We welcome your feedback about MITRE Engage v0.9 Beta: Email us at engage@mitre.org

Personas

Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.

A Persona is used to establish background information about a victim to increase the believability of the target. To create a persona, the defender must develop a backstory and seed the environment with varying data in support of this story. Depending on the need for realism, the constructed persona can be supported by evidence of hobbies, social and professional interactions, consumer transactions, employment, browsing habits, etc.

In addition to lending legitimacy to the environment, personas can be used to engage directly with adversaries, such as during phishing email exchanges. Additionally, personas can make changes to the environment during the operation, such as adding or removing a USB device or introducing new decoy documents or credentials.

Details
ID: EAC0012
Type: Engagement
Goals: Elicit
Approaches: Motivation

Whenever an adversary interacts with the environment, their actions reveal vulnerabilities. Defenders can utilize engagement activities to take advantage of such weaknesses.

The following table lists the adversary tactics on the left and the revealed vulnerability on the right that can be exploited by the defender using Personas.

| ATT&CK® Tactics | Adversary Vulnerability Presented |
| --- | --- |
| Impact, Discovery, Persistence, Initial Access | When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. |
| Collection, Discovery, Initial Access | When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases, the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. |
| Command and Control, Initial Access, Reconnaissance, Execution | When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user. |
| Credential Access | When adversaries collect manipulated artifacts, they are vulnerable to revealing their presence when they use or move the artifacts elsewhere in the engagement environment. |
| Credential Access, Collection | When adversaries rely on particular resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. |
| Discovery, Reconnaissance, Collection | When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. |
| Command and Control, Initial Access | When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. |
| Reconnaissance | When adversaries collect targeting information from open or closed data sources, they are vulnerable to being influenced by manipulated or misleading data. |
| Reconnaissance | When adversaries collect targeting information from open or closed data sources, they may reveal their targeting preferences. |