How to Deceive Cyber-Attackers With a Kill Chain

Karen A. Frenkel

One way to defend against cyber-attackers is through deception. Gartner reveals ways to do this with a carefully structured series of feints along a “kill chain.”

Gartner Deceptive Response Kill Chain

Gartner describes a “kill chain” as several types of deceptions that are injected throughout the lifecycle of an attack. They trick an attacker into triggering a detection event, or disrupt segments of the attack kill chain.

Reconnaissance

Reconnaissance is the first stage of most attacks and it’s a good time to lie to the attacker, making it difficult for the intruder to identify potential services, applications, data or infrastructure components to exploit.

Weaponization

During weaponization, misdirect the attacker through deceitful application responses from emulated services. This delays the attacker's tool selection or diverts the attacker toward services that are not actually in use.

Deliver Phase

Use subterfuge to send unknown, suspicious or known malicious binaries to a deception zone, such as a network sandbox. There, the binary executes in a virtual environment that appears to be in use by a real user.

Exploitation Phase

Trick or disrupt exploitation depending on the target, and craft your response according to the type of malware and the attacker's behavior. At the network layer, for example, provide deceptive responses and fake the results of an exploit, or shunt the traffic to the deception decoy environment.

Installation Phase

Interrupt the installation phase by deceiving the malware into “believing” it is running in a virtual environment, or make the malware “believe” it has written files that it has not.

Command Phase

The most common deception approach at this stage is to redirect command-and-control traffic to socket servers in order to understand the communication protocol the botnet uses. Botnets can then be taken down by deceiving the agent itself, issuing it commands of the defender's choosing.

Act Phase

Make attackers believe they have received valid credentials, or have explored real endpoint systems and are seeing real, sensitive data.

The Power of Fake Credentials

By turning attackers' trust against them, defenders increase detection and delay their efforts, raising the attackers' costs; providing an attacker with faked credentials can delay them for a week.
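Fake credentials only pay off if their use is noticed. The following is an added example, not code from the article or from Gartner, showing the detection side of the Act Phase: a scanner that reads sshd-style authentication log lines and raises an alert whenever a planted decoy account is touched. The decoy account names, the log lines and the log format are all constructed for this example; a real deployment would feed the same logic from its own log pipeline.

```python
import re
from dataclasses import dataclass

# Assumed decoy account names planted in the environment (constructed for this example).
# Nobody legitimate ever logs in with these, so any attempt is a high-fidelity signal.
HONEY_ACCOUNTS = {"svc_backup_legacy", "dbadmin_ro", "finance-share"}

# Constructed sample log in an sshd-like format; not taken from the article.
SAMPLE_LOG = """\
Jan 14 02:11:07 fileserver sshd[4121]: Accepted password for alice from 10.0.4.22 port 51022 ssh2
Jan 14 02:13:45 fileserver sshd[4180]: Failed password for svc_backup_legacy from 10.0.9.8 port 40311 ssh2
Jan 14 02:13:49 fileserver sshd[4180]: Accepted password for svc_backup_legacy from 10.0.9.8 port 40311 ssh2
Jan 14 02:20:02 fileserver sshd[4203]: Accepted publickey for bob from 10.0.4.31 port 50201 ssh2
Jan 14 02:25:10 fileserver sshd[4250]: Invalid user dbadmin_ro from 10.0.9.8 port 40390
"""

# Two line shapes: a completed auth attempt, and sshd's "Invalid user" notice for
# accounts that do not exist locally (a decoy may intentionally not exist).
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<src>\S+)")


@dataclass(frozen=True)
class HoneytokenAlert:
    user: str      # decoy account that was touched
    src: str       # source address of the attempt
    outcome: str   # Accepted / Failed / Invalid
    line: str      # original log line, kept for the analyst


def parse_line(line):
    """Return (user, src, outcome) for a recognised sshd line, else None."""
    m = AUTH_RE.search(line)
    if m:
        return m["user"], m["src"], m["outcome"]
    m = INVALID_RE.search(line)
    if m:
        return m["user"], m["src"], "Invalid"
    return None


def scan_auth_log(log_text, honey_accounts=HONEY_ACCOUNTS):
    """Alert on every line that references a decoy account, regardless of outcome.

    A failed attempt is as interesting as a success: the attacker has already
    harvested the fake credential and is trying it.
    """
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, src, outcome = parsed
        if user in honey_accounts:
            alerts.append(HoneytokenAlert(user, src, outcome, line))
    return alerts


def sources_touching_honeytokens(alerts):
    """Group alerts by source address so one host probing several decoys stands out."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, set()).add(a.user)
    return by_src


if __name__ == "__main__":
    found = scan_auth_log(SAMPLE_LOG)
    for a in found:
        print(f"HONEYTOKEN {a.outcome:<8} user={a.user} src={a.src}")
    for src, users in sources_touching_honeytokens(found).items():
        print(f"{src} touched decoys: {sorted(users)}")
```

Note that the detector keys on the account name, not on whether the login succeeded: the moment a decoy name appears in an auth log, the credential has leaked and someone is acting on it, which is exactly the trigger the deceptive kill chain is designed to produce.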
