MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.
Decoy Persona
Develop personal information (aka a backstory) about a user and plant data to support that backstory.
A decoy persona is used to establish background information about a user. In order to have the adversary believe they are operating against real targets (people and IT), develop a backstory about a user and plant data to support that backstory. Depending on the need for realism, the constructed persona can be supported by evidence of hobbies, social and professional interactions, consumer transactions, employment, etc.
Details
ID:
DTE0015
Opportunities
| ID | Description |
|---|---|
| DOS0002 | There is an opportunity to discover who or what is being targeting by an adversary. |
| DOS0082 | There is an opportunity to introduce data to an adversary to influence their future behaviors. |
| DOS0253 | There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions. |
Use Cases
| ID | Description |
|---|---|
| DUC0019 | A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity. |
| DUC0259 | A defender can use a decoy persona to engage with online communities or to purchase/download information about their organization and review for exposure. |
Procedures
| ID | Description |
|---|---|
| DPR0029 | Create a persona that represents an employee with hobbies, outside interests, personal accounts, etc. This persona may be used in conjunction with decoy accounts and credentials. |
| DPR0030 | Create a persona that represents an employee's projects and job scope. This persona information can be leveraged in conjunction with Burn-In and Pocket Litter. |
ATT&CK® Techniques
ID | Name | ATT&CK Tactics |
|---|---|---|
| T1566 | Phishing | Initial Access |
| T1589 | Gather Victim Identity Information | Reconnaissance |
| T1591 | Gather Victim Org Information | Reconnaissance |
| T1594 | Search Victim-Owned Websites | Reconnaissance |
| T1596 | Search Open Technical Databases | Reconnaissance |
| T1597 | Search Closed Sources | Reconnaissance |