Decoy User Credential
A Credential created for the purpose of deceiving an adversary.
How it works
A detection analytic is developed to determine when a user uses decoy credentials. Subsequent actions by that user may be monitored or controlled by the defender.
A credential may be:
- Domain username and password
- Local system username and password
Considerations
- Decoy credentials should be integrated with a larger decoy environment to ensure that when decoy credentials are compromised, the credentials are used to interact with a decoy asset that is being monitored.
- Continuous maintenance and updates are needed to ensure the legitimacy of the larger decoy environment and specifically the assets that utilize the decoy credentials.
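A sketch of the detection analytic described under "How it works", as an added example that is not part of the original article: it flags any authentication that names a decoy account, rates it higher when the target is not a decoy asset, and then reports later activity from the same source. The account names, asset names, event fields and severity labels are assumptions, and the log lines are constructed.

```python
import json

# Assumed inventory (hypothetical names), stored lower-case because Windows
# account names compare case-insensitively.
DECOY_ACCOUNTS = {"svc_ftp_backup", "localadmin2"}
DECOY_ASSETS = {"ftp-decoy-01", "fs-decoy-02"}

# Constructed sample authentication events, one JSON object per line.
SAMPLE_EVENTS = """
{"ts": "2024-05-01T10:00:02Z", "src": "10.0.4.17", "user": "alice", "target": "fs-prod-01", "result": "success"}
{"ts": "2024-05-01T10:03:41Z", "src": "10.0.9.33", "user": "SVC_FTP_BACKUP", "target": "ftp-decoy-01", "result": "success"}
{"ts": "2024-05-01T10:04:10Z", "src": "10.0.9.33", "user": "bob", "target": "fs-prod-02", "result": "failure"}
{"ts": "2024-05-01T10:09:55Z", "src": "10.0.7.8", "user": "LocalAdmin2", "target": "hr-prod-03", "result": "failure"}
{"ts": "2024-05-01T10:12:00Z", "src": "10.0.4.17", "user": "alice", "target": "fs-prod-01", "result": "success"}
"""


def analyze(lines):
    """Return (alerts, watched): alerts in event order, watched maps source -> first decoy use."""
    alerts, watched = [], {}
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["user"].lower() in DECOY_ACCOUNTS:
            # No legitimate user holds a decoy credential, so a failed attempt
            # is as significant as a successful one.
            on_decoy = ev["target"] in DECOY_ASSETS
            alerts.append({
                "kind": "decoy_credential_use",
                # Use against a non-decoy asset means the credential left the
                # monitored decoy environment.
                "severity": "medium" if on_decoy else "high",
                "src": ev["src"], "user": ev["user"], "target": ev["target"], "ts": ev["ts"],
            })
            watched.setdefault(ev["src"], ev["ts"])
        elif ev["src"] in watched:
            # Subsequent actions from a source that used a decoy credential.
            alerts.append({"kind": "followup_activity", "severity": "medium",
                           "src": ev["src"], "user": ev["user"], "target": ev["target"], "ts": ev["ts"]})
    return alerts, watched


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS.splitlines())[0]:
        print(json.dumps(alert))
```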
The following references were used to develop the Decoy User Credential knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Decoy and deceptive data object technology
Decoy network-based service for deceiving attackers
MITRE analysis was not found.
System and method for identifying the presence of malware using mini-traps set at network endpoints
Questionable or all files (as determined by the enterprise) are forwarded to the decoy network. Using a manager node user interface, you can set up fake information (e.g., the IP address of a decoy FTP server) and deploy decoy physical or virtual endpoints.