Deception Technology
5 automated security scanners
Decoy Document Tracking
Purpose: The Decoy Document Tracking Scanner analyzes decoy document deployment by identifying the tracking methods used within documents. It detects and reports on the presence of document tracking platforms, canary tokens, watermarking systems, breadcrumb trails, and other deceptive practices whose public disclosure could be exploited by adversaries.
What It Detects:
- Document Tracking Detection: Identifies if a domain is using any known document tracking services or technologies.
- Canary Token Services: Checks for the presence of canary tokens, specifically looking for Thinkst Canary and canarytokens.org references.
- Document Watermarking: Detects the use of watermarks within documents to track their usage.
- Tracking Technology Stack: Identifies the vendors and technologies used in document tracking.
- Deployment Indicators: Tests for the disclosure of deployment details that could indicate ongoing tracking activities.
Inputs Required:
domain (string): A fully qualified domain name (e.g., ekkatha.com), required to perform the scan on a specific website or service.
Business Impact: Document tracking exposure poses significant risks as it can lead to unauthorized access, data leakage, and strategic information disclosure. Publicly disclosed canary tokens reduce their effectiveness in detecting intrusions, while exposed tracking systems enable adversaries to use evasion techniques. Visible watermarking alerts potential thieves, and the disclosure of breadcrumbs allows attackers to filter out deceptive documents.
Risk Levels:
- Critical: If document tracking capabilities are publicly disclosed through endpoints like canary tokens or detailed deployment claims, this poses a critical risk as it significantly compromises security measures.
- High: The detection of any form of document tracking technology without explicit user consent indicates a high risk level, especially if it involves unauthorized access to sensitive information.
- Medium: Exposure of potential tracking technologies and endpoints that could be used for monitoring but not yet confirmed can be considered medium risk, depending on the context and sensitivity of the data being tracked.
- Low: Informational findings about deployment claims or minor exposure through non-critical services are considered low risk unless they indicate a broader pattern of unauthorized access or tracking activities.
Example Findings:
- “The domain ekkatha.com is actively using Thinkst Canary for document tracking, which poses a critical risk as it allows full visibility into any intrusions.”
- “The website exposes multiple endpoints used for document tracking, including ‘/canary’ and ‘/tracking’, indicating a high risk of unauthorized access to sensitive information.”
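The example below is an added illustration of how a scanner of this kind can turn fetched page content into findings with the risk levels listed above; it is not the product's own code. The indicator lists and sample page are constructed, and the severity mapping (service references and linked endpoints as critical, other tracking technology as high, bare deployment claims as low) is an assumption based on the Risk Levels list. The same keyword-and-severity structure applies to the other four scanners on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample of a fetched page (not real site content): it names a canary
# service, links to tracking endpoints and makes a deployment claim.
SAMPLE_PAGE = """
<p>Our sensitive files are protected with Thinkst Canary tokens.</p>
<a href="/canary/report">Canary report</a> <a href="/tracking/status">Tracking</a>
<p>Every contract PDF carries a document watermark. Decoy documents are placed
in each shared drive.</p>
"""

# Indicator lists drawn from the scanner description; extend as needed.
CANARY_SERVICES = ("thinkst canary", "canarytokens.org")
TRACKING_ENDPOINTS = ("/canary", "/tracking")
TRACKING_TERMS = ("document tracking", "watermark")
DEPLOYMENT_CLAIMS = ("decoy document", "breadcrumb")

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    check: str     # which detection fired
    evidence: str  # the matched indicator or link
    risk: str      # risk level on the scanner's scale

def scan_document_tracking(page_text: str) -> list[Finding]:
    """Return findings for one fetched page, most severe first."""
    text = page_text.lower()
    findings = []
    # Canary token services named in public content: the tokens lose value once known.
    for svc in CANARY_SERVICES:
        if svc in text:
            findings.append(Finding("canary_token_service", svc, "critical"))
    # Tracking endpoints exposed as real links; a path mentioned in prose is not counted.
    for href in re.findall(r'href="([^"]+)"', text):
        for ep in TRACKING_ENDPOINTS:
            if href.startswith(ep):
                findings.append(Finding("tracking_endpoint", href, "critical"))
    # Any other document tracking technology disclosed.
    for term in TRACKING_TERMS:
        if term in text:
            findings.append(Finding("tracking_technology", term, "high"))
    # Deployment claims on their own are informational.
    for claim in DEPLOYMENT_CLAIMS:
        if claim in text:
            findings.append(Finding("deployment_claim", claim, "low"))
    return sorted(findings, key=lambda f: SEVERITY[f.risk], reverse=True)

def overall_risk(findings: list[Finding]) -> str:
    """The page's overall risk is its single highest finding; 'info' when nothing matched."""
    return findings[0].risk if findings else "info"
```

Running `scan_document_tracking(SAMPLE_PAGE)` yields three critical findings, one high and one low, so the page as a whole rates critical.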
Honeypot Effectiveness
Purpose: The Honeypot Effectiveness Scanner assesses the effectiveness of honeypot deployments by evaluating the aspects that can reveal information about a deployment’s exposure, type, architecture, and operational indicators. It identifies the risks of public disclosure of honeypot infrastructure, which increases exposure to attackers and hinders effective security operations.
What It Detects:
- Honeypot Platform Detection: Identifies mentions of honeypot software or frameworks within the target domain’s content.
- Honeypot Type Identification: Determines whether the honeypot is low-interaction, high-interaction, network, application, or database based on textual references.
- Deployment Architecture Exposure: Uncovers details about where and how the honeypot is deployed, including any distributed setups or mentions of specific deployment topologies.
- Technology Stack Fingerprints: Detects the use of common honeypot technologies such as Cowrie, Dionaea, Kippo, and others, as well as identifies proprietary or custom implementations.
- Operational Indicators: Checks for indicators of monitoring, alert generation, threat intelligence integration, and analysis capabilities related to the honeypot deployment.
Inputs Required:
domain (string): The fully qualified domain name (e.g., ekkatha.com) that is being evaluated.
Business Impact: Honeypots are critical components of a defense-in-depth strategy, as they can provide valuable insights into attacker behavior and techniques. Public disclosure of honeypot infrastructure not only compromises the effectiveness of these systems but also risks revealing sensitive operational details that could be exploited by adversaries to bypass security measures.
Risk Levels:
- Critical: Exposure of specific honeypot technologies or detailed deployment architecture, which aids in attacker research and evasion techniques.
- High: General mentions of honeypot platforms without specific technology identification, but still indicative of potential exposure.
- Medium: Indirect references to honeypot operations that do not directly compromise security but suggest ongoing engagement with potentially deceptive infrastructure.
- Low: Informal or non-specific references that are unlikely to reveal sensitive operational details.
- Info: Minimal or purely informational mentions that have minimal impact on the overall risk assessment.
Example Findings:
- The domain reveals specific references to “Cowrie” honeypot software, indicating a known deployment of this technology for deception purposes.
- Mention of “honeyfarm” in the documentation suggests a distributed or clustered honeypot setup that could be used to enhance security monitoring and analysis capabilities while maintaining operational secrecy.
Honeytoken Deployment
Purpose: The Honeytoken Deployment Scanner analyzes honeytoken deployment strategies by identifying token-based deception systems, assessing credential trap usage, detecting fake data deployment, and evaluating weaknesses in honeytoken operational security that could expose deception tactics to adversaries. It helps organizations understand the risks of publicly exposing honeytokens and take appropriate measures to secure their digital assets.
What It Detects:
- Honeytoken Platform Detection: Identifies the presence of honeytoken services, credential trap systems, fake data deployment, and token tracking platforms that might reveal deception tactics.
- Token Type Identification: Checks for the use of credential honeytokens, API key traps, database record tokens, file-based honeytokens, and network share tokens which are indicative of potential deception.
- Token Tracking Services: Detects the usage of Thinkst Canary and canarytokens.org, as well as custom token platforms that could be used to track sensitive information.
- Deployment Strategy Exposure: Evaluates whether claims about token placement, distribution, and coverage disclose details that might aid adversaries in identifying honeytokens.
- Integration Indicators: Tests for SIEM integration, alert routing references, incident response integration, threat intelligence feeds, and token analytics platforms that could expose sensitive information or operational weaknesses.
Inputs Required:
domain (string): A fully qualified domain name (e.g., ekkatha.com) that is the target of the honeytoken analysis.
Business Impact: Honeytoken exposure can lead to significant security risks, including public token disclosure that enables attackers to filter and exploit systems more effectively, exposed token systems allowing evasion techniques, reduced effectiveness of credential traps due to visibility, platform fingerprints aiding adversary bypass, and deployment details enabling honeytoken identification. These factors highlight the importance of proactive monitoring and securing honeytokens to protect sensitive information and operational security.
Risk Levels:
- Critical: Exposure of any type of token or detailed deployment strategy that could be exploited by adversaries in real-time scenarios.
- High: Public disclosure of tokens, which may lead to unauthorized access attempts or data theft if not mitigated promptly.
- Medium: Exposure of specific types of tokens (e.g., API keys) and initial indicators of deployment strategies that might suggest further exposure if not addressed.
- Low: General references to token tracking platforms without detailed information; these could be used for real-time threat detection but do not pose an immediate risk.
- Info: Informal mentions or non-specific references that do not directly indicate a security risk but may warrant further investigation for informational purposes.
Example Findings:
- The domain ekkatha.com publicly discloses honeytoken deployment strategies, including the use of Thinkst Canary tokens and explicit claims about token placement which could be exploited by adversaries.
- A hypothetical organization’s database exposes sensitive information through a file-based honeytoken that was not properly secured, posing a risk to both data integrity and operational security.
Active Defense Measures
Purpose: The Active Defense Measures Scanner assesses an organization’s active defense capabilities by evaluating its exposure of deception technology, identifying claims about active defense measures, and examining the weaknesses that adversaries could exploit through offensive security tactics. It uncovers weaknesses in defensive posture, revealing areas for proactive threat hunting and for improving overall operational security.
What It Detects:
- Deception Technology Detection: The scanner identifies the presence of deception technology platforms used by vendors such as Attivo, TrapX, and Illusive. It also checks for mentions of honeypots, honeytokens, canary tokens, decoy systems, and breadcrumb trails that might indicate active defense measures in place.
- Active Defense Claims: The scanner verifies the authenticity of claims about threat engagement, offensive security tactics, counter-threat operations, and defensive countermeasures. It also tests for mentions of active defense marketing strategies that could alert sophisticated adversaries to potential vulnerabilities.
- Countermeasure Disclosure: By identifying systems designed to automatically respond to threats or disrupt attacks, the scanner helps in uncovering the existence of automated response mechanisms and attack deflection claims.
Inputs Required:
domain (string): A fully qualified domain name (e.g., ekkatha.com) representing the target organization’s website for analysis.
Business Impact: The exposure of active defense measures, particularly through public disclosure of deception systems and details about defensive countermeasures, can significantly reduce the effectiveness of these defenses against sophisticated cyber threats. This not only compromises real-time security but also potentially exposes organizations to long-term strategic vulnerabilities that could be exploited by adversaries for future attacks.
Risk Levels:
- Critical: Exposure of active defense measures through public disclosure or detailed documentation, which significantly reduces the effectiveness of these defenses and enables attacker evasion strategies.
- High: Public mention of deception technology platforms without proper obfuscation mechanisms, which could be exploited by adversaries to bypass defensive systems.
- Medium: Claims about active defense that are not substantiated with concrete evidence, indicating potential marketing efforts rather than effective operational security practices.
- Low: Minimal disclosure of active defense elements in the public domain, suggesting a lower risk but still requiring vigilance for emerging threats and vulnerabilities.
- Info: Informational findings regarding the existence of defensive countermeasures or claims about active defense that do not pose immediate risks but are indicative of ongoing efforts to enhance security posture.
Example Findings:
- The organization inadvertently exposes a public API endpoint that reveals details about its active defense strategy, including deployment locations and operational scope.
- Marketing materials for the organization’s products falsely claim advanced active defense capabilities without substantiating these claims with actual defensive measures or mechanisms in place.
Network Deception
Purpose: The Network Deception Scanner analyzes network-based deception by identifying content that could reveal decoy networks, decoy services, network honeypots, and related components. It detects disclosures that would let adversaries avoid publicly described decoy networks, filter out exposed decoy services, discount visible network honeypots, evade detection using fingerprints of decoy infrastructure, or map deception topologies.
What It Detects:
- Decoy Network Detection: Identifies references to decoy networks, detects claims about decoy infrastructure, checks for shadow IT deception, tests deployment of decoy subnets, and flags any network exposure related to deception.
- Decoy Service Deployment: Checks for references to decoy services, detects deployed decoy applications, verifies monitoring of unused ports, identifies claims about decoy endpoints, and tests the presence of decoy protocol services.
- Network Honeypot Indicators: Identifies deployment of network honeypots, detects references to decoy routers/switches, checks for claims about decoy network devices, tests for decoy wireless networks, and verifies deployment of decoy VLANs.
- Deception Technology Stack: Identifies vendors providing network deception solutions, detects commercial deception platforms, examines custom network deception implementations, tests for SDN-based deception, and flags any fingerprints that might indicate deception technology in use.
- Topology Exposure: Tests for the disclosure of network maps, checks references to decoy placements, verifies claims about deception coverage, identifies deployment architectures, and assesses the scope of network deception exposure.
Inputs Required:
domain (string): Fully qualified domain name (e.g., ekkatha.com). This is necessary for making HTTP requests to analyze the target website’s content.
Business Impact: Network deception exposure creates significant operational risks, including public disclosure of decoy networks that enable adversaries to avoid detection, exposed decoy services allowing attackers to filter through and exploit them, visible network honeypots reducing their effectiveness, and decoy infrastructure fingerprints aiding in adversary evasion and mapping of deception topologies.
Risk Levels:
- Critical: Public disclosure of decoy networks enables avoidance, exposed decoy services allow attacker filtering, visible network honeypots lose effectiveness, decoy infrastructure fingerprints aid evasion, and topology disclosure enables deception mapping.
- High: The scanner identifies weaknesses in network deception operational security that could reveal the deception topology to adversaries.
- Medium: The scanner detects potential issues related to public exposure of decoy networks or services, which might be exploited by attackers.
- Low: Informational findings regarding the use of specific deception vendors or technologies, indicating a need for further investigation and possibly no immediate risk.
- Info: Findings that do not directly impact security but could indicate areas for improvement in network deception practices.
Example Findings:
- “Publicly disclosed network deception capabilities suggest an increased risk of adversary exploitation.”
- “Exposed decoy service endpoints provide clear targets for targeted attacks, increasing the severity of potential breaches.”