Fake Social Media Profile with Deceptive Posts

Goal: To gather information about attackers or to spread disinformation.

Approach: Monitoring interaction with the fake profile and analyzing attacker behavior.

Attackers who interact with the fake profile or its posts will be identified, and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to gather information about employees or spread disinformation.

Deceptive Phishing Email with Delayed Delivery

Goal: To identify attackers who open or interact with the delayed phishing email and to make it more difficult for attackers to phish employees.

Approach: This element involves sending a deceptive phishing email to employees that appears to be legitimate but is intentionally delayed in delivery.

Attackers who open or interact with the delayed email will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to phish employees.

Deceptive SAML IdP

Goal: To gather information about attackers attempting to exploit SAML vulnerabilities and detect their presence.

Approach: Monitoring access to the deceptive SAML IdP and analyzing attacker behavior.

Attackers who attempt to use the fake SAML IdP for authentication or authorization will be misled, and their actions will be logged.

Fake OAuth 2.0 Server

Goal: To gather information about attackers attempting to exploit OAuth 2.0 vulnerabilities and detect their presence.

Approach: Monitoring access to the fake OAuth 2.0 server and analyzing attacker behavior.

Attackers who attempt to use the fake OAuth 2.0 server for authentication or authorization will be misled, and their actions will be logged.

Deceptive Kerberos Server

Goal: To gather information about attackers attempting to exploit Kerberos vulnerabilities and detect their presence.

Approach: Monitoring access to the deceptive Kerberos server and analyzing attacker behavior.

Attackers who attempt to use the fake Kerberos server for authentication or ticket manipulation will be misled, and their actions will be logged.

Deceptive Biometric Authentication

Goal: Detect attackers attempting to bypass or spoof biometric authentication mechanisms.

Approach: Creating deceptive biometric authentication prompts that capture attacker attempts or redirect them to decoy systems.

Deploy fake biometric authentication prompts that appear to process biometric data but instead capture attacker attempts, log their activities, or redirect them to controlled environments.

Deceptive Password Reset Mechanisms

Goal: Thwart attackers’ attempts to reset passwords or gain unauthorized access through password recovery mechanisms.

Approach: Introducing deceptive password reset flows that delay attackers or lead them to decoy systems.

Implement fake password reset pages or email flows that appear to process password reset requests but instead capture attacker information, delay their progress, or redirect them to controlled environments.

Deceptive Access Tokens

Goal: Disrupt attackers’ attempts to leverage stolen or forged access tokens for unauthorized access.

Approach: Introducing deceptive access tokens that lead to decoy resources or trigger alerts.

Inject fake access tokens into processes or memory that appear to grant access to sensitive data or critical systems. These tokens can be designed to mislead attackers, cause their tools to malfunction, or trigger alerts upon usage.

Deceptive Kerberos Authentication

Goal: Detect attackers attempting to exploit Kerberos for privilege escalation or lateral movement.

Approach: Creating deceptive Kerberos services or accounts to lure attackers and monitor their activities.

Deploy fake Kerberos services or configure deceptive service principal names (SPNs) that appear to grant access to sensitive resources or systems. Monitor these for unauthorized access attempts or suspicious Kerberos ticket requests.
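One way to monitor a deceptive SPN for ticket requests, shown as an added example that is not part of the original page: it scans Windows Security event 4769 (Kerberos service ticket requested) records for requests that name a decoy service account. The account names, the allowlist and the JSON-lines export format are assumptions, and the sample events are constructed.

```python
import json

# Assumptions (hypothetical names): accounts that hold the decoy SPNs, and
# accounts allowed to touch them, e.g. a deception health check.
DECOY_SERVICE_ACCOUNTS = {"svc-sqlbackup-decoy"}
ALLOWLIST = {"deception-monitor"}
RC4_HMAC = "0x17"  # etype 23; worth flagging where AES is the norm

# Constructed sample input: Security event 4769 records exported as JSON lines.
SAMPLE_EVENTS = """\
{"EventID": 4769, "TimeCreated": "2024-05-01T10:00:01Z", "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.21", "Status": "0x0"}
{"EventID": 4769, "TimeCreated": "2024-05-01T10:02:13Z", "TargetUserName": "jsmith@CORP.EXAMPLE", "ServiceName": "svc-sqlbackup-decoy", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.57", "Status": "0x0"}
{"EventID": 4769, "TimeCreated": "2024-05-01T10:05:00Z", "TargetUserName": "deception-monitor@CORP.EXAMPLE", "ServiceName": "svc-sqlbackup-decoy", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"}
not-json: truncated record
{"EventID": 4769, "TimeCreated": "2024-05-01T10:09:41Z", "TargetUserName": "wks-114$@CORP.EXAMPLE", "ServiceName": "SVC-SQLBACKUP-DECOY", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.88", "Status": "0x0"}
"""


def find_decoy_ticket_requests(raw):
    """Return one alert per service-ticket request (4769) for a decoy account."""
    alerts = []
    for line in raw.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged records instead of aborting the scan
        if not isinstance(ev, dict) or ev.get("EventID") != 4769:
            continue
        service = str(ev.get("ServiceName", "")).lower()
        requester = str(ev.get("TargetUserName", "")).split("@")[0].lower()
        if service not in DECOY_SERVICE_ACCOUNTS or requester in ALLOWLIST:
            continue
        alerts.append({
            "time": ev.get("TimeCreated"),
            "requester": requester,
            "source_ip": str(ev.get("IpAddress", "")).removeprefix("::ffff:"),
            "service": service,
            "rc4_requested": str(ev.get("TicketEncryptionType", "")).lower() == RC4_HMAC,
            "failed": ev.get("Status") != "0x0",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_decoy_ticket_requests(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Because no legitimate workload uses the decoy account, every alert is worth triage; the `rc4_requested` flag only helps prioritise.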

Deceptive User Permissions

Goal: Thwart attackers’ attempts to exploit user permissions for lateral movement or unauthorized access.

Approach: Implementing misleading access control lists (ACLs) or fake permissions to misdirect attackers.

Configure deceptive permissions on files, folders, or other resources that suggest access to sensitive data or critical systems. These permissions can lead attackers toward decoy assets or trigger alerts upon unauthorized access attempts.