Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
A Persona is used to establish background information about a victim to increase the believability of the target. To create a persona, the defender must develop a backstory and seed the environment with varying data in support of this story. Depending on the need for realism, the constructed persona can be supported by evidence of hobbies, social and professional interactions, consumer transactions, employment, browsing habits, etc.
In addition to lending legitimacy to the environment, personas can be used to engage directly with adversaries, such as during phishing email exchanges. Additionally, personas can make changes to the environment during the operation, such as adding or removing a USB device or introducing new decoy documents or credentials.
| ATT&CK® Tactics | Adversary Vulnerability Presented |
| --- | --- |
| Discovery, Initial Access, Collection | When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. |
| Initial Access, Discovery, Persistence, Impact | When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. |
| Initial Access, Command and Control | When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. |
| Discovery, Collection, Reconnaissance | When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. |
| Command and Control, Initial Access, Execution, Reconnaissance | When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user. |
| Collection, Credential Access | When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. |
| Credential Access | When adversaries collect manipulated artifacts, they are vulnerable to revealing their presence when using or moving the artifacts elsewhere in the engagement environment. |
| Reconnaissance | When adversaries collect targeting information from open or closed data sources, they are vulnerable to being influenced by manipulated or misleading data. |
| Reconnaissance | When adversaries collect targeting information from open or closed data sources, they may reveal their targeting preferences. |
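
The persona's decoy documents and credentials described above, and the Credential Access row on artifacts revealing an adversary's presence when used elsewhere, can be tied together with a small detector. This is an added example, not from the original page: the persona, hosts, accounts and the key=value log format are all constructed for illustration.

```python
# Hypothetical persona record: every name, host and account is constructed.
PERSONA = {
    "account": "dwhitfield",
    "workstation": "WS-FIN-07",
    "decoy_accounts": {"svc_payroll_bk"},            # credential planted in the persona's notes
    "decoy_documents": {"Q3_vendor_payments.xlsx"},  # file planted in the persona's share
}

# Constructed log lines in a made-up key=value format (not any product's schema).
SAMPLE_LOG = """\
ts=2024-05-06T09:02:11Z event=logon user=dwhitfield src_host=WS-FIN-07 dst_host=FS01
ts=2024-05-06T09:05:40Z event=file_read user=dwhitfield src_host=WS-FIN-07 object=Q3_vendor_payments.xlsx
ts=2024-05-06T13:17:02Z event=file_read user=jmorris src_host=WS-ENG-22 object=Q3_vendor_payments.xlsx
ts=2024-05-06T13:21:45Z event=logon user=svc_payroll_bk src_host=WS-ENG-22 dst_host=DB02
ts=2024-05-06T13:30:09Z event=logon user=jmorris src_host=WS-ENG-22 dst_host=FS01
"""

def parse_line(line):
    """Split one key=value log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())

def persona_touches(log_text, persona):
    """Return (ts, reason, src_host) for persona artifacts seen outside the persona's footprint."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, host = ev.get("user"), ev.get("src_host")
        # The persona's own scripted activity on its workstation is expected noise.
        scripted = user == persona["account"] and host == persona["workstation"]
        if user in persona["decoy_accounts"]:
            # A planted credential has no legitimate use anywhere.
            alerts.append((ev["ts"], "decoy_credential_used", host))
        elif user == persona["account"] and not scripted:
            # The persona's account showing up on another host means it was taken.
            alerts.append((ev["ts"], "persona_account_off_host", host))
        elif ev.get("object") in persona["decoy_documents"] and not scripted:
            alerts.append((ev["ts"], "decoy_document_read", host))
    return alerts

if __name__ == "__main__":
    for alert in persona_touches(SAMPLE_LOG, PERSONA):
        print(*alert)
```

Excluding the persona's scripted activity keeps the behavior patterns that make the persona believable from drowning out the events that indicate an adversary touched its artifacts.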