Python for active defense: Decoys

Infosec Institute - 

The MITRE ATT&CK framework is probably the best-known of the MITRE Corporation’s cybersecurity resources; however, it is focused on the offensive side of cybersecurity. The MITRE Shield framework is a recent project focused on active defense.

Like the MITRE ATT&CK framework, MITRE Shield is organized into tactics (operational objectives) and techniques (methods for achieving these objectives). The difference is instead of describing how cyberattacks are performed, Shield describes ways in which defenders can act against cyberthreats.

One aspect of active defense is the use of deception. MITRE Shield describes various means by which decoys can be used to mislead and trick an attacker.

Decoy processes for active defense

Processes are running applications on a computer. The processes running on a system are of extreme interest to both an attacker and a defender. One might be looking for antivirus or other security solutions, while the other is checking for suspicious and potentially malicious programs on a computer.

Decoy processes

In MITRE Shield, decoy processes can be used for a couple of different purposes. They’re explicitly mentioned as part of the channel and legitimize tactics within the framework.

These processes can be used to trick an attacker into taking certain actions,

Read More: