10 Hunting with deception
This chapter covers
- Using deception as a hunting tool
- Formalizing the hypotheses of deception-based threat-hunting plays
- Designing and deploying decoys and breadcrumbs
- Uncovering and tracking adversary activities
So far, we have relied on searching data or accessing systems to uncover initial clues. In this chapter, we take a different approach: we try to lure adversaries to what looks like exploitable services or exposed data. We place a few of these decoys and breadcrumbs in the network, hoping that they will attract active adversaries.
The chapter describes how to design and implement decoys, including planting accounts on Microsoft Windows hosts and deploying Microsoft’s Remote Desktop Services (RDS) on a few servers. We then conduct a threat-hunting expedition that starts by planting these decoys and continues by capturing and investigating interesting interactions between internal systems and a few of the connected decoys.
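The triage logic behind that expedition, as an added example that is not the book's own code: because nothing legitimate should ever use a planted account or log on to a decoy RDS server, any event that references one is a lead, and grouping those events by source host turns them into a list of internal systems to investigate. The decoy names, hostnames and the Windows Security events below are constructed for illustration.

```python
"""Triage constructed Windows Security events for touches on planted decoys."""
from collections import defaultdict

# Hypothetical decoy accounts planted on Windows hosts; no legitimate use is expected.
DECOY_ACCOUNTS = {"svc_backup_admin", "rds_helpdesk"}
# Hypothetical decoy RDS server; logon type 10 (RemoteInteractive) here is always a lead.
DECOY_RDS_HOSTS = {"RDS-FIN01"}

# Constructed sample events shaped like fields from 4624 (logon), 4625 (failed logon)
# and 4768 (Kerberos TGT request) records.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 2, "IpAddress": "10.1.1.20", "Computer": "WS-042"},
    {"EventID": 4625, "TargetUserName": "svc_backup_admin", "LogonType": 3, "IpAddress": "10.1.1.55", "Computer": "FS-01"},
    {"EventID": 4624, "TargetUserName": "rds_helpdesk", "LogonType": 10, "IpAddress": "10.1.1.55", "Computer": "RDS-FIN01"},
    {"EventID": 4768, "TargetUserName": "svc_backup_admin", "LogonType": None, "IpAddress": "10.1.1.55", "Computer": "DC-01"},
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "10.1.1.20", "Computer": "RDS-FIN01"},
]


def is_decoy_touch(ev):
    """An event naming a decoy account, or a remote-interactive logon to a decoy RDS host, is a lead."""
    if ev.get("TargetUserName", "").lower() in DECOY_ACCOUNTS:
        return True
    return ev.get("LogonType") == 10 and ev.get("Computer") in DECOY_RDS_HOSTS


def hunt(events):
    """Group decoy touches by source IP so each internal system is investigated as one unit."""
    leads = defaultdict(list)
    for ev in events:
        if is_decoy_touch(ev):
            leads[ev["IpAddress"]].append((ev["EventID"], ev["TargetUserName"], ev["Computer"]))
    return dict(leads)


def prioritize(leads):
    """Rank sources by how many distinct decoy artifacts they touched (wider probing first)."""
    return sorted(leads, key=lambda src: len({(u, h) for _, u, h in leads[src]}), reverse=True)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for src in prioritize(found):
        print(src, found[src])
```

Even a single touch is worth a ticket; the ranking only decides which internal host to look at first.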
10.1 No data? No problem!
As you continue to hunt, there may be cases in which you can’t access certain data or systems or the adversary has taken extra precautions to avoid leaving any noticeable traces. Deception (also referred to as active defense) can be very handy in such cases, allowing you to attract adversaries without relying on collecting too much data. To accomplish this task, you’ll need to prepare and strategically place traps in multiple locations in the network. Consider the following when operating a deception solution: