Cyber Deception Series: Intro and Canary Accounts

  • February 2, 2026
Introduction


Cyber deception is a proactive defense strategy that deploys decoy assets (canaries, honeypots, honeytokens) throughout your environment to detect adversary presence. Unlike traditional security tools that rely on signatures or known malicious behavior, deception techniques detect attackers by monitoring access to resources that have no legitimate business purpose.

Key Principle: Any interaction with a canary asset is inherently suspicious because legitimate users and processes have no reason to access them.



Why Cyber Deception?


Limitations of Traditional Security Tools

Traditional Tool | Limitation
Antivirus/EDR    | Relies on signatures; can be bypassed with custom malware
Firewalls        | Cannot detect lateral movement within trusted networks
IDS/IPS          | Generates false positives; misses novel attack techniques
SIEM             | Only as good as the logs collected; alert fatigue


Advantages of Cyber Deception

  • Low False Positive Rate: Canaries have no legitimate use, so any access is suspicious
  • Detects Unknown Threats: Works against zero-days, custom malware, and living-off-the-land techniques
  • Early Warning System: Detects reconnaissance and lateral movement early in the kill chain
  • Attacker Attribution: Provides insight into attacker TTPs and objectives
  • Cost Effective: Minimal infrastructure and maintenance requirements
  • Works Against Insider Threats: Detects both external attackers and malicious insiders


Prerequisites


Required Permissions

Environment                      | Required Role
Domain Controller                | Domain Admin or Enterprise Admin
Domain-Joined Server/Workstation | Local Administrator + Domain privileges for auditing
Standalone Server/Workstation    | Local Administrator


Tools Needed

  • PowerShell (Run as Administrator)
  • Active Directory Users and Computers (ADUC) - Domain environments
  • Group Policy Management Console (GPMC) - Domain environments
  • Local Security Policy (secpol.msc) - Standalone systems
  • Advanced Security Audit Policy Configuration


Canary Accounts


Canary accounts are fake user accounts designed to attract attackers performing credential harvesting, enumeration, or lateral movement.

Naming Strategy

Choose names that appear valuable to attackers:

svc_backup
svc_sql
admin_temp
helpdesk_admin
svc_scanner
IT_Admin
Domain_Admin_Backup
svc_azure_sync
emergency_admin

Domain Environment Setup


Creating the Canary Account

# Import Active Directory module
Import-Module ActiveDirectory

# Create canary account with enticing properties
New-ADUser -Name "svc_backup" `
    -SamAccountName "svc_backup" `
    -UserPrincipalName "svc_backup@domain.local" `
    -Description "Backup Service Account - DO NOT DELETE" `
    -DisplayName "Backup Service Account" `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -AccountPassword (ConvertTo-SecureString "C0mpl3x_P@ssw0rd_2024!" -AsPlainText -Force) `
    -Path "OU=Service Accounts,DC=domain,DC=local"

# Add to a group that looks enticing. Note that Backup Operators is a privileged
# built-in group, so keep the account unusable (see the next section) or use a
# custom group with an attractive name and no real rights.
Add-ADGroupMember -Identity "Backup Operators" -Members "svc_backup"

# Set additional attributes to make it look valuable
Set-ADUser -Identity "svc_backup" -Add @{
    'adminDescription' = 'Critical backup infrastructure account'
    'info'             = 'Contact IT Security before modifying'
}


Making the Account Discoverable (But Not Usable)

# Option 1: Disable the account but keep it visible
Disable-ADAccount -Identity "svc_backup"

# Option 2: Restrict logon to a single host the account will never log on to
# (replace with the name of one of your domain controllers)
Set-ADUser -Identity "svc_backup" -LogonWorkstations "YOURDOMAINCONTROLLER"

# Option 3: Set the account expiration date in the past
# (account still exists and is enumerable, but can't authenticate)
Set-ADAccountExpiration -Identity "svc_backup" -DateTime (Get-Date).AddDays(-1)


Standalone/Workgroup Environment Setup

# Create local canary account
$Password = ConvertTo-SecureString "C0mpl3x_P@ssw0rd_2024!" -AsPlainText -Force
New-LocalUser -Name "svc_backup" `
    -Password $Password `
    -Description "Backup Service Account" `
    -PasswordNeverExpires $true `
    -UserMayNotChangePassword $true

# Add to Administrators group (for attractiveness)
Add-LocalGroupMember -Group "Administrators" -Member "svc_backup"

# Disable the account
Disable-LocalUser -Name "svc_backup"


Auditing Canary Account Access


Configure SACL on the Account (Domain)

# Get the canary account
$CanaryAccount = Get-ADUser -Identity "svc_backup"
$CanaryDN = $CanaryAccount.DistinguishedName

# Get the current ACL, including the existing SACL (-Audit), so that
# existing audit entries are preserved when we write it back
$ACL = Get-Acl "AD:\$CanaryDN" -Audit

# Create an audit rule: log every successful read of this object by Everyone
$AuditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    [System.Security.Principal.SecurityIdentifier]"S-1-1-0",   # Everyone
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)

# Add the audit rule and write the ACL back
$ACL.AddAuditRule($AuditRule)
Set-Acl "AD:\$CanaryDN" $ACL
Write-Host "SACL configured for canary account: $CanaryDN"

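Once the SACL is in place, the payoff is the alert: as an added example (not code from the original post), the following PowerShell pulls the events a canary account should generate and flags any that name one. It assumes it runs elevated on a domain controller and that the canary names listed match the accounts you created.

```powershell
# Added example (not from the original post): hunt the Security log on a DC for
# events that name a canary account. Assumes it runs elevated on a domain
# controller, where 4768/4771/4662 are logged, and that the canary names below
# match the accounts you created. Assumption: 4662 only fires from the SACL if
# the "Directory Service Access" subcategory is enabled; verify it first with
#   auditpol /get /subcategory:"Directory Service Access"
$CanaryAccounts = @('svc_backup', 'svc_sql', 'admin_temp', 'helpdesk_admin')
$LookbackHours  = 24

# Event IDs worth correlating with a canary name:
#   4662 - operation on an AD object (the SACL above)
#   4768 - Kerberos TGT requested          4771 - Kerberos pre-auth failed
#   4769 - Kerberos service ticket         4625 - logon failure
#   4720/4722/4724/4738 - account created/enabled/password reset/changed
$EventIds = 4662, 4768, 4769, 4771, 4625, 4720, 4722, 4724, 4738

$Filter = @{
    LogName   = 'Security'
    Id        = $EventIds
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

$Hits = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten EventData so every field is searched, not just the localized message
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $values = $data.Values -join ' '
    foreach ($canary in $CanaryAccounts) {
        # Match the bare name, DOMAIN\name, name@domain, or CN=name in a DN
        if ($values -match "(^|[\\@,=\s])$([regex]::Escape($canary))([@\s,]|$)") {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                EventId  = $_.Id
                Canary   = $canary
                Subject  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                SourceIp = $data['IpAddress']
                Computer = $_.MachineName
            }
        }
    }
}

if ($Hits) {
    Write-Warning "Canary account interaction detected: $(@($Hits).Count) event(s)"
    $Hits | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host "No canary account activity in the last $LookbackHours hour(s)."
}
```

Any row in the output is worth an incident ticket: the Subject and SourceIp columns tell you which principal and host touched an account that nobody should ever use.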

GUI Method for SACL Configuration

  1. Open Active Directory Users and Computers
  2. Enable View > Advanced Features
  3. Right-click the canary account > Properties > Security > Advanced
  4. Go to the Auditing tab
  5. Click Add and configure:
    • Principal: Everyone
    • Type: Success
    • Applies to: This object only
    • Permissions: Read all properties, Read permissions