The red teamer’s guide to deception
In the current state of the IT industry, compromising the critical assets of a Fortune 500 company is usually only a matter of time for competent red teams.
Despite EDRs improving at blocking commodity malware infections, reasonably sophisticated attackers who achieve initial execution stand a good chance of achieving their objectives. A significant contributing factor is that the later stages of an attack have far fewer reliable detections.
This problem is complex, and while there is no silver bullet, we aim to highlight an underutilized defence mechanism that significantly challenges our work as red teamers:
Internal Honeypots – often marketed as deception technologies or canaries – are intentional traps set for attackers.
In this presentation, we will share our deception strategy designed to intercept the few threats that bypass initial defences. We will outline the high-level principles we follow. Additionally, we’ll provide guidance on the strategic deployment of honeypots to maximize detection capabilities while minimizing rollout complexity and cost.
Our experience with past engagements has often revealed ineffective deception deployments. Sometimes, the traps were easily identifiable, while other times they were concealed so well that attackers would not encounter them.
To help you circumvent these pitfalls, we will discuss common mistakes in deception strategies and how to avoid them.
Although many of the techniques we will discuss are not secretive or highly complex, we are excited to introduce a novel honeypot technique from our research lab – the honeypot we always wanted to have.
This research was performed by the SRLabs Red Team and will be presented by two of its members.