Decoy files are a deception-based defense mechanism in Cynet 360 that uses honeypot tactics. Cynet 360 deploys deception entities (files, credentials and connections) on scanned hosts to lure attackers. Because these entities have no legitimate use, any interaction with them is detected by Cynet 360 and raised as an alert for illicit activity.
Cynet deploys its deception capabilities in several forms. The following list gives a high-level explanation of each deception type:
- Office Documents – Cynet deploys Excel, Word and PowerPoint documents to the host in a newly created user directory. These files contain beacons that communicate back to the Cynet server when the document is opened, which generates an alert.
- Remote Desktop Files – Cynet deploys RDP files with saved imitation credentials on the host. When such a file is opened, it attempts to connect to the Cynet server with the invalid credentials, which generates an alert.
- ODBC – Cynet configures an ODBC connection on the host that points to the Cynet server. When this ODBC connection is used, it generates an error and an alert.
- NetBIOS – Cynet configures monitored network shares on the host. When one of these shares is accessed, an alert is generated.
- Stored Credentials – Cynet implants invalid credentials in the Windows Credential Manager. If an attacker harvests these credentials and uses them to authenticate elsewhere in the environment, an alert is generated.
- Text files – Cynet deploys text files containing invalid credentials to the host. The credentials are disguised as domain credentials or as credentials for an internal web application. If either set of invalid credentials is used, an alert is generated.
Every decoy alert contains the type of decoy that was triggered, the attacker IP address, the victim IP address, the hostname and the file name (if applicable).
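To make concrete how "use of a decoy credential generates an alert" works for the Stored Credentials, Text files and Remote Desktop Files decoys, and what the alert fields listed above look like, here is an added example. It is not Cynet's code and does not describe how Cynet 360 implements its detection; the decoy registry, the host-to-IP table and the logon events (shaped like the TargetUserName, IpAddress, WorkstationName and Computer fields of Windows Security events 4624/4625) are all constructed for illustration. The idea is the same as the page describes: a planted credential is never valid, so any authentication attempt that names it is an alert regardless of whether the logon failed or succeeded.

```python
"""Illustrative decoy-credential detection (added example, not Cynet 360 code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Decoy:
    decoy_type: str               # decoy type as named on the page
    username: str                 # planted (invalid) account name
    planted_on: str               # host where the decoy was deployed
    file_name: Optional[str] = None  # file-based decoys only


def normalize_user(name: str) -> str:
    """Strip a DOMAIN\\ prefix or @domain suffix and fold case, so that the
    account name in an event compares against the name in the decoy registry."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.lower()


# Constructed decoy registry (hypothetical names, not real accounts).
DECOYS: List[Decoy] = [
    Decoy("Stored Credentials", "svc_backup_admin", "WS-FIN-07"),
    Decoy("Text files", "CORP\\helpdesk_tmp", "WS-FIN-07", "passwords.txt"),
    Decoy("Remote Desktop Files", "rdp_jump_user", "WS-HR-02", "jumpbox.rdp"),
]

# Constructed host -> IP table used to fill in the victim IP of an alert.
HOST_IPS: Dict[str, str] = {"DC01": "10.0.0.5", "FS01": "10.0.0.20"}

# Constructed logon events in the shape of Windows Security 4624/4625 fields.
EVENTS: List[dict] = [
    # Normal successful logon by a real user: no alert.
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.1.15",
     "WorkstationName": "WS-FIN-07", "Computer": "DC01.corp.local"},
    # Failed logon with the Credential Manager decoy: alert.
    {"EventID": 4625, "TargetUserName": "svc_backup_admin", "IpAddress": "10.0.1.99",
     "WorkstationName": "ATTACKER-VM", "Computer": "DC01.corp.local"},
    # Failed logon with the text-file decoy, domain-qualified: alert.
    {"EventID": 4625, "TargetUserName": "CORP\\helpdesk_tmp", "IpAddress": "10.0.1.99",
     "WorkstationName": "ATTACKER-VM", "Computer": "FS01.corp.local"},
    # A *successful* logon with a decoy name should be impossible; flag it as critical.
    {"EventID": 4624, "TargetUserName": "rdp_jump_user", "IpAddress": "10.0.1.99",
     "WorkstationName": "ATTACKER-VM", "Computer": "DC01.corp.local"},
    # Unrelated event type: ignored by this detector.
    {"EventID": 4776, "TargetUserName": "svc_backup_admin", "Computer": "DC01.corp.local"},
]


def build_index(decoys: List[Decoy]) -> Dict[str, Decoy]:
    """Map normalized decoy usernames to their registry entries."""
    return {normalize_user(d.username): d for d in decoys}


def detect(events: List[dict], decoys: List[Decoy] = DECOYS,
           host_ips: Dict[str, str] = HOST_IPS) -> List[dict]:
    """Return one alert per logon event that names a decoy account.

    Both failed (4625) and successful (4624) logons count: the decoy credential
    is invalid by construction, so a success means the account now exists and
    is treated as more severe than the expected failure.
    """
    index = build_index(decoys)
    alerts = []
    for ev in events:
        if ev.get("EventID") not in (4624, 4625):
            continue
        decoy = index.get(normalize_user(ev.get("TargetUserName", "")))
        if decoy is None:
            continue
        victim_host = ev.get("Computer", "").split(".", 1)[0]
        alerts.append({
            "decoy_type": decoy.decoy_type,
            "attacker_ip": ev.get("IpAddress", "-"),
            "victim_ip": host_ips.get(victim_host, "unknown"),
            "hostname": victim_host,
            "file_name": decoy.file_name,
            "planted_on": decoy.planted_on,
            "severity": "critical" if ev["EventID"] == 4624 else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Running the block against the constructed events yields three alerts: two high-severity alerts for the failed logons with the Credential Manager and text-file decoys (the second carrying `passwords.txt` as its file name), and one critical alert for the successful logon with the RDP decoy name. The `planted_on` field is included because the host where a credential was planted is usually the first host the attacker compromised, which is the detail a responder wants next.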