Fake Google Cloud Service Accounts with High Permissions

Create decoy service accounts with names suggesting elevated privileges (e.g., “deployment-admin,” “database-owner”) but with restricted access. Monitor any attempts to utilize these accounts, which could indicate an attacker attempting privilege escalation or lateral movement.

Azure Active Directory (AD) Decoy User Accounts

Create fake user accounts within Azure AD with enticing names or roles (e.g., “admin,” “backup_admin”). Monitor login attempts and activity related to these accounts to identify credential stuffing or brute-force attacks.

Fake Social Media Profile with Deceptive Posts

Goal: To gather information about attackers or to spread disinformation.

Approach: Monitoring interaction with the fake profile and analyzing attacker behavior.

Attackers who interact with the fake profile or its posts will be identified, and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to gather information about employees or spread disinformation.

Deceptive Service Accounts

Goal: Detect and track the usage of service accounts by unauthorized users or malicious processes.

Approach: Creating and monitoring decoy service accounts to identify suspicious activities.

Deploy decoy service accounts with names or privileges that mimic legitimate accounts. Monitor these accounts for any login attempts, resource access, or modifications to reveal attacker activity.
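The monitoring step for decoy service accounts (this section and the Google Cloud one above) can be sketched as a small detector. This is an added example, not part of the original page. The record layout borrows Cloud Audit Logs field names; the decoy emails, project ID, IP addresses and log entries are constructed. It assumes the targeted account's email appears in `resourceName`.

```python
import json

# Assumed decoy identities (names follow the page's examples; project ID is a placeholder).
DECOYS = {
    "deployment-admin@example-project.iam.gserviceaccount.com",
    "database-owner@example-project.iam.gserviceaccount.com",
}

def _entry(principal, method, resource, ip):
    # Builds one constructed record that uses Cloud Audit Logs field names.
    return json.dumps({"protoPayload": {
        "authenticationInfo": {"principalEmail": principal},
        "methodName": method, "resourceName": resource,
        "requestMetadata": {"callerIp": ip}}})

SA = "projects/-/serviceAccounts/"
SAMPLE_LOG = [  # constructed sample input, not real log data
    _entry("ci-runner@example-project.iam.gserviceaccount.com",
           "storage.buckets.list", "projects/_/buckets", "198.51.100.10"),
    _entry("alice@example.com", "GenerateAccessToken",
           SA + "deployment-admin@example-project.iam.gserviceaccount.com", "203.0.113.7"),
    _entry("database-owner@example-project.iam.gserviceaccount.com",
           "storage.objects.list", "projects/_/buckets/backups", "203.0.113.7"),
    "{truncated line",  # malformed entry: must be skipped, not crash the detector
]

def decoy_hits(lines, decoys=DECOYS):
    """Return an alert for every entry where a decoy is the caller or the target."""
    alerts = []
    for line in lines:
        try:
            payload = json.loads(line).get("protoPayload", {})
        except (json.JSONDecodeError, AttributeError):
            continue  # not JSON, or not a JSON object
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "").lower()
        resource = payload.get("resourceName", "").lower()
        target = next((d for d in sorted(decoys) if d in resource), None)
        if actor in decoys:
            kind, account = "decoy_used_as_identity", actor   # decoy credentials in use
        elif target:
            kind, account = "decoy_targeted", target          # someone acting on the decoy
        else:
            continue
        alerts.append({"kind": kind, "decoy": account, "actor": actor,
                       "method": payload.get("methodName"),
                       "source_ip": payload.get("requestMetadata", {}).get("callerIp")})
    return alerts

if __name__ == "__main__":
    for alert in decoy_hits(SAMPLE_LOG):
        print(alert)
```

Because a decoy has no legitimate users, every hit is worth triage; the alert keeps the caller identity and source IP so the activity can be correlated with other logs.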

Deceptive Group Memberships

Goal: Expose attackers attempting to enumerate or exploit group memberships and gather information about their activities.

Approach: Creating fake user groups or assigning users to deceptive groups to monitor unauthorized access attempts.

Create fake user groups with enticing names or privileges, or assign honeytoken accounts to legitimate groups to lure attackers and monitor their attempts to exploit group memberships.

Deceptive User Profile Attributes

Goal: Misdirect attackers and gather information about their activities by manipulating user profile attributes.

Approach: Subtly altering user profile information to create misleading paths or trigger alerts.

Modify user profile attributes, such as job titles, department names, or contact information, to create misleading trails or to trigger alerts when accessed by unauthorized users.

Deceptive User Behavior Patterns

Goal: Disrupt attacker profiling and behavioral analysis by simulating unusual user activity.

Approach: Generating fake user activity to confuse attackers and trigger alerts.

Generate fake user activity, such as logins at odd hours, access to unusual files, or execution of uncommon commands. This can disrupt attacker attempts to profile user behavior and blend in with normal activity.

Fake Social Media Profiles

Goal: Gather information about attackers and their social engineering tactics by creating fake social media profiles.

Approach: Creating and monitoring fake social media profiles to attract attackers.

Create fake social media profiles that appear to belong to employees or partners. Monitor any interactions with these profiles to identify attackers, gather information about their reconnaissance techniques, and understand their social engineering tactics.

Deceptive Help Desk Responses

Goal: Disrupt attacker attempts to gain information or access through help desk impersonation.

Approach: Training help desk personnel to provide deceptive responses to suspicious inquiries.

Train help desk personnel to identify and respond to social engineering attempts with deceptive information, delays, or redirects to security teams. This can disrupt attacker reconnaissance, frustrate their efforts, and buy time for incident response.

Deceptive Phishing Campaigns

Goal: Identify susceptible individuals and gather information about ongoing phishing campaigns.

Approach: Launching controlled phishing campaigns with deceptive lures.

Conduct internal phishing campaigns with fake but believable phishing emails. Track who clicks on links, downloads attachments, or provides sensitive information. This reveals vulnerable individuals and gathers intelligence about attacker tactics.