Add 2 skills: deception (MITRE Engage, cloud decoys)

- designing-adversary-engagement-with-mitre-engage
- deploying-cloud-deception-with-decoy-resources

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
andrewibrah
2026-06-04 09:56:25 -04:00
parent 04450304b1
commit fd0f0e702a
10 changed files with 1236 additions and 0 deletions
@@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to the Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by the Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding any notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. Please do not remove or change
the license header comment from a contributed file except when
necessary.
Copyright 2026 mukul975
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
@@ -0,0 +1,169 @@
---
name: deploying-cloud-deception-with-decoy-resources
description: >-
Deploy cloud-native deception across AWS, Azure, and GCP using decoy (honey) resources
whose only purpose is to generate a high-fidelity alert the instant an attacker touches
them: canary IAM access keys, permission-less decoy users/roles/service principals,
honey object-storage buckets, and decoy secrets in Secrets Manager / Key Vault / Secret
Manager. Wires detection through CloudTrail + EventBridge, Azure Sentinel honeytoken
watchlists + Defender, and GCP Cloud Audit Logs, so any use of a decoy is routed to the
SOC with near-zero false positives. Use when protecting cloud accounts and data stores,
when an org has only on-prem honeypots and needs cloud coverage, when seeding fake AWS
keys to catch credential theft and code-leak exposure, or when detecting cloud
reconnaissance and lateral movement. Keywords: cloud deception, canary token AWS, honey
S3 bucket, decoy IAM credentials, CloudTrail alert, GuardDuty, Sentinel honeytoken,
decoy secret, honey service account, cloud honeypot, breach detection.
domain: cybersecurity
subdomain: deception-technology
tags:
- cloud-deception
- aws
- azure
- gcp
- canary-token
- honeytoken
- cloudtrail
- breach-detection
version: "1.0"
author: andrewibrah
license: Apache-2.0
nist_csf:
- DE.CM-01
- DE.CM-06
- DE.AE-02
- ID.RA-01
- RS.MA-01
mitre_attack:
- T1078
- T1552
- T1580
- T1530
- T1619
---
# Deploying Cloud Deception with Decoy Resources
## When to Use
- When cloud accounts (AWS/Azure/GCP) hold crown-jewel data or infrastructure and you need a tripwire that fires the moment an attacker who has gained access starts to operate.
- When the only deception in place is on-prem honeypots, leaving the cloud control plane uninstrumented.
- When seeding fake credentials to catch credential theft, accidental code-repo leaks, or secrets exposed in build pipelines.
- When detecting cloud reconnaissance (enumeration of IAM, storage, or secrets) and lateral movement that legitimate users would never perform.
- When you want detections that survive into incident response with strong fidelity — a touch on a decoy resource almost always means malicious or unauthorized activity.
This is the cloud counterpart to on-prem honeypot/honeytoken/canary-token deployment skills. For program strategy and how these Activities map to adversary engagement goals, use `designing-adversary-engagement-with-mitre-engage`.
## Prerequisites
- Cloud admin/IAM permissions to create decoy principals, storage, secrets, and detection wiring, ideally in a dedicated deployment role with least privilege.
- Cloud audit logging already enabled: **AWS CloudTrail** (multi-region, with management and relevant data events), **Azure Activity log + Microsoft Entra audit/sign-in logs**, **GCP Cloud Audit Logs (Admin Activity always on; Data Access enabled where needed)**.
- A SIEM/alert sink: SNS topic, Microsoft Sentinel workspace, or GCP Pub/Sub + Monitoring, with routing to the SOC.
- A naming and tagging convention that is plausible to an attacker but unambiguous to defenders internally (e.g., realistic names, plus an internal `deception=true` tag/label kept out of attacker-visible metadata).
- **Decoy principals must be permission-less (explicit deny-all).** The value is the alert, never the access. A decoy that grants real privilege is a liability, not a control.
