2. “The more you know about the past, the better prepared you are for the future.” (Theodore Roosevelt)
3. “Gauge your opponent’s mind and send it in different directions. Make him think various things, and wonder if you will be slow or quick.” (Miyamoto Musashi, The Book of Five Rings)
15. Are apparent through differences in language…
Talks about:
• SQL injection
• Password cracking
• Phishing
• Port-scanning
• Patch management
Talks about:
• Squiblydoo
• AS-REP roasting
• Hot potato attacks
• SPN enumeration
• LocalAccountTokenFilterPolicy
• Unquoted service paths
• Process hollowing
• OLE embedded phishing
• LLMNR poisoning
• Bloodhound / user hunting
• DLL side loading
• GPP exploitation
• Time-stomping
20. Good deception blankets the kill chain
Assets covered by deception: Internet Assets, Active Directory Objects, Application Credentials, Files, Network Traffic, Endpoints, People, Servers, Applications
Kill chain stages: Reconnaissance, Data Exfiltration, Privilege Escalation, Exploitation, Lateral Movement
23. Chronology of an Attack - “The Double Cycle Pattern”
• Initial Intrusion: low privilege, normal user
• C2 and persist: establish remote control channel
• Privilege escalation #1: escalate to local administrator
• Lateral Movement: hunt domain administrators
• Privilege escalation #2: escalate to domain administrator
• Breach Complete: compromise targets and effect impact
24. “That was possibly the most frustrating experience in twelve years of pen-testing.”
27. Deception Strategy 101
• Threat model -> Deception stories
• Placement and density. Is less more?
• Blend-in vs. Stand-out
• Testing = Blind + Full-knowledge
• Intelligence-driven deception
• Response and negative signalling
28. The Golden Rules of Deception
• The Observer Effect in Deception
• The Half-life of Deception
• Kerckhoffs’ Principle in Deception
29. The Analysis Trifecta
Incident handling:
• What happened on the decoy?
• How did it happen on the endpoint?
• Where else did it happen in the network?
Sources:
• Deception alerts
• Decoy telemetry
• DFIR / triage
• Malware analysis
• Netflow / EP telemetry
• Threat Hunting
• SIEM correlation