Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
A Persona is used to establish background information about a victim to increase the believability of the target. To create a persona, the defender must develop a backstory and seed the environment with varying data in support of this story. Depending on the need for realism, the constructed persona can be supported by evidence of hobbies, social and professional interactions, consumer transactions, employment, browsing habits, etc.
In addition to lending legitimacy to the environment, personas can be used to engage directly with adversaries, such as during phishing email exchanges. Personas can also make changes to the environment during the operation, such as adding or removing a USB device or introducing new decoy documents or credentials.
| ATT&CK® Tactics | Adversary Vulnerability Presented |
|---|---|
| Impact, Discovery, Persistence, Initial Access | When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. |
| Collection, Discovery, Initial Access | When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases, the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. |
| Command and Control, Initial Access, Reconnaissance, Execution | When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user. |
| Credential Access | When adversaries collect manipulated artifacts, they are vulnerable to revealing their presence when they use or move the artifacts elsewhere in the engagement environment. |
| Credential Access, Collection | When adversaries rely on particular resources being enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. |
| Discovery, Reconnaissance, Collection | When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. |
| Command and Control, Initial Access | When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. |
| Reconnaissance | When adversaries collect targeting information from open or closed data sources, they are vulnerable to being influenced by manipulated or misleading data. |
| Reconnaissance | When adversaries collect targeting information from open or closed data sources, they may reveal their targeting preferences. |
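
One way to act on the Credential Access row above, as an added example that is not part of the original page: flag any login that uses a persona's planted credential from a source other than the persona's own workstation. The account names, addresses, and sshd-style log lines are constructed for illustration.

```python
import re

# Constructed values: persona accounts whose credentials were planted as decoys,
# and the workstation that generates the persona's own scripted activity.
DECOY_ACCOUNTS = {"j.alvarez", "svc-backup-lab"}
PERSONA_HOSTS = {"10.0.5.21"}

# Constructed sshd-style log lines from the engagement environment.
SAMPLE_LOG = """\
Mar  3 09:12:01 ws01 sshd[811]: Accepted password for j.alvarez from 10.0.5.21 port 50122 ssh2
Mar  3 09:40:17 ws01 sshd[902]: Accepted password for mlee from 10.0.5.30 port 50410 ssh2
Mar  3 11:02:44 fs02 sshd[1433]: Accepted password for j.alvarez from 10.0.7.88 port 41822 ssh2
Mar  3 11:05:09 db01 sshd[2210]: Failed password for svc-backup-lab from 10.0.7.88 port 41990 ssh2
Mar  3 11:05:30 db01 sshd[2211]: Failed password for invalid user admin from 10.0.7.88 port 41992 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\spassword\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport\s\d+",
    re.MULTILINE,
)


def find_decoy_use(log_text):
    """Return logins that used a persona credential from a non-persona source."""
    alerts = []
    for m in LINE.finditer(log_text):
        # The persona's own scripted logins are expected; anything else is not.
        if m["user"] in DECOY_ACCOUNTS and m["src"] not in PERSONA_HOSTS:
            alerts.append(m.groupdict())
    return alerts


def hosts_by_source(alerts):
    """Group targeted hosts per source to show where the credential was moved."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["src"], []).append(a["host"])
    return seen


if __name__ == "__main__":
    for a in find_decoy_use(SAMPLE_LOG):
        print(f'{a["ts"]} {a["result"]:8} {a["user"]} from {a["src"]} on {a["host"]}')
```

Failed attempts are reported along with successful ones, since any use of a persona credential outside the persona's scripted behavior indicates that the planted artifact was collected.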