## Workflow
### 1. Decide what to mimic
Pick decoys that match how *your* attackers operate: leaked AWS keys (credential theft), an "admin" S3 bucket (data discovery), a `prod-db-password` secret (secrets harvesting), a privileged-looking service account (cloud lateral movement). Place credential decoys where harvesting tools look: env files, CI variables, code comments, an internal wiki.
### 2A. AWS — canary access keys on a permission-less user
Create a decoy IAM user with an explicit deny-all policy, then issue an access key to plant:
```bash
aws iam create-user --user-name svc-backup-prod --tags Key=deception,Value=true
aws iam put-user-policy --user-name svc-backup-prod \
--policy-name deny-all \
--policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*"}]}'
aws iam create-access-key --user-name svc-backup-prod # plant the returned AccessKeyId/Secret
```
Any use of this key appears in CloudTrail (even denied calls, which still log `AccessDenied`). Wire an EventBridge rule on CloudTrail to alert:
```bash
aws events put-rule --name decoy-key-used \
--event-pattern '{"detail":{"userIdentity":{"userName":["svc-backup-prod"]}}}'
aws events put-targets --rule decoy-key-used \
--targets "Id"="1","Arn"="arn:aws:sns:us-east-1:111111111111:soc-deception-alerts"
```
### 2B. AWS — honey S3 bucket
Create a believable bucket, enable object-level data events, and alert on any read/list:
```bash
aws s3api create-bucket --bucket acme-prod-db-backups-2026 --region us-east-1
aws s3api put-bucket-tagging --bucket acme-prod-db-backups-2026 \
--tagging 'TagSet=[{Key=deception,Value=true}]'
# Ensure CloudTrail captures S3 data events for this bucket, then alert on GetObject/ListBucket
aws events put-rule --name decoy-bucket-access \
--event-pattern '{"detail":{"eventSource":["s3.amazonaws.com"],"requestParameters":{"bucketName":["acme-prod-db-backups-2026"]}}}'
```
### 2C. AWS — decoy secret
```bash
aws secretsmanager create-secret --name prod/db/master-password \
--secret-string '{"username":"dbadmin","password":"DECOY-DO-NOT-USE"}' \
--tags Key=deception,Value=true
# Alert on GetSecretValue for this secret via EventBridge -> SNS
```
### 3A. Azure — honeytoken watchlist + decoy service principal
Microsoft Sentinel natively supports honeytokens via a **Watchlist** of the `HoneyTokens` template; tagged decoy accounts/secrets raise analytics alerts on use. Create a permission-less decoy app registration / service principal, then add its identifiers to the HoneyTokens watchlist and enable the related analytics rules. Microsoft Defender for Cloud and Entra ID Protection surface anomalous sign-ins to the decoy identity.
### 3B. Azure — honey storage + Key Vault decoy secret
Create a decoy Storage account and Key Vault, enable diagnostic logging to the Sentinel workspace, store a decoy secret, and write an analytics rule that fires on any data-plane read of the decoy resources.
### 4A. GCP — decoy service account + honey GCS bucket
Create a service account with no role bindings (permission-less), generate a key to plant, and alert on its use via Cloud Audit Logs:
```bash
gcloud iam service-accounts create svc-billing-export \
--display-name="billing-export"
gcloud iam service-accounts keys create decoy-key.json \
--iam-account=svc-billing-export@PROJECT.iam.gserviceaccount.com # plant this key
gsutil mb -b on gs://acme-finance-exports-2026
```
Create a log-based metric + alerting policy in Cloud Monitoring that triggers on any audit-log entry where the principal is the decoy service account or the resource is the honey bucket.
### 5. Centralize and de-duplicate
Route all clouds' decoy alerts to one SOC pipeline. Tag each alert as DECEPTION/high-fidelity so it bypasses normal noise filtering and triggers an IR playbook rather than a triage queue.
### 6. Validate (red-team the decoys)
Have an authorized tester use each decoy (read the bucket, call with the key, fetch the secret) and confirm an alert lands end-to-end within target latency. A decoy you have not tested is assumed broken.
