackers.

Deploy beacons that mimic the network traffic of vulnerable or compromised systems. These beacons can lead attackers towards honeypots, decoy networks, or even trigger automated responses.

Deceptive Identity Provider (IdP) Responses

Goal: Redirect attackers attempting to authenticate to a deceptive environment.

Approach: Manipulating IdP responses to redirect authentication flows.

When an attacker attempts to authenticate through an IdP (e.g., over OAuth or SAML), manipulate the response to redirect them to a fake login portal or a controlled environment.

Deceptive DNS Responses

Goal: Redirect attacker traffic to a controlled environment by providing deceptive DNS responses.

Approach: Manipulating DNS resolution to redirect traffic.

Intercept DNS requests for known malicious domains and return a deceptive IP address, leading attackers to a honeypot or sinkhole.
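
A sketch of the response logic behind such a DNS sinkhole, added here as an illustration and not taken from any particular product: it parses a raw DNS query and forges an A record pointing at the sinkhole only when the queried name, or one of its parent domains, is on the blocklist. The blocklist entries, the sinkhole address (a TEST-NET-1 documentation address) and all function names are constructed assumptions.

```python
import socket
import struct

# Constructed sample values (assumptions, not from the page)
SINKHOLE_IP = "192.0.2.53"  # TEST-NET-1 address standing in for the honeypot
BLOCKLIST = {"bad-c2.example", "malware-update.test"}

def parse_qname(packet, offset=12):
    """Read the uncompressed QNAME of the first question; return (name, next_offset)."""
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length > 63 or offset + length > len(packet):
            raise ValueError("bad label length or compression pointer")
        labels.append(packet[offset:offset + length].decode("ascii").lower())
        offset += length

def is_blocked(name):
    """Match the name itself or any parent domain on the blocklist."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def sinkhole_response(query):
    """Return a forged A answer for blocklisted names, or None to forward upstream."""
    if len(query) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:  # ignore responses and multi-question packets
        return None
    try:
        name, end = parse_qname(query)
        qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    except (ValueError, struct.error):
        return None
    if qtype != 1 or qclass != 1 or not is_blocked(name):  # only A/IN is rewritten
        return None
    header = struct.pack("!HHHHHH", txid, 0x8080 | (flags & 0x0100), 1, 1, 0, 0)
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + query[12:end + 4] + answer  # header, echoed question, forged answer

def build_query(name, txid=0x1234):
    """Build a minimal A/IN query with RD set (used to construct sample input)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```

A `None` return means the query is not rewritten and should be passed to the normal resolver; in a deployment, each sinkholed query would also be logged with the requesting client's address, since that is the detection signal.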