The worst of all deceptions is self-deception
Goal: To identify and gather information about attackers attempting to brute force SSH credentials.
Approach: Monitoring connections to the deceptive SSH server and analyzing attacker behavior.
This element involves creating fake cron jobs that mimic legitimate tasks but trigger alerts or execute harmless commands.
Attackers who attempt to modify or utilize cron jobs for malicious purposes will trigger alerts, revealing their presence and intentions.
Goal: To identify and gather information about attackers attempting to brute force SSH credentials.
Approach: Monitoring connections to the deceptive SSH server and analyzing attacker behavior.
Attackers who attempt to log in to the deceptive SSH server will have their credentials captured, and their activities will be logged. This information can be used to improve defenses and identify potential threats.
Goal: To identify attackers attempting to exploit vulnerabilities in the macOS update process.
Approach: Monitoring interaction with the fake updates and analyzing attacker behavior. This element involves creating fake macOS system updates that mimic legitimate updates but contain misleading or deceptive information or lead to a controlled environment.
Attackers who attempt to install or interact with the fake updates will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the system.
Goal: To identify attackers attempting to establish persistence by creating or modifying launch agents.
Approach: Monitoring access to the deceptive launch agents and analyzing attacker behavior. This element involves creating deceptive launch agents that mimic legitimate ones but contain misleading or deceptive information or trigger alerts.
Attackers who attempt to interact with or modify the deceptive launch agents will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to maintain persistence on the system.
Goal: To identify attackers attempting to tamper with or destroy system logs.
Approach: Monitoring access to the fake system logs and analyzing attacker behavior. This element involves creating fake system logs that mimic legitimate logs but contain misleading or deceptive information.
Attackers who attempt to tamper with or destroy the fake system logs will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to cover their tracks.
Goal: To identify attackers attempting to execute unauthorized shell commands.
Approach: Monitoring command execution and analyzing attacker behavior. This element involves creating deceptive shell commands that mimic legitimate commands but return misleading or deceptive information or trigger alerts.
Attackers who attempt to execute the deceptive shell commands will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to interact with the system.
Goal: To identify attackers attempting to enumerate or modify sensitive configuration files.
Approach: Monitoring access to the deceptive configuration files and analyzing attacker behavior. This element involves creating deceptive configuration files that mimic legitimate files but contain misleading or deceptive information.
Attackers who attempt to access or modify the deceptive configuration files will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to gather information about the system or modify its configuration.
Goal: To identify attackers attempting to access or modify sensitive system files.
Approach: Monitoring access to the fake system files and analyzing attacker behavior.
This element involves creating fake system files that mimic legitimate files but contain misleading or deceptive information.
Attackers who attempt to access or modify the fake system files will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to gather information about the system or modify its configuration.
Goal: To identify attackers attempting to make unauthorized API calls.
Approach: Monitoring API calls and analyzing attacker behavior.
This element involves creating deceptive API calls that mimic legitimate calls but return misleading or deceptive information.
Attackers who attempt to make the deceptive API calls will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to interact with the system.
Goal: To identify attackers attempting to enumerate or modify sensitive registry keys.
Approach: Monitoring access to the deceptive registry keys and analyzing attacker behavior.
This element involves creating deceptive registry keys that mimic legitimate keys but contain misleading or deceptive information.
Attackers who attempt to access or modify the deceptive registry keys will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to gather information about the system or modify its configuration.