### 7. Maintain realism and rotate
Refresh decoy names, secrets, and pocket-litter periodically so they age with the real environment. Track every decoy in an inventory so they are never mistaken for real assets during audits or cleanups.
## Key Concepts
| Concept | Definition |
|---|---|
| Decoy / honey resource | A cloud object created solely to be touched by an attacker; no legitimate user has any reason to use it. |
| Canary access key | A planted credential whose use generates an audit-log event; carries deny-all permissions. |
| High-fidelity alert | A near-zero-false-positive signal because legitimate workflows never reference the decoy. |
| Permission-less principal | A decoy IAM user/role/service principal/service account with explicit deny-all or no role bindings. |
| Data event | Cloud audit logging of object/data-plane access (e.g., S3 GetObject), required to detect storage decoys. |
| Pocket litter | Plausible supporting artifacts (fake configs, env files, wiki entries) that make a decoy credible. |
| Decoy inventory | The authoritative internal record distinguishing decoys from real assets. |
## Tools & Systems
- **AWS** — IAM (decoy users/roles), S3 (honey buckets, data events), Secrets Manager / SSM Parameter Store (decoy secrets), CloudTrail, EventBridge, SNS/Lambda, GuardDuty (correlate anomalous use).
- **Azure** — Microsoft Entra ID (decoy app registrations / service principals), Storage / Key Vault decoys, **Microsoft Sentinel HoneyTokens watchlist** and analytics rules, Microsoft Defender for Cloud, Entra ID Protection.
- **GCP** — IAM service accounts (decoys), Cloud Storage (honey buckets), Secret Manager (decoy secrets), Cloud Audit Logs, log-based metrics + Cloud Monitoring alerting, Pub/Sub.
- **Open-source / managed honeytoken systems** — Canarytokens (https://canarytokens.org offers AWS API key tokens), Thinkst Canary, SpaceSiren / SpaceCrab (self-hosted AWS honey-token frameworks).
- **SIEM/SOAR** — to centralize alerts across clouds and drive an IR playbook on any decoy hit.
## Common Scenarios
- **Credential-theft / code-leak detection.** Plant a canary AWS key in CI variables, an env file, and a private repo. Any external use (even from a leaked public push) fires within minutes.
- **Crown-jewel data store.** Stand up a honey "backups" bucket next to the real one; attackers enumerating storage hit the decoy first and reveal themselves.
- **Cloud lateral movement.** A permission-less decoy service principal that "looks" privileged catches adversaries assuming roles during pivoting.
- **Secrets harvesting.** Decoy entries in Secrets Manager / Key Vault / Secret Manager detect tools scraping the secrets store.
- **Migrating from on-prem-only deception.** Mirror the existing on-prem decoy strategy into the cloud control plane so coverage follows workloads.
## Output Format
Produce a **Cloud Deception Deployment Record** using `assets/template.md`, containing:
1. **Decoy inventory** — per decoy: cloud, type, plausible name, real placement location of any planted credential, internal `deception` tag/label, owner.
2. **Detection wiring** — per decoy: audit-log source → rule/pattern → alert sink → IR playbook reference, with the target alert latency.
3. **Least-privilege proof** — evidence each decoy principal is deny-all / no-role-binding.
4. **Validation results** — date tested, who tested, end-to-end latency observed, pass/fail.
5. **Maintenance plan** — rotation cadence and review owner.
Use `scripts/process.py` to render the deployment record and a per-decoy detection checklist from a decoy-inventory JSON, and to flag decoys missing detection wiring or validation.
@@ -0,0 +1,33 @@
# Cloud Deception Deployment Record
> Worked example. Keep this record internal and separate from any attacker-visible metadata.
