Decoy Persona

Develop personal information (aka a backstory) about a user and plant data to support that backstory.

A decoy persona is used to establish background information about a user. In order to have the adversary believe they are operating against real targets (people and IT), develop a backstory about a user and plant data to support that backstory. Depending on the need for realism, the constructed persona can be supported by evidence of hobbies, social and professional interactions, consumer transactions, employment, etc.

Details
ID: DTE0015
Tactics:  Channel Facilitate Legitimize Test Detect

Opportunities

IDDescription
DOS0002 There is an opportunity to discover who or what is being targeting by an adversary.
DOS0082 There is an opportunity to introduce data to an adversary to influence their future behaviors.
DOS0253 There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions.

Use Cases

IDDescription
DUC0019 A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity.
DUC0259 A defender can use a decoy persona to engage with online communities or to purchase/download information about their organization and review for exposure.

Procedures

IDDescription
DPR0029 Create a persona that represents an employee with hobbies, outside interests, personal accounts, etc. This persona may be used in conjunction with decoy accounts and credentials.
DPR0030 Create a persona that represents an employee's projects and job scope. This persona information can be leveraged in conjunction with Burn-In and Pocket Litter.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1566 Phishing Initial Access
T1589 Gather Victim Identity Information Reconnaissance
T1591 Gather Victim Org Information Reconnaissance
T1594 Search Victim-Owned Websites Reconnaissance
T1596 Search Open Technical Databases Reconnaissance
T1597 Search Closed Sources Reconnaissance