This element involves creating fake DNS records that point to deceptive systems or services.
Tag: EAC0016
Phantom Network Traffic Generator
This element generates fake network traffic that mimics legitimate communication patterns, but leads to non-existent services or devices. This creates a confusing environment for attackers, making it difficult to distinguish between real and fake traffic.
Fake DNS Server
Goal: To identify attackers attempting to resolve internal domain names or perform DNS tunneling.
Approach: Monitoring queries to the fake DNS server and analyzing attacker behavior.
This element involves setting up a fake DNS server that responds to specific queries with deceptive answers or redirects them to a controlled environment.
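As an added illustration of this element (example code, not part of the original catalogue), the following decoy responder parses a raw DNS query, logs who asked for what together with tunneling heuristics, and answers with an A record pointing at a controlled environment; the decoy names and honeypot addresses are constructed sample values.

```python
import math
import struct

# Decoy names that do not exist on the real network, each resolving to a
# honeypot address (constructed sample data); any other name also lands on a decoy.
DECOY_RECORDS = {"backup.corp.example": "10.99.0.10", "vault.corp.example": "10.99.0.11"}
HONEYPOT_DEFAULT = "10.99.0.1"

def build_query(txid, qname, qtype=1):
    """Encode a minimal DNS query; used only to construct sample input."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)

def parse_query(packet):
    """Return (txid, qname, qtype, end_of_question_offset) from a raw DNS query."""
    txid = struct.unpack("!H", packet[:2])[0]
    labels, pos = [], 12
    while packet[pos]:  # labels end at a zero-length byte
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    qtype = struct.unpack("!H", packet[pos + 1:pos + 3])[0]
    return txid, ".".join(labels), qtype, pos + 5

def tunneling_indicators(qname, qtype):
    """Heuristics that suggest DNS tunneling rather than an ordinary lookup."""
    hits, labels = [], qname.split(".")
    if len(qname) > 60:
        hits.append("long_name")
    if any(len(l) > 30 for l in labels):
        hits.append("long_label")
    if qtype in (10, 16):  # NULL and TXT records carry payloads in common tunnelers
        hits.append("tunnel_qtype")
    for l in (x for x in labels if len(x) >= 12):
        probs = [l.count(c) / len(l) for c in set(l)]
        if -sum(p * math.log2(p) for p in probs) > 3.5:  # Shannon entropy, bits per char
            hits.append("high_entropy_label")
            break
    return hits

def handle_query(packet, src_ip):
    """Log who asked what, then answer with a decoy A record; returns (log_entry, response)."""
    txid, qname, qtype, qend = parse_query(packet)
    answer_ip = DECOY_RECORDS.get(qname, HONEYPOT_DEFAULT)
    log_entry = {"src": src_ip, "qname": qname, "qtype": qtype,
                 "decoy_hit": qname in DECOY_RECORDS, "indicators": tunneling_indicators(qname, qtype)}
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # response, NOERROR, one answer
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(int(o) for o in answer_ip.split("."))
    return log_entry, header + packet[12:qend] + rr
```

Each log entry records the source, whether a decoy name was hit, and which tunneling heuristics fired, which is the data the monitoring step above analyzes.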
Deceptive Identity Federation
Goal: Redirect attackers attempting to leverage identity federation protocols to a controlled environment.
Approach: Manipulating identity federation responses to misdirect authentication flows.
Modify identity federation responses, such as SAML assertions or OAuth tokens, to redirect attackers to a fake identity provider (IdP) or a honeypot environment.
Deceptive Firewall Rules
Goal: Disrupt attacker reconnaissance and lateral movement by configuring deceptive firewall rules.
Approach: Creating firewall rules that mislead attackers about network segmentation and access controls.
Configure firewall rules that appear to block access to critical systems or sensitive data, but actually redirect traffic to honeypots or decoy networks. This can mislead attackers about the network topology and hinder their progress.
Fake C2 Servers
Goal: Capture attacker communications and gather intelligence about their infrastructure and operations.
Approach: Setting up decoy C2 servers that mimic legitimate C2 infrastructure.
Deploy fake command-and-control (C2) servers that mimic the behavior of popular malware families. These servers can capture attacker commands, log communications, and even deliver deceptive responses to mislead attackers and disrupt their operations.
Deceptive Data Channels
Goal: Redirect attacker exfiltration attempts to controlled channels or disrupt their operations.
Approach: Creating fake data channels that appear to be valuable exfiltration routes.
Set up fake network channels, storage devices, or cloud services that appear to be ideal for data exfiltration. Redirect attacker traffic to these channels to capture exfiltrated data, analyze their methods, or disrupt their operations.
Fake Privilege Boundaries
Goal: Confuse and misdirect attackers by creating the illusion of different privilege levels or access restrictions.
Approach: Presenting attackers with a misleading view of privilege boundaries.
Manipulate system responses or network configurations to create the perception of different privilege levels or access restrictions. This can lead attackers down unproductive paths or reveal their intentions.
Deceptive Beacons
Goal: Confuse and misdirect attackers by deploying deceptive beacons.
Approach: Emitting misleading signals to divert attackers.
Deploy beacons that mimic the network traffic of vulnerable or compromised systems. These beacons can lead attackers towards honeypots, decoy networks, or even trigger automated responses.
Deceptive Identity Provider (IdP) Responses
Goal: Redirect attackers attempting to authenticate to a deceptive environment.
Approach: Manipulating IdP responses to redirect authentication flows.
When an attacker attempts to authenticate through an IdP (e.g., OAuth, SAML), manipulate the response to redirect them to a fake login portal or a controlled environment.