**Account / project:** acme-prod (AWS 111111111111) · **Owner:** [Cloud security lead] · **Last validated:** 2026-05-20
## 1. Decoy inventory & detection wiring
| Decoy | Cloud | Type | Plausible placement | Detection: source → rule → sink → playbook | Deny-all? | Target latency |
|---|---|---|---|---|---|---|
| svc-backup-prod (key) | AWS | Canary access key | CI variables, repo `.env`, internal wiki | CloudTrail → `decoy-key-used``sns:soc-deception-alerts` → IR-CLOUD-07 | Yes | < 5 min |
| acme-prod-db-backups-2026 | AWS | Honey S3 bucket | Discoverable via S3 list | CloudTrail data events → `decoy-bucket-access` → SNS → IR-CLOUD-07 | n/a | < 5 min |
| prod/db/master-password | AWS | Decoy secret | Secrets Manager | CloudTrail `GetSecretValue``decoy-secret-read` → SNS → IR-CLOUD-07 | n/a | < 5 min |
| h* sentinel honeytoken acct | Azure | Decoy service principal | Entra app registration | Sentinel HoneyTokens watchlist → analytics rule → SOC → IR-CLOUD-07 | Yes (no roles) | < 10 min |
| svc-billing-export | GCP | Decoy service account key | Build config | Cloud Audit Logs → log-based metric → Monitoring alert → IR-CLOUD-07 | Yes (no bindings) | < 10 min |
## 2. Least-privilege proof
- AWS decoy users: explicit `Deny *` inline policy attached (`deny-all`); verified with `aws iam get-user-policy`.
- Azure decoy SP: zero role assignments; verified in Entra.
- GCP decoy SA: zero IAM policy bindings; verified with `gcloud iam service-accounts get-iam-policy`.
## 3. Validation results (red-team each decoy)
| Decoy | Tested | By | Observed latency | Pass/Fail |
|---|---|---|---|---|
| svc-backup-prod | 2026-05-20 | Red team | 90 s | PASS |
| acme-prod-db-backups-2026 | 2026-05-20 | Red team | 2 min | PASS |
| prod/db/master-password | 2026-05-20 | Red team | 75 s | PASS |
| Azure honeytoken SP | 2026-05-20 | Red team | 6 min | PASS |
| svc-billing-export | 2026-05-20 | Red team | 4 min | PASS |
## 4. Maintenance plan
- **Rotation cadence:** Refresh names/secrets/pocket-litter quarterly so decoys age with prod.
- **Review owner:** [Cloud security lead], quarterly.
- **Inventory rule:** No decoy is deleted during clean-ups/audits without confirming against this record.
@@ -0,0 +1,62 @@
# Cloud Deception — Standards & Reference
## Detection foundations (audit logging is mandatory)
Cloud deception only works if a decoy touch is logged. Confirm these before deploying.
### AWS
- **CloudTrail** — management events plus **data events** (S3 object-level, Lambda invoke, etc.) for any storage/secret decoys. Multi-region trail recommended.
- **EventBridge** — pattern-match CloudTrail events on `userIdentity.userName`, `eventSource`, or `requestParameters.bucketName` and target SNS/Lambda.
- **GuardDuty** — correlates anomalous credential/API behavior; useful to enrich a decoy hit.
- Note: even *denied* API calls by a deny-all decoy principal are recorded in CloudTrail as `AccessDenied`, so the alert fires regardless of granted permission.
### Azure / Microsoft
- **Azure Activity log** + **Microsoft Entra ID audit and sign-in logs** streamed to a Log Analytics / Microsoft Sentinel workspace.
- **Microsoft Sentinel HoneyTokens** — built-in watchlist template; decoy identifiers added to the watchlist drive analytics rules that alert on use.
- **Microsoft Defender for Cloud** and **Entra ID Protection** — surface anomalous access to decoy identities.
- Enable diagnostic settings on decoy Storage accounts and Key Vaults to capture data-plane reads.
### GCP
- **Cloud Audit Logs** — Admin Activity logs are always on; enable **Data Access** logs for the services hosting decoys (Cloud Storage, Secret Manager, IAM).
