With the passing of ‘Cyber Deception Day’ (appropriately held on April 1) there’s been some resurgence of interest in cyber deception tools and techniques (also known as ‘active detection‘).
My approach:
- Know your enemy: Research Mitre ATT&CK to identify techniques used by your adversaries.
- Deceive your enemy: Use Mitre D3FEND to learn techniques to defend against your adversaries using deception techniques.
- Detect your enemy: Apply defensive tools/methods to detect and respond to the deception triggers you’ve laid out (endpoint detection, OS and cloud event logging, SIEM, SOAR).
Here are some ideas for ways to add ‘deceptions’ to your network without having to jump into a pro solution (I’m not against spending $$, but I suggest that as a next step).
Note: most of these suggestions imply a “landmine” approach – i.e. don’t worry about clever deceptions, start with just triggering alarms on things people shouldn’t be touching.
If you want to get to the ‘high interaction level’ of deception, you’ll probably need a professional product.
The toolkit list for cyber deception:
- fake documents
- user accounts – Microsoft suggests honey token accounts
- Azure resources
- port listeners – could be a honeypot since this is the ‘landmine’ approach
- random VMs with EDR
- random web server with a known vulnerability (that can be contained)
- standalone domain server
- keystore – Microsoft suggests honey token keys
- robots.txt – embed ‘breadcrumbs’ in common places where hackers will visit.
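To show what the ‘landmine’ approach looks like on the detection side (the third step above, applied to the honey token accounts, fake documents and port listeners in the toolkit list), here is an added example that is not part of the original post: a small Python checker that scans log lines for any touch of a decoy and emits an alert, then groups hits by source host. The log line formats, the decoy names, the event IDs chosen for severity and the sample log are all constructed for illustration; in practice the same matching would live in your SIEM rules, with the inventory of decoys kept out of the logs themselves.

```python
"""Landmine-style honeytoken detector (added example; formats and names are assumptions).

Decoys are never used legitimately, so a single touch is an alert, not a hint.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed honeytoken inventory: decoy accounts, decoy documents, decoy listener ports.
HONEY_ACCOUNTS = {"svc-backup-old", "adm_finance2"}
HONEY_FILES = {r"\\fileserver\finance\passwords.xlsx", "/srv/share/hr/salaries_2023.xlsx"}
HONEY_PORTS = {2222, 3390}


@dataclass(frozen=True)
class Alert:
    severity: str   # "medium" | "high" | "critical"
    kind: str       # which kind of landmine was stepped on
    indicator: str  # the decoy that was touched
    src: str        # source IP with any :port stripped, for correlation
    line: str       # raw evidence for the analyst


# Assumed log formats: a Windows-style logon event, a file-audit event, a decoy-listener event.
AUTH_RE = re.compile(r"EventID=(?P<eid>\d+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)")
FILE_RE = re.compile(r'FileAccess\s+path="(?P<path>[^"]+)"\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)')
PORT_RE = re.compile(r"Listener\s+port=(?P<port>\d+)\s+peer=(?P<src>\S+)")


def _ip(addr: str) -> str:
    """Strip a trailing :port so hits from one host correlate."""
    return addr.rsplit(":", 1)[0]


def check_line(line: str) -> Optional[Alert]:
    """Return an Alert if this log line touches a honeytoken, else None."""
    m = AUTH_RE.search(line)
    if m and m["user"].lower() in HONEY_ACCOUNTS:
        # A successful logon (4624) means the decoy credential is in use; a failure (4625)
        # still means someone discovered the account name.
        sev = "critical" if m["eid"] == "4624" else "high"
        return Alert(sev, "honey_account", m["user"], _ip(m["src"]), line)
    m = FILE_RE.search(line)
    if m and m["path"].lower() in {p.lower() for p in HONEY_FILES}:
        return Alert("high", "honey_file", m["path"], _ip(m["src"]), line)
    m = PORT_RE.search(line)
    if m and int(m["port"]) in HONEY_PORTS:
        return Alert("medium", "honey_port", m["port"], _ip(m["src"]), line)
    return None


def scan(lines: Iterable[str]) -> list[Alert]:
    """Run every line through the landmine checks, keeping only the hits."""
    return [a for a in (check_line(l) for l in lines) if a]


def noisy_sources(alerts: Iterable[Alert]) -> dict[str, set[str]]:
    """Group hits by source host. One host tripping several kinds of decoy is the
    strongest signal that this is reconnaissance rather than a stray misconfiguration."""
    out: dict[str, set[str]] = {}
    for a in alerts:
        out.setdefault(a.src, set()).add(a.kind)
    return out


# Constructed sample log: one host touches a decoy account, a decoy file and a decoy port.
SAMPLE_LOG = r"""
2024-04-02T10:01:12Z EventID=4624 user=alice src=10.0.1.5
2024-04-02T10:02:40Z EventID=4625 user=svc-backup-old src=10.0.9.77
2024-04-02T10:03:01Z FileAccess path="\\fileserver\finance\passwords.xlsx" user=bob src=10.0.9.77
2024-04-02T10:03:30Z Listener port=2222 peer=10.0.9.77:51234
2024-04-02T10:04:00Z EventID=4624 user=carol src=10.0.1.6
""".strip()


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for a in hits:
        print(f"[{a.severity}] {a.kind} {a.indicator} from {a.src}")
    for host, kinds in noisy_sources(hits).items():
        print(f"{host}: {len(kinds)} distinct landmines -> {sorted(kinds)}")
```

The grouping step is what turns a pile of medium alerts into a response trigger: a host that has tripped a decoy account, a decoy document and a decoy port in a few minutes is the SOAR case worth opening, and the raw `line` on each alert is the evidence the responder needs.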
When you’re done with the homegrown stuff, and you’re ready to justify the need for a full-coverage and lower maintenance solution, here are some of the top product vendors for deception tools:
https://cybertrap.com/en/deception-technology/