Conceal and reveal both facts and fictions to support a deception story
Information Manipulation is used to support the deception story. Revealed facts and fictions can be used to adjust the adversary's trust in the environment. Concealed facts and fictions can be used to adjust the adversary's sense of uncertainty towards the environment. Revealed facts may include OS type and version, geographic location, hardware type and version, accounts, credentials, etc. Revealed fictions may include the content of decoy files, emails, messages, etc. Revealed facts and fictions may or may not be believed by the adversary.
If an adversary believes a revealed fact or fiction, it may lend credibility to the environment or encourage a specific action. If an adversary is suspicious or does not believe a revealed fact or fiction, it may erode adversary trust in the environment. For example, if the adversary discovers that a collection of legitimate passwords all contain the phrase "honeytoken" or "canarytoken" they may lose trust in the legitimacy of the environment, even if the credentials are real and valid in the enterprise network. Conversely, if the adversary checks the timestamps on various files on the target and finds timestamps going back multiple years, they may trust that the environment is legitimate even if, in reality, the files are new and the timestamps were falsified. In this way, revealed facts and fictions can be used to adjust the adversary's trust in the environment in ways that support the defender's goals.
Concealed facts may include virtualized systems disguised as physical systems, monitoring software, or collection efforts. Concealed fictions may include an encrypted, interestingly named decoy file or a partially deleted email thread referencing high-value, but decoy, assets. Concealed facts and fictions may or may not be discovered by the adversary. If the adversary discovers a concealed fact or fiction, it may increase the ambiguity of the environment and affect the adversary's sense of uncertainty.
For example, if an adversary discovers a hidden monitoring solution is deployed, they may feel less comfortable engaging with that specific target. Conversely, if the defender deploys a hidden monitoring solution with an intentional blind spot that the adversary discovers, the adversary may feel a decrease in ambiguity and take additional actions believing that they will be undetected. In this way, concealed facts and fictions can be used to adjust the ambiguity and affect the adversary's sense of uncertainty in ways that support the defender's goals.
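The credential and timestamp examples above describe two ways a revealed fact or fiction can give itself away. The following added example (not part of the MITRE Engage page) is a small defender-side audit that flags those giveaways in a planned set of decoy credentials and decoy file dates before they are deployed; the telltale word list and the 365-day and 7-day thresholds are assumptions to tune per engagement.

```python
import re
from datetime import date

# 'honey' and 'canary' cover the page's "honeytoken"/"canarytoken" example;
# 'decoy' and 'dummy' are assumed additions. Tune per engagement.
TELLTALE = re.compile(r"honey|canary|decoy|dummy", re.I)


def audit_credentials(creds):
    """Flag revealed-fact credentials (username, password) that would erode
    adversary trust: telltale words, or every password cut from one template."""
    findings = []
    for user, password in creds:
        if TELLTALE.search(user) or TELLTALE.search(password):
            findings.append(f"telltale token in credential for {user!r}")
    # Mask digits: 'Summer2023!' and 'Winter2022!' keep distinct shapes,
    # but 'Pass1234', 'Pass5678', ... collapse to one generator template.
    shapes = {re.sub(r"\d", "9", pw) for _, pw in creds}
    if len(creds) > 2 and len(shapes) == 1:
        findings.append("all passwords share one template")
    return findings


def audit_timestamps(mtimes, today, min_span_days=365, recent_days=7):
    """Flag a decoy file set whose modification dates (ISO strings) look
    freshly planted: too narrow a history, mostly recent, or in the future."""
    dates = [date.fromisoformat(d) for d in mtimes]
    now = date.fromisoformat(today)
    findings = []
    if not dates:
        return findings
    span = (max(dates) - min(dates)).days
    if span < min_span_days:
        findings.append(f"file history spans only {span} days")
    recent = sum(1 for d in dates if 0 <= (now - d).days < recent_days)
    if recent * 2 > len(dates):
        findings.append(f"{recent} of {len(dates)} files modified in the last {recent_days} days")
    if any(d > now for d in dates):
        findings.append("timestamp in the future")
    return findings


if __name__ == "__main__":
    # Constructed sample artifacts, not taken from any real environment.
    print(audit_credentials([("svc_backup", "Honeytoken2021!"),
                             ("jsmith", "Summer2023!"), ("admin", "Winter2022!")]))
    print(audit_timestamps(["2024-01-14", "2024-01-13", "2024-01-12"], today="2024-01-15"))
    print(audit_timestamps(["2019-06-01", "2021-11-20", "2023-12-15"], today="2024-01-15"))
```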
| ATT&CK® Tactics | Adversary Vulnerability Presented |
|---|---|
| Discovery, Collection, Defense Evasion, Execution | When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. |
| Discovery, Collection, Impact, Defense Evasion, Reconnaissance, Execution | When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. |
| Collection, Exfiltration, Discovery, Impact, Command and Control, Lateral Movement | When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. |
| Collection | When adversaries collect manipulated artifacts, they are vulnerable to revealing their presence when they use or move the artifacts elsewhere in the engagement environment. |
| Reconnaissance | When adversaries collect targeting information from open or closed data sources, they are vulnerable to being influenced by manipulated or misleading data. |
| Reconnaissance | When adversaries collect targeting information from open or closed data sources, they may reveal their targeting preferences. |
| Execution | When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user. |
| Defense Evasion | When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resources. |