Deceptive Document Watermarks

Goal: Track the dissemination of sensitive documents and identify potential leaks.

Approach: Embedding hidden watermarks in documents to track their movement.

Embed hidden watermarks within documents that reveal themselves only under specific conditions or when accessed by unauthorized parties. These watermarks can contain tracking information, decoy data, or even trigger alerts upon discovery.
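As an added example (not part of the original page), the Python below shows one way to realise a per-recipient tracking watermark in a plain-text document: the recipient identifier plus a truncated HMAC tag is encoded as zero-width characters, so the marker is invisible when the document is displayed but can be recovered from a leaked copy and checked against the key before anyone is blamed. The key, the recipient identifiers, the sample document and the zero-width encoding scheme are all constructed for this example.

```python
import hashlib
import hmac
from typing import Optional

# Zero-width code points carry the payload; this encoding scheme is an assumption of the example.
ZW_ZERO = "\u200b"   # ZERO WIDTH SPACE       -> bit 0
ZW_ONE = "\u200c"    # ZERO WIDTH NON-JOINER  -> bit 1
ZW_MARK = "\u2060"   # WORD JOINER            -> delimits the payload
_INVISIBLE = {ZW_ZERO, ZW_ONE, ZW_MARK}

# Constructed key. A real deployment keeps it in a secret store: holding it is what
# lets you both issue and verify marks.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
TAG_BYTES = 4  # truncated HMAC-SHA256 tag appended to the recipient id


def _tag(recipient_id: bytes, key: bytes) -> bytes:
    return hmac.new(key, recipient_id, hashlib.sha256).digest()[:TAG_BYTES].hex().encode()


def embed_watermark(text: str, recipient_id: str, key: bytes = SECRET_KEY) -> str:
    """Return `text` with an invisible, authenticated marker naming this recipient's copy."""
    rid = recipient_id.encode()
    payload = rid + b"|" + _tag(rid, key)
    bits = "".join(f"{byte:08b}" for byte in payload)
    hidden = ZW_MARK + "".join(ZW_ONE if b == "1" else ZW_ZERO for b in bits) + ZW_MARK
    # Park the marker after the first word so it sits inside ordinary text; if the text has
    # no space at all, partition() leaves sep and tail empty and the marker lands at the end.
    head, sep, tail = text.partition(" ")
    return head + hidden + sep + tail


def extract_watermark(text: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Recover the recipient id from a copy, or None if the marker is missing or fails to verify."""
    start = text.find(ZW_MARK)
    end = text.find(ZW_MARK, start + 1) if start >= 0 else -1
    if end < 0:
        return None
    bits = "".join("1" if c == ZW_ONE else "0"
                   for c in text[start + 1:end] if c in (ZW_ZERO, ZW_ONE))
    if not bits or len(bits) % 8:
        return None
    payload = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    rid, sep, tag = payload.rpartition(b"|")
    # A mismatching tag means a forged, damaged or foreign mark: never attribute a leak on it.
    if not sep or not rid or not hmac.compare_digest(_tag(rid, key), tag):
        return None
    try:
        return rid.decode()
    except UnicodeDecodeError:
        return None


def strip_invisible(text: str) -> str:
    """Remove the zero-width code points, e.g. to confirm the visible text is unchanged."""
    return "".join(c for c in text if c not in _INVISIBLE)


# Constructed sample document.
DOC = "Quarterly forecast: revenue is expected to rise 8% on stronger enterprise demand."

if __name__ == "__main__":
    copy_for_alice = embed_watermark(DOC, "alice@example.test")
    print(repr(copy_for_alice))
    print("leaked copy belongs to:", extract_watermark(copy_for_alice))
```

Zero-width marks survive plain copy-and-paste into most editors and mail clients but not retyping, OCR or aggressive text sanitisation, so treat this as one tracking layer among several rather than the only one. The HMAC tag is what makes the scheme usable as evidence: an identifier that does not verify is reported as absent instead of pointing at a recipient who may never have received that copy.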

Poisoned Scripts

Goal: Disrupt attacker operations by injecting deceptive code into scripts downloaded from developer machines.

Approach: Manipulating scripts to deliver misleading information or disrupt execution.

If an attacker compromises a developer’s machine and downloads scripts or code, inject subtle errors, delays, or misleading functions into those files. This can cause the attacker’s tools to malfunction or lead them down false paths.

Deceptive MFA Prompts

Goal: Disrupt and delay attackers attempting to bypass Multi-Factor Authentication (MFA).

Approach: Presenting attackers with deceptive MFA prompts.

When an attacker attempts to log in, present them with an unexpected MFA prompt, even if they have valid credentials. This can be a fake push notification, a request for a non-existent biometric scan, or a challenge question with no right answer.

Fake Active Directory Objects

Goal: Gather information about attacker activity by creating fake Active Directory objects.

Approach: Monitoring access to deceptive Active Directory objects.

This element creates fake user accounts, computers, or groups within Active Directory. Any attempts to access or interact with these objects are logged, providing valuable intelligence about attacker reconnaissance and lateral movement.

WMI Event Deception

Goal: Disrupt attacker activity by generating deceptive WMI events.

Approach: Generating fake WMI events to confuse attackers.

This element generates deceptive WMI events that mimic legitimate system activity but contain false information. This can confuse attackers and disrupt their reconnaissance or lateral movement efforts.

Deceptive Named Pipe Server

Goal: Detect attempts to communicate with known malicious named pipes.

Approach: Monitoring for connections to deceptive named pipes.

This element creates a named pipe with a name commonly used by malware. When malware attempts to connect, the deceptive server captures information about the malware and can optionally deliver a deceptive payload.

Deceptive Browser Extension

Goal: Gather information about web-based attacks by deploying a deceptive browser extension.

Approach: Collecting data on attacker activity through a deceptive browser extension.

This element involves creating a browser extension that mimics legitimate functionality but secretly collects information about attacker activity.

Linux Kernel Module Deception

Goal: Detect rootkit activity by presenting a deceptive view of kernel modules.

Approach: Monitoring kernel module activity for anomalies.

This element involves creating a deceptive kernel module that mimics legitimate modules but provides false information when queried by malicious actors.

Deception for Insider Threat Detection

Goal: Detect and mitigate insider threats using deceptive techniques.

Approach: Detecting malicious activities by insiders using deception.

This element involves deploying deception assets and techniques to detect and deter malicious insiders. It may include creating fake files, documents, or credentials that are designed to attract insider attention.
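The fake Active Directory objects described earlier and the insider-threat honeyfiles in this section share one detection rule: any touch of a decoy asset, except by the service that maintains the decoys, is an alert. As an added example (not the page's own tooling), the Python below runs that rule over a few constructed Windows Security events in JSON-lines form: 4624/4625 logons and 4768/4771 Kerberos TGT events for a decoy account, 4769 service-ticket requests naming a decoy service account, 4662 access to a decoy directory object and 4663 access to a honeyfile. The decoy names, the decoy-manager account and every log line are constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Decoy inventory (constructed for this example). These names exist only to be touched.
HONEY_ACCOUNTS = {"svc_backup_legacy", "adm_sql_old"}
HONEY_AD_OBJECTS = {"cn=fs-legacy-01,ou=servers,dc=corp,dc=example"}
HONEYFILES = {r"\\fs01\finance\board_compensation_draft.xlsx".lower()}
# The account that creates and refreshes the decoys; its own activity is expected, not an alert.
DECOY_MANAGER = "svc_deception"


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    actor: str    # who touched the decoy
    target: str   # which decoy
    origin: str   # source IP or workstation, where the event carries one


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert if a parsed Security event touches a decoy, else None."""
    eid = event.get("EventID")
    origin = event.get("IpAddress") or event.get("WorkstationName") or "unknown"

    # Logon (4624 success, 4625 failure) and Kerberos TGT (4768 issued, 4771 pre-auth failed)
    # events name the account in TargetUserName. No legitimate user knows a decoy account
    # exists, so even a failed attempt is high severity.
    if eid in (4624, 4625, 4768, 4771):
        user = str(event.get("TargetUserName", "")).lower()
        if user in HONEY_ACCOUNTS:
            return Alert("high", f"logon/TGT activity (event {eid}) for decoy account",
                         user, user, origin)

    # 4769: a service ticket was requested; the decoy is ServiceName, the requester TargetUserName.
    elif eid == 4769:
        requester = str(event.get("TargetUserName", "")).lower()
        service = str(event.get("ServiceName", "")).lower()
        if service in HONEY_ACCOUNTS and requester != DECOY_MANAGER:
            return Alert("high", "service ticket requested for decoy account",
                         requester, service, origin)

    # 4662 (directory object) and 4663 (file object) only fire when the decoy carries an audit SACL.
    elif eid in (4662, 4663):
        actor = str(event.get("SubjectUserName", "")).lower()
        target = str(event.get("ObjectName", "")).lower()
        if actor != DECOY_MANAGER and (target in HONEY_AD_OBJECTS or target in HONEYFILES):
            return Alert("medium", f"object access (event {eid}) to decoy", actor, target, origin)

    return None


def scan(lines) -> list:
    """Run classify() over JSON-lines events, skipping malformed lines instead of failing."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: one JSON object per line, mimicking exported Security events.
SAMPLE_LOG = r'''
{"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"}
{"EventID": 4625, "TargetUserName": "svc_backup_legacy", "IpAddress": "10.0.0.77"}
{"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "adm_sql_old", "IpAddress": "10.0.0.5"}
{"EventID": 4662, "SubjectUserName": "svc_deception", "ObjectName": "CN=FS-LEGACY-01,OU=Servers,DC=corp,DC=example"}
{"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "CN=FS-LEGACY-01,OU=Servers,DC=corp,DC=example", "WorkstationName": "WS-0412"}
{"EventID": 4663, "SubjectUserName": "mtan", "ObjectName": "\\\\fs01\\finance\\board_compensation_draft.xlsx"}
this line is not JSON and is skipped
'''

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity}] {a.reason}: actor={a.actor} target={a.target} origin={a.origin}")
```

Two practical points the code encodes: the decoy manager's own activity is excluded, because the tooling that refreshes decoy attributes would otherwise be the noisiest "attacker", and 4662/4663 are silent unless an audit SACL is set on the decoy object and the matching audit policy (DS Access or Object Access) is enabled, so a decoy with no SACL produces no access telemetry at all.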

Symbolic Execution-Based Parameter Extraction

Goal: Gather comprehensive information about malware behavior and identify potential deception parameters.

Approach: Deep analysis of malware using symbolic execution.

This element utilizes symbolic execution to analyze malware behavior and extract potential deception parameters. By exploring multiple execution paths, it can reveal hidden behaviors and identify critical system configurations that can be manipulated for deception,