- **Log-based metrics + Cloud Monitoring alerting policies** — trigger on audit entries where `protoPayload.authenticationInfo.principalEmail` is the decoy service account or the resource is the honey bucket.
- **Pub/Sub** sink to forward to a SIEM.
## MITRE D3FEND — Deceive tactic mappings
| D3FEND technique | Cloud decoy realization |
|---|---|
| Decoy User Credential | Canary IAM access key / decoy app secret / decoy SA key |
| Decoy Network Resource | Honey S3 / GCS / Azure Storage bucket |
| Decoy Object | Decoy secret in Secrets Manager / Key Vault / Secret Manager |
| Decoy Persona | Permission-less decoy IAM user / service principal / service account |
| Decoy Session Token | Planted temporary credential / SAS token |
## MITRE ATT&CK techniques detected
| Technique | Detected by decoy |
|---|---|
| T1078 / T1078.004 Valid Accounts (Cloud) | Canary key / decoy principal use |
| T1552 / T1552.001 Unsecured Credentials | Decoy secret read; planted credential use |
| T1580 Cloud Infrastructure Discovery | Enumeration touching decoy principals/resources |
| T1619 Cloud Storage Object Discovery | List on honey bucket |
| T1530 Data from Cloud Storage Object | GetObject on honey bucket |
## NIST CSF 2.0 alignment
| CSF 2.0 ID | Relevance |
|---|---|
| DE.CM-01 | Networks/environments monitored to find adverse events |
| DE.CM-06 | External service provider (cloud) activity monitored |
| DE.AE-02 | Potentially adverse events analyzed — decoy alert triage |
| ID.RA-01 | Vulnerabilities/exposures identified — informs decoy placement |
| RS.MA-01 | Incident management — decoy hit invokes the IR playbook |
## Tooling references
- Canarytokens (AWS API key token): https://canarytokens.org
- Thinkst Canary: https://canary.tools
- SpaceSiren (self-hosted AWS honey tokens, serverless): open-source
- Microsoft Sentinel HoneyTokens watchlist: Microsoft Learn — "Deploy decoys/honeytokens with Sentinel"
- AWS CloudTrail data events: AWS docs — "Logging data events"
- GCP Cloud Audit Logs: Google Cloud docs — "Cloud Audit Logs overview"
## Operating principles
- **Deny-all decoys only.** Decoy principals must carry an explicit deny-all policy (AWS) or no role bindings (GCP) / no privileged roles (Azure). The control's value is the alert, never access.
- **Keep an internal decoy inventory** separate from attacker-visible metadata so audits and clean-ups never delete a tripwire by accident, and real assets are never mistaken for decoys.
- **Validate end-to-end** (red-team each decoy) and record observed alert latency. Untested decoys are assumed non-functional.
- **Mark deception alerts high-fidelity** so they bypass routine noise filtering and go straight to an IR playbook.
@@ -0,0 +1,130 @@
#!/usr/bin/env python3
"""
Cloud deception deployment validator.
Reads a decoy-inventory JSON, checks each decoy for the controls that make a
cloud decoy trustworthy (detection wiring, deny-all/least-privilege, validation,
internal tagging), renders a Cloud Deception Deployment Record, and exits non-zero
if any decoy is missing a required control.
Usage:
python process.py --inventory decoys.json --out record.md
decoys.json format:
{
"account": "acme-prod (AWS 1111...)",
"decoys": [
{
"name": "svc-backup-prod",
"cloud": "aws",
"type": "canary_access_key",
"placement": "CI variables + private repo .env",
"deny_all": true,
"detection": {"source": "CloudTrail", "rule": "decoy-key-used", "sink": "sns:soc-deception-alerts", "playbook": "IR-CLOUD-07"},
"validated": {"date": "2026-05-20", "by": "redteam", "latency_sec": 90, "passed": true},
"internal_tag": "deception=true"
}
]
}
"""
import argparse
import json
import sys
from datetime import date
REQUIRED = ["name", "cloud", "type", "placement"]
VALID_CLOUDS = {"aws", "azure", "gcp"}
def check_decoy(d):
"""Return list of issues for one decoy."""
