The worst of all deceptions is self-deception
Goal: To identify attackers attempting to compromise or gain access to sensitive data within Docker containers.
Approach: Monitoring access to the deceptive container and analyzing attacker behavior. This element involves deploying a deceptive Docker container that mimics a legitimate container but contains fake or misleading data, or triggers alerts upon access.
Attackers who attempt to access or modify data within the deceptive container will be identified and their actions will be logged.
Goal: To identify attackers attempting to exploit vulnerabilities in the logging system or to gather information about the system’s activity.
Approach: Monitoring the deceptive daemon for any signs of interaction or modification.
This element involves configuring a deceptive syslog daemon that listens for specific log messages and triggers deceptive responses, such as sending fake alerts or redirecting attackers to a honeypot.
Attackers who attempt to interact with or modify the deceptive daemon will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the system.
Goal: To identify attackers attempting to exploit vulnerabilities in the service or to gain persistence on the system.
Approach: Monitoring the fake service for any signs of interaction or modification.This element involves creating a fake systemd service that mimics a legitimate service but performs a deceptive action, such as logging login attempts, triggering alerts, or redirecting connections to a honeypot.
Attackers who attempt to interact with or modify the fake service will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the system.
Goal: To identify and gather information about attackers attempting to brute force SSH credentials.
Approach: Monitoring connections to the deceptive SSH server and analyzing attacker behavior.
This element involves creating fake cron jobs that mimic legitimate tasks but trigger alerts or execute harmless commands.
Attackers who attempt to modify or utilize cron jobs for malicious purposes will trigger alerts, revealing their presence and intentions.
Goal: To identify and gather information about attackers attempting to brute force SSH credentials.
Approach: Monitoring connections to the deceptive SSH server and analyzing attacker behavior.
Attackers who attempt to log in to the deceptive SSH server will have their credentials captured, and their activities will be logged. This information can be used to improve defenses and identify potential threats.
Goal: To identify attackers attempting to exploit vulnerabilities in the macOS update process.
Approach: Monitoring interaction with the fake updates and analyzing attacker behavior. This element involves creating fake macOS system updates that mimic legitimate updates but contain misleading or deceptive information or lead to a controlled environment.
Attackers who attempt to install or interact with the fake updates will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the system.
Goal: To identify attackers attempting to establish persistence by creating or modifying launch agents.
Approach: Monitoring access to the deceptive launch agents and analyzing attacker behavior. This element involves creating deceptive launch agents that mimic legitimate ones but contain misleading or deceptive information or trigger alerts.
Attackers who attempt to interact with or modify the deceptive launch agents will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to maintain persistence on the system.
Goal: To identify attackers attempting to tamper with or destroy system logs.
Approach: Monitoring access to the fake system logs and analyzing attacker behavior. This element involves creating fake system logs that mimic legitimate logs but contain misleading or deceptive information.
Attackers who attempt to tamper with or destroy the fake system logs will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to cover their tracks.
Goal: To identify attackers attempting to execute unauthorized shell commands.
Approach: Monitoring command execution and analyzing attacker behavior. This element involves creating deceptive shell commands that mimic legitimate commands but return misleading or deceptive information or trigger alerts.
Attackers who attempt to execute the deceptive shell commands will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to interact with the system.
Goal: To identify attackers attempting to enumerate or modify sensitive configuration files.
Approach: Monitoring access to the deceptive configuration files and analyzing attacker behavior. This element involves creating deceptive configuration files that mimic legitimate files but contain misleading or deceptive information.
Attackers who attempt to access or modify the deceptive configuration files will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to gather information about the system or modify its configuration.