Deceptive User Profile Attributes

Goal: Misdirect attackers and gather information about their activities by manipulating user profile attributes.

Approach: Subtly altering user profile information to create misleading paths or trigger alerts.

Seed decoy attributes on directory user objects, such as a job title, department name, or phone number that references a non-existent team or a decoy system, so that an attacker enumerating the directory follows a misleading trail. Audit reads of the decoy attributes, which few legitimate applications query, and alert when the read comes from an account or host that has no business doing so. Do not alter attributes that real workflows depend on, such as mail routing or HR synchronization fields.

Fake System Logs

Goal: Gather information about attacker activity by planting fake system logs.

Approach: Creating and placing misleading system logs to attract attacker attention.

Create fake log files that show the kind of activity an attacker looks for when assessing a host: failed login attempts, a successful privilege escalation, or signs of an earlier compromise. Place them where attackers search for such evidence, such as system log directories and administrator home directories. The log content only misdirects; the detection value comes from auditing reads of the fake files, so enable file access auditing on them and alert on any read that does not come from a known backup or scanning process. Keep the fabricated entries internally consistent (real hostnames, decoy rather than real accounts) so they do not stand out, and exclude them from the real log pipeline so they are never mistaken for a genuine incident.

Fake Social Media Profiles

Goal: Gather information about attackers and their social engineering tactics by creating fake social media profiles.

Approach: Creating and monitoring fake social media profiles to attract attackers.

Create fake social media profiles for fictitious employees or partners rather than impersonating real people, and monitor any interactions with them to identify attackers, gather information about their reconnaissance techniques, and understand their social engineering tactics. Coordinate with legal and HR before deploying the personas, since they will attract contact that must be handled consistently.

Deceptive Help Desk Responses

Goal: Disrupt attacker attempts to gain information or access through help desk impersonation.

Approach: Training help desk personnel to provide deceptive responses to suspicious inquiries.

Train help desk personnel to recognize social engineering attempts and to respond with scripted deceptive information, delays, or redirects to the security team instead of the requested data or access. Log and escalate every such interaction so that the caller's number, pretext and requested target can be correlated with other activity. This disrupts attacker reconnaissance, frustrates their efforts, and buys time for incident response.

Deceptive C2 Protocols

Goal: Disrupt attacker communications by manipulating C2 protocols or introducing unexpected behavior.

Approach: Modifying C2 protocols or introducing anomalies to confuse attackers.

Once an attacker's command-and-control channel has been identified and can be intercepted on infrastructure you control (an egress proxy, a DNS resolver, or the implant's own host), manipulate it to confuse the attacker or disrupt their tooling: delay or reorder beacons, corrupt or truncate tasking responses, or alter data formats so the implant's parser fails. Limit the manipulation to traffic on your own network and implants on your own hosts; injecting commands toward the attacker's server raises legal questions. Any visible anomaly may tip the attacker off, so decide in advance whether the goal is covert observation or overt disruption.

Deceptive Data Masking

Goal: Disrupt attacker attempts to exfiltrate sensitive data by masking or altering its content.

Approach: Modifying sensitive data in transit to render it useless to attackers.

Implement mechanisms at an egress control point that alter sensitive data in flows already classified as exfiltration by DLP or proxy inspection: encrypt or obfuscate it so the attacker receives nothing usable, or replace it with decoy records that look valid, which also gives attribution if the decoys later surface. Apply substitution only to flows classified with high confidence, since altering a legitimate transfer corrupts business data. Prefer decoy substitution where covert monitoring is wanted, because visibly scrambled data tells the attacker they were detected.
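The decoy-substitution variant, as an added example that is not part of the original page: it assumes an upstream egress control has already flagged the flow as exfiltration and hands the payload to this code. Card-like digit runs that pass the Luhn check are swapped for decoys that are themselves Luhn-valid (so they look real to the attacker) and carry a hypothetical canary prefix, and a registry keeps only a hash of the real value so a decoy that later surfaces can be traced without storing the sensitive data again. The sample payload is constructed.

```python
import hashlib
import random
import re

# 13-16 contiguous digits; the Luhn check below discards order numbers and the like.
CARD_RE = re.compile(r"\b\d{13,16}\b")
# Hypothetical canary prefix: every decoy starts with it, so a decoy that later
# surfaces (in a dump, a fraud attempt) can be traced back through the registry.
DECOY_PREFIX = "999999"


def luhn_checksum(digits: str) -> int:
    """Luhn mod-10 sum over a digit string; 0 means the check digit is valid."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(digits: str) -> bool:
    return digits.isdigit() and luhn_checksum(digits) == 0


def make_decoy(length: int, rng: random.Random) -> str:
    """Decoy number of the requested length: canary prefix, random body, valid check digit."""
    body_len = length - len(DECOY_PREFIX) - 1
    body = DECOY_PREFIX + "".join(str(rng.randrange(10)) for _ in range(body_len))
    check = (10 - luhn_checksum(body + "0")) % 10
    return body + str(check)


class ExfilMasker:
    """Swaps Luhn-valid card numbers in an exfiltration flow for decoys.

    Assumed to sit behind an egress control (DLP, proxy) that has already
    classified the flow as exfiltration; it is not a general-purpose filter.
    """

    def __init__(self, seed=None):
        self.rng = random.Random(seed)
        self.registry = {}      # decoy -> SHA-256 of the real value (never the value itself)
        self._issued = {}       # SHA-256 of real value -> decoy, so repeats map consistently

    def mask(self, payload: str) -> str:
        def swap(match):
            real = match.group(0)
            if not luhn_valid(real):
                return real     # not a card number; leave untouched
            digest = hashlib.sha256(real.encode()).hexdigest()
            decoy = self._issued.get(digest)
            if decoy is None:
                decoy = make_decoy(len(real), self.rng)
                self._issued[digest] = decoy
                self.registry[decoy] = digest
            return decoy
        return CARD_RE.sub(swap, payload)


if __name__ == "__main__":
    masker = ExfilMasker(seed=7)
    # Constructed payload: one Luhn-valid test card number, one order number that is not.
    sample = "export: card=4111111111111111 order=1234567890123 card=4111111111111111"
    print(masker.mask(sample))
    print(masker.registry)
```

The same real value always maps to the same decoy within a session, so the attacker sees a consistent data set rather than a dump where identical records disagree, which is the kind of inconsistency that reveals tampering.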

Deceptive Local Administrator Passwords

Goal: Detect and disrupt attacker attempts to reuse local administrator credentials for lateral movement.

Approach: Seeding decoy local administrator credentials that are never used legitimately.

Create decoy local administrator accounts, or plant decoy credentials where attackers harvest them (cached logon material, scripts, configuration files), with passwords that differ from the real one and that no legitimate process ever uses. Any authentication attempt with a decoy credential is then a high-fidelity indicator of credential theft, and attackers who rely on credential dumping or password spraying waste time on accounts that never work. Pair this with unique real local administrator passwords per host (for example via LAPS), since the decoys detect reuse but do not prevent it.

Deceptive Network Shares

Goal: Detect attempts to access sensitive or restricted network shares.

Approach: Creating and monitoring fake network shares.

Create fake network shares with enticing names (finance, backups, IT), populated with plausible decoy files and with permissions loose enough to be discoverable. Enable auditing on share and file access, exclude known backup and anti-malware scanners, and alert on everything else, since no legitimate user has a reason to open them. Share names and contents should follow the naming conventions of the real shares in the environment so that a quick enumeration does not reveal them as decoys.
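The detection logic the Fake System Logs, Deceptive Local Administrator Passwords and Deceptive Network Shares entries all rely on, as one added example that is not part of the original page. It evaluates events in the shape of Windows Security event data (5140 share access, 4663 object access, 4625 and 4624 failed and successful logon) against a decoy inventory, suppresses the backup account that is expected to touch decoys, and counts hits per source address so that one address tripping several decoys stands out. The inventory names and the sample events are constructed; 4663 only appears if a SACL is set on the decoy file and object access auditing is enabled.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed decoy inventory (hypothetical names). In practice this comes from the
# deception platform or a config file and must match what was actually deployed.
DECOY_SHARES = {r"\\*\Finance_Archive", r"\\*\IT_Backups"}
DECOY_FILES = {r"C:\Windows\System32\LogFiles\auth_failures.log"}
HONEY_ACCOUNTS = {"localadmin_bak"}
# Accounts that legitimately touch decoys (backup, anti-malware) and must not page anyone.
EXPECTED_READERS = {"svc_backup"}

# Constructed sample events using Windows Security event data field names
# (5140 share access, 4663 object access, 4625/4624 failed/successful logon).
SAMPLE_EVENTS = [
    {"EventID": 5140, "SubjectUserName": "jdoe", "ShareName": r"\\*\Public", "IpAddress": "10.0.5.23"},
    {"EventID": 5140, "SubjectUserName": "jdoe", "ShareName": r"\\*\Finance_Archive", "IpAddress": "10.0.5.23"},
    {"EventID": 4663, "SubjectUserName": "svc_backup", "ObjectName": r"C:\Windows\System32\LogFiles\auth_failures.log"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "ObjectName": r"C:\Windows\System32\LogFiles\auth_failures.log"},
    {"EventID": 4625, "TargetUserName": "localadmin_bak", "IpAddress": "10.0.5.23", "WorkstationName": "WS023"},
    {"EventID": 4624, "TargetUserName": "localadmin_bak", "IpAddress": "10.0.5.23", "WorkstationName": "WS023"},
    {"EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.5.23", "WorkstationName": "WS023"},
]


@dataclass
class Alert:
    severity: str
    reason: str
    actor: str
    source: str


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert if the event touches a decoy, None for everything else."""
    eid = event.get("EventID")
    actor = event.get("SubjectUserName", event.get("TargetUserName", "?"))
    source = event.get("IpAddress", "local")   # 4663 is host-local and carries no address

    if eid == 5140 and event.get("ShareName") in DECOY_SHARES:
        if actor in EXPECTED_READERS:
            return None
        return Alert("high", f"decoy share accessed: {event['ShareName']}", actor, source)

    if eid == 4663 and event.get("ObjectName") in DECOY_FILES:
        if actor in EXPECTED_READERS:
            return None
        return Alert("medium", f"decoy file read: {event['ObjectName']}", actor, source)

    if eid in (4624, 4625) and event.get("TargetUserName") in HONEY_ACCOUNTS:
        # A failed logon means the decoy credential was harvested and tried; a
        # successful one means the decoy account itself has been compromised.
        severity = "critical" if eid == 4624 else "high"
        outcome = "succeeded" if eid == 4624 else "failed"
        return Alert(severity, f"logon with honey account {outcome}", actor, source)

    return None


def evaluate_all(events) -> list:
    return [a for a in map(evaluate, events) if a is not None]


def hits_by_source(alerts) -> dict:
    """Count decoy hits per source; several hits from one address is an attacker, not noise."""
    return dict(Counter(a.source for a in alerts))


if __name__ == "__main__":
    found = evaluate_all(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(hits_by_source(found))
```

Severity is driven by what the hit implies rather than by the event type alone: a read of a decoy log file can be curiosity, a decoy share opened by an ordinary user is deliberate, and a successful logon as the honey account means the credential is in use. Feeding these alerts into the same correlation as real security events lets the analyst see which real hosts the source address touched before and after the decoy.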

Fake Privilege Boundaries

Goal: Confuse and misdirect attackers by creating the illusion of different privilege levels or access restrictions.

Approach: Presenting attackers with a misleading view of privilege boundaries.

Manipulate system responses or network configurations so the attacker perceives privilege levels or access restrictions that do not correspond to reality: for example, directories or services that return access denied but protect nothing, or apparent admin-only paths that lead into monitored decoys. Attempts to cross these boundaries reveal the attacker's intent and tooling while they spend effort on unproductive paths. Keep the illusion consistent with the rest of the environment, since a boundary that behaves unlike the real ones exposes the deception.