Normally, finding clearly fake profiles for a business is a huge red flag - the area of sketchy 5 star reviews and effusive praise for sushi restaurants in Kansas. However, creating fake profiles designed to draw in cybercriminals (particularly BEC actors) can be an effective strategy for corporate security teams.

Typically, honeypots are systems designed to look legitimate (and appealing) to an attacker, while actually containing no sensitive data or access to the environment. This allows security teams to draw in attackers, observe their behavior, and shore up their defenses. It's much easier to monitor a fake system for abnormal activity (since there's no legitimate activity that would hide the malicious) than a real system, which can behave more unpredictably. While these can be effective, in recent years there's been a significant uptick in social engineering attacks designed to evade technical controls, and these traditional honeypots aren't effective at detecting those attacks.

Since many threat actors do their research on who to target via third party data collection sites (which often scrape LinkedIn), LinkedIn itself, or the organization's corporate website, by planting fake data on these sites you can attract threat actors to your honeypot. Many threat actors will either develop their targeting lists from these sites or reach out to employees directly on the social media sites. A simple human honeypot is relatively easy to create and can provide high quality alerts of malicious activity before real users have been impacted.

You can start with a fake LinkedIn profile attached to a corporate email address that silently forwards all requests to the security team (easy to set up if you work for the organization's security team). This profile probably won't be sophisticated enough to fool nation-state actors, which may look closely at the fake persona and attempt to confirm details via other social media sites or government records, but it's a great way to attract BEC or targeted phishing attempts.

Ideally, you would start with a finance, sales, and/or IT persona (potentially with the addition of a fake engineer, developer, or designer, depending on whether or not you anticipate being the target of espionage or intellectual property theft). Additionally, the idea of a fake executive is very interesting, but presents its own issues, such as being relatively difficult to pull off (executives typically have a very public presence, which is difficult for a fake person to have) or potentially misleading investors if the organization is publicly traded.

A simple honeypot would start with the following:

- Fake LinkedIn profile with a name from and a photo from a stock photo site, a site like, or an un-posted photo from a friend (since the first thing any good attacker will do is reverse image search the photo).
- Fill out the LinkedIn profile with a few roles (ideally different roles at your organization), some education, volunteer experience, interests, etc. It should look as close to a real person as possible.
- Then, it should be allowed to 'age' for a few weeks/months, as you log in occasionally and provide it with typical activity (liking and sharing posts, sending and accepting connection requests, etc.). Reach out first to other people who list the same employer. Then expand a little - external recruiters are often a great resource as they'll typically accept almost any connection request, as will others with the same alumni network or similar interests.
- Connect the account to a real email address at your organization that is either immediately forwarded to the security team, or is a shared inbox that security team members have access to.

Now, sit back and wait for the connections to roll in. You'll likely start to see BEC attempts, phishing lures, and suspicious connection requests you can action before (or at the same time as) the attackers are reaching out to real employees.

From there, you can expand the honeypot:

- Add typical contact information to sales lead/data amalgamation databases for your honeypot.
- Add a basic corporate directory entry if that information is public (or include your honeypot on your corporate website).
- Turn the honeypot into a fully fledged sock puppet with other social media accounts and activity.
- Post enticing messages/posts on your profile which may attract an attacker (such as mentioning rolling out a new (fake) payroll system).
- Add an unprivileged AD account for the user, as long as you can also add constant monitoring for any usage or changes.

While human honeypots can be extremely valuable tools to identify threat actors targeting your organization, they do carry their own risks.
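The forwarding inbox is only useful if someone turns what arrives into action. The following is an added example in Python (not code from the original post) that triages one raw message from the honeypot mailbox into an alert record the security team can act on; the corporate domain, honeypot address, lure keywords and sample message are all constructed placeholders.

```python
# Added example, not code from the original post: turn each message that lands in the
# human-honeypot inbox into an alert record. The persona has no legitimate correspondents,
# so every message is actionable; the indicators set its priority. All values are constructed.
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"  # constructed placeholder for the organization's domain
LURE_TERMS = ("payroll", "wire", "invoice", "gift card", "urgent", "direct deposit")
URL_RE = re.compile(r"https?://[^\s>\"']+")


def _domain(header: str) -> str:
    """Lower-cased domain part of a From/Reply-To header value."""
    return parseaddr(header)[1].rpartition("@")[2].lower()


def _lookalike(domain: str) -> bool:
    """Close misspelling of the corporate domain (e.g. a digit swapped for a letter)."""
    return domain != CORP_DOMAIN and SequenceMatcher(None, domain, CORP_DOMAIN).ratio() >= 0.85


def triage(raw: str) -> dict:
    """Parse one raw RFC 822 message and return the alert record for it."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    sender = _domain(msg.get("From", ""))
    reply_to = _domain(msg.get("Reply-To", "")) or sender
    text = f"{msg.get('Subject', '')} {body}".lower()
    indicators = []
    if reply_to != sender:
        indicators.append("reply-to-mismatch")  # replies are routed away from the sender
    if _lookalike(sender) or _lookalike(reply_to):
        indicators.append("lookalike-domain")   # impersonating the organization
    if any(term in text for term in LURE_TERMS):
        indicators.append("financial-lure")     # typical BEC pretext
    return {
        "sender_domain": sender,
        "reply_to_domain": reply_to,
        "urls": URL_RE.findall(body),           # candidates for blocking and hunting
        "indicators": indicators,
        "severity": "high" if indicators else "medium",
    }


# Constructed sample of the kind of BEC lure a finance persona attracts.
SAMPLE = """From: "CFO" <cfo@examp1e.com>
To: j.doe@example.com
Reply-To: cfo.office@mail.example
Subject: Urgent wire before the payroll cutoff

Jane, please process the attached invoice today: https://pay.example/invoice
"""
```

The returned record is what you would feed into a ticket or SIEM alert, and the sender domain and URLs are what you block and hunt for across real employees' mailboxes.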