issues = []
for k in REQUIRED:
if not d.get(k):
issues.append(f"missing required field '{k}'")
if d.get("cloud") and d["cloud"].lower() not in VALID_CLOUDS:
issues.append(f"unknown cloud '{d.get('cloud')}'")
det = d.get("detection") or {}
for k in ("source", "rule", "sink"):
if not det.get(k):
issues.append(f"detection wiring missing '{k}' (decoy is blind)")
if not det.get("playbook"):
issues.append("no IR playbook reference for the alert")
# Credential/principal decoys must be deny-all / least privilege.
cred_types = {"canary_access_key", "decoy_principal", "decoy_service_account",
"decoy_service_principal", "decoy_iam_user"}
if d.get("type") in cred_types and not d.get("deny_all"):
issues.append("credential/principal decoy is not marked deny_all (liability risk)")
val = d.get("validated") or {}
if not val.get("passed"):
issues.append("not validated end-to-end (assume non-functional)")
if not d.get("internal_tag"):
issues.append("no internal deception tag/label (audit-cleanup risk)")
return issues
def render(inv, results):
lines = [f"# Cloud Deception Deployment Record",
f"\n_Account: {inv.get('account', 'UNKNOWN')} — generated {date.today().isoformat()}_\n",
"## 1. Decoy inventory & detection wiring",
"| Decoy | Cloud | Type | Placement | Detection (source→rule→sink) | Playbook | Validated | Status |",
"|---|---|---|---|---|---|---|---|"]
for d, issues in results:
det = d.get("detection") or {}
wiring = f"{det.get('source','?')}{det.get('rule','?')}{det.get('sink','?')}"
val = d.get("validated") or {}
vstr = f"{val.get('date','-')} ({val.get('latency_sec','?')}s)" if val.get("passed") else "NO"
status = "OK" if not issues else f"{len(issues)} issue(s)"
lines.append(f"| {d.get('name','?')} | {d.get('cloud','?')} | {d.get('type','?')} | "
f"{d.get('placement','?')} | {wiring} | {det.get('playbook','-')} | {vstr} | {status} |")
problem = [(d, i) for d, i in results if i]
if problem:
lines.append("\n## 2. Issues to remediate before relying on these decoys")
for d, issues in problem:
lines.append(f"\n**{d.get('name','?')}** ({d.get('cloud','?')}):")
for it in issues:
lines.append(f"- {it}")
else:
lines.append("\n## 2. Issues\nNone — all decoys have detection wiring, least privilege, and validation.")
lines.append("\n## 3. Maintenance")
lines.append("- Rotation cadence: TBD · Review owner: TBD")
lines.append("- Keep this record separate from attacker-visible metadata.")
return "\n".join(lines)
def main():
p = argparse.ArgumentParser(description="Cloud deception deployment validator")
p.add_argument("--inventory", required=True, help="Path to decoy-inventory JSON")
p.add_argument("--out", help="Output markdown path (default: stdout)")
args = p.parse_args()
with open(args.inventory) as f:
inv = json.load(f)
decoys = inv.get("decoys", [])
results = [(d, check_decoy(d)) for d in decoys]
total_issues = sum(len(i) for _, i in results)
healthy = sum(1 for _, i in results if not i)
print(f"{len(decoys)} decoy(s): {healthy} healthy, {total_issues} total issue(s).",
file=sys.stderr)
out = render(inv, results)
if args.out:
with open(args.out, "w") as f:
f.write(out + "\n")
print(f"Wrote deployment record -> {args.out}", file=sys.stderr)
else:
print(out)
# Non-zero exit if any decoy has issues, so this can gate a pipeline.
sys.exit(1 if total_issues else 0)
if __name__ == "__main__":
main()