The worst of all deceptions is self-deception
Goal: To identify attackers attempting to exploit vulnerabilities or gain information through exception handling mechanisms.
Approach: Monitoring exception handling routines and providing deceptive responses. This element involves modifying exception handling routines to provide misleading information or redirect execution flow.
By manipulating exception handling, this element can disrupt attacker tools, gather information about their activities, or conceal sensitive data.
Goal: To identify and mislead attackers attempting to hijack system calls for malicious purposes.
Approach: Monitoring system call activity and providing deceptive responses. This element involves manipulating the System Call Table to redirect specific calls to deceptive functions.
By redirecting system calls, this element can disrupt attacker tools, gather information about their activities, or lead them to controlled environments.
Goal: To identify and mislead attackers attempting to manipulate system behavior through API hooking.
Approach: Monitoring API calls and providing deceptive responses. This element involves intercepting specific API calls and returning misleading or unexpected data to attackers.
By manipulating API call responses, this element can confuse attackers, disrupt their tools, or lead them down false paths.
Goal: To identify attackers attempting to gather information about Active Directory objects or to exploit vulnerabilities in the LDAP protocol.
Approach: Monitoring LDAP queries and analyzing attacker behavior. This element involves configuring a deceptive LDAP server that responds to specific queries with misleading or deceptive information.
Attackers who attempt to interact with the deceptive LDAP server will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the Active Directory environment.
Goal: To identify attackers attempting to enumerate or modify Active Directory objects.
Approach: Monitoring access to the fake domain controller and analyzing attacker behavior. This element involves setting up a fake domain controller that mimics a legitimate one but contains deceptive information, such as fake user accounts or group memberships.
Attackers who attempt to interact with the fake domain controller will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the Active Directory environment.
Goal: To identify attackers attempting to steal sensitive information stored as Kubernetes secrets.
Approach: Monitoring access to the fake secrets and analyzing attacker behavior. This element involves creating fake Kubernetes secrets that mimic legitimate secrets but contain misleading or deceptive information.
Attackers who attempt to access or exfiltrate the fake secrets will be identified and their actions will be logged.
Goal: To identify attackers attempting to compromise or gain access to sensitive data within Docker containers.
Approach: Monitoring access to the deceptive container and analyzing attacker behavior. This element involves deploying a deceptive Docker container that mimics a legitimate container but contains fake or misleading data, or triggers alerts upon access.
Attackers who attempt to access or modify data within the deceptive container will be identified and their actions will be logged.
Goal: To identify attackers attempting to resolve internal domain names or perform DNS tunneling.
Approach: Monitoring queries to the fake DNS server and analyzing attacker behavior.
This element involves setting up a fake DNS server that responds to specific queries with deceptive answers or redirects them to a controlled environment.
Goal: To identify attackers attempting to exploit vulnerabilities in the logging system or to gather information about the system’s activity.
Approach: Monitoring the deceptive daemon for any signs of interaction or modification.
This element involves configuring a deceptive syslog daemon that listens for specific log messages and triggers deceptive responses, such as sending fake alerts or redirecting attackers to a honeypot.
Attackers who attempt to interact with or modify the deceptive daemon will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the system.
Goal: To identify attackers attempting to exploit vulnerabilities in the service or to gain persistence on the system.
Approach: Monitoring the fake service for any signs of interaction or modification.This element involves creating a fake systemd service that mimics a legitimate service but performs a deceptive action, such as logging login attempts, triggering alerts, or redirecting connections to a honeypot.
Attackers who attempt to interact with or modify the fake service will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the system.