One of the most effective ways to learn from the different threat actors that are attacking your network is to set up and utilize deception and disruption technologies.

Tactics, Techniques, and Procedures (TTPs)
- Specific methods and patterns of activities or behaviors associated with a particular threat actor or group of threat actors

Deception and Disruption Technologies
- Technologies designed to mislead, confuse, and divert attackers from critical assets while simultaneously detecting and neutralizing threats
- Honeypots
  - Decoy system or network set up to attract potential hackers
- Honeynets
  - Network of honeypots combined into a more complex system that is designed to mimic an entire system of systems
- Honeyfiles
  - Decoy file placed within a system to lure in potential attackers
- Honeytokens
  - Piece of data or a resource that has no legitimate value or use but is monitored for access or use, so any touch is a high-confidence indicator

Some disruption technologies and strategies to help secure enterprise networks:
- Bogus DNS entries
  - Fake Domain Name System entries introduced into your system's DNS server; no legitimate client should ever resolve them, so queries for them indicate reconnaissance
- Creating decoy directories
  - Fake folders and files placed within a system's storage
- Dynamic page generation
  - Effective against automated scraping tools or bots trying to index or steal content from your organization's website
- Use of port triggering to hide services
  - Port Triggering
    - Security mechanism where specific services or ports on a network device remain closed until a specific outbound traffic pattern is detected
- Spoofing fake telemetry data
  - When a system detects a network scan being attempted by an attacker, it can be configured to respond by sending out fake telemetry or network data
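The common thread in honeyfiles, honeytokens, decoy directories, and bogus DNS entries is that no legitimate activity should ever touch them, so a single hit is worth an alert. The following is an added example (not part of these notes) of detection logic that scans audit, DNS, and authentication log lines for access to such decoys and attributes each hit to the user or source address involved. The decoy inventory, the log line formats, and the sample log lines are all constructed for illustration.

```python
"""Deception-asset alerting: flag any log line that touches a decoy."""
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical inventory of deployed deception assets. A real deployment
# would load this from the deception platform; these values are constructed.
DECOYS = {
    "honeyfile": {"/srv/finance/payroll_2023.xlsx", "/home/admin/.ssh/backup_key"},
    "decoy_dir": {"/srv/finance/archive_old"},      # nobody should browse here
    "honeytoken": {"svc_backup_decoy"},             # account with no real use
    "bogus_dns": {"vault-backup.corp.example"},     # name with no real host
}

# Constructed log formats (file audit, DNS query log, auth log).
FILE_RE = re.compile(r"type=OPEN user=(?P<user>\S+) path=(?P<path>\S+)")
DNS_RE = re.compile(r"dns query client=(?P<client>\S+) name=(?P<name>\S+)")
AUTH_RE = re.compile(r"auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)")


@dataclass(frozen=True)
class Alert:
    kind: str        # which decoy category was touched
    indicator: str   # the decoy itself (path, name, account)
    actor: str       # user or source address to attribute the hit to
    line: str        # raw log line for the analyst


def check_line(line: str):
    """Return an Alert if the line touches a decoy, else None."""
    m = FILE_RE.search(line)
    if m:
        path, user = m.group("path"), m.group("user")
        if path in DECOYS["honeyfile"]:
            return Alert("honeyfile", path, user, line)
        for decoy_dir in DECOYS["decoy_dir"]:
            # Anything inside the decoy directory counts, not just the directory.
            if path == decoy_dir or path.startswith(decoy_dir + "/"):
                return Alert("decoy_dir", decoy_dir, user, line)
        return None

    m = DNS_RE.search(line)
    if m:
        # Normalize: DNS names are case-insensitive and may carry a trailing dot.
        name = m.group("name").rstrip(".").lower()
        if name in DECOYS["bogus_dns"]:
            return Alert("bogus_dns", name, m.group("client"), line)
        return None

    m = AUTH_RE.search(line)
    if m and m.group("user") in DECOYS["honeytoken"]:
        # A failed attempt is just as interesting: the credential was leaked.
        return Alert("honeytoken", m.group("user"), m.group("src"), line)
    return None


def scan_logs(text: str):
    """Run check_line over every line of a log blob, keeping only hits."""
    return [a for a in (check_line(l) for l in text.splitlines()) if a]


def actors_by_hits(alerts):
    """Count decoy hits per actor; repeat offenders float to the top."""
    return Counter(a.actor for a in alerts)


# Constructed sample logs: one benign line per source mixed with decoy hits.
SAMPLE_LOGS = """\
type=OPEN user=alice path=/srv/finance/budget_q3.xlsx
type=OPEN user=bob path=/srv/finance/payroll_2023.xlsx
dns query client=10.0.4.17 name=intranet.corp.example.
dns query client=10.0.4.17 name=VAULT-BACKUP.corp.example.
auth fail user=svc_backup_decoy src=10.0.4.17
type=OPEN user=bob path=/srv/finance/archive_old/ledger.csv
auth ok user=alice src=10.0.2.5
"""

if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for a in hits:
        print(f"[{a.kind}] actor={a.actor} indicator={a.indicator}")
    print("hits per actor:", dict(actors_by_hits(hits)))
```

The detector deliberately does not try to decide whether a hit is "bad": because the decoys have no legitimate use, every hit is escalated, and the per-actor count is what ties a DNS lookup, a leaked service account, and a file read back to one likely intruder.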