Use a diverse set of devices on the network to help establish the legitimacy of a decoy network.
Network diversity involves the use a diverse collection of network items to make a decoy network look more realistic. It also ensures the network contains the appropriate amount and types of things that would normally be expected, perhaps including networking devices, firewalls, printers, phones, etc.
|DOS0024||There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment.|
|DOS0081||There is an opportunity to entice the adversary to expose additional TTPs.|
|DUC0081||The defender can add unique endpoints, servers, routers, and other devices to give the adversary a broader attack surface. This can cause the adversary to expose additional capabilities.|
|DUC0087||A defender can setup networks that use Kerberos authentication and systems that authenticate using it. This gives you a chance to see if an adversary has the capacity to steal or forge Kerberos tickets for lateral movement.|
|DPR0043||Deploy a mix of network devices (systems, servers, printers, phones, etc.) to make a decoy network look realistic.|
|DPR0044||Deploy a variety of systems which reflect the use of multiple operating systems, hardware platforms, network services, etc.|
|T1040||Network Sniffing||Credential Access, Discovery|
|T1558||Steal or Forge Kerberos Tickets||Credential Access|