10 Hunting with Deception
This chapter covers
- How to use deception as a hunting tool.
- Formalizing the hypotheses of deception-based threat hunting plays.
- Designing and deploying threat hunting decoys and breadcrumbs.
- Practicing threat hunting with decoys to uncover and track adversary activities.
So far, we have relied on searching data or accessing systems to uncover initial clues. In this chapter, we take a different approach: we try to lure adversaries to what look like exploitable services or exposed data. We place a few of these decoys and breadcrumbs in the network, hoping they will attract active adversaries.
We describe how to design and implement decoys, including planting accounts on Microsoft Windows hosts and deploying the Microsoft Remote Desktop service on a few servers. We then conduct a threat hunting expedition that starts with planting these decoys and continues with capturing and investigating interesting interactions between internal systems and a few connected decoys.
10.1 No data? No problem!
As you continue to hunt, there may be instances where you cannot access certain data or systems, or where the adversary has taken extra precautions to avoid leaving noticeable traces. Deception, also referred to as active defense, can be very handy in such instances: it allows you to attract those adversaries without relying on collecting large amounts of data. To accomplish this, you need to prepare traps and strategically place them in multiple locations in the network.
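An added example, not code from the book, of the capture-and-investigate step that follows placing the traps: a small Python hunt that scans constructed Windows logon events for any use of a planted decoy account or any logon to a decoy RDP host, and groups the hits by source address so you can see which internal system is touching several decoys. The decoy account and host names are assumptions; the chapter does not name specific ones.

```python
import re
from collections import defaultdict

# Assumed decoy names; the chapter does not list specific ones.
DECOY_ACCOUNTS = {"svc_backup_old", "helpdesk_admin"}  # planted accounts (breadcrumbs)
DECOY_HOSTS = {"RDP-DECOY-01"}                         # servers running the decoy RDP service

# Constructed Windows Security events, flattened to key=value as a SIEM might
# forward them. EventID 4624 = logon succeeded, 4625 = logon failed;
# LogonType 3 = network, 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=jdoe LogonType=2 IpAddress=10.0.5.21 Computer=WS-021",
    "EventID=4625 TargetUserName=svc_backup_old LogonType=3 IpAddress=10.0.5.77 Computer=FS-01",
    "EventID=4625 TargetUserName=svc_backup_old LogonType=3 IpAddress=10.0.5.77 Computer=FS-02",
    "EventID=4624 TargetUserName=helpdesk_admin LogonType=10 IpAddress=10.0.5.77 Computer=RDP-DECOY-01",
    "EventID=4624 TargetUserName=asmith LogonType=10 IpAddress=10.0.5.30 Computer=RDP-DECOY-01",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def hunt_decoy_interactions(lines, accounts=DECOY_ACCOUNTS, hosts=DECOY_HOSTS):
    """Group every logon touching a decoy account or decoy host by source IP.
    Decoys have no legitimate use, so one hit is already a lead; grouping by
    source shows whether the same source is probing several decoys."""
    leads = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        user, host = ev.get("TargetUserName", ""), ev.get("Computer", "")
        why = []
        if user.lower() in accounts:
            why.append("decoy account")
        if host in hosts:
            why.append("decoy host")
        if not why:          # ordinary logon, not a lead
            continue
        leads[ev.get("IpAddress", "?")].append({
            "user": user, "host": host, "logon_type": ev.get("LogonType", "?"),
            "outcome": "success" if ev.get("EventID") == "4624" else "failure",
            "why": why,
        })
    return dict(leads)

def rank_sources(leads):
    """Order source IPs by the number of distinct (account, host) decoys they touched."""
    counts = {ip: len({(h["user"], h["host"]) for h in hits}) for ip, hits in leads.items()}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

On the sample events, 10.0.5.77 surfaces first because it failed against the planted account on two file servers and then logged on to the decoy RDP host with the second planted account; the ordinary logon from 10.0.5.21 never appears.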