Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.[1][2]
攻撃者は、攻撃中に使用するサービスのアカウントを作成し、育てることがあります。攻撃者は、作戦を進めるための人物を構築するためにアカウントを作成することができます。人物の作成は、公開情報、プレゼンス、経歴、適切な所属の作成から構成されます。このような作り込みは、その人物や ID を使用した作戦の過程で、正当性を参照および精査される可能性のあるソーシャル
メディア、ウェブサイト、またはその他の一般に入手可能な情報に適用されます。
For operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona
may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of
additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.[1][2]
ソーシャルエンジニアリングを取り入れた作戦では、オンライン上の人物を利用することが重要な場合があります。これらの人物像は、架空のものであっても、実在の人物になりすましたものであってもかまいません。ペルソナは、1つのサイトに存在することもあれば、複数のサイトにまたがることもあります(例:Facebook、LinkedIn、Twitter、Google、GitHub、Docker
Hub、など)。人物を作成するには、実在するように見せるための追加資料の作成が必要になる場合があります。これには、プロフィール情報の記入、ソーシャルネットワークの構築、写真の取り込みなどが含まれます[1][2]。
Establishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for Phishing for Information
or Phishing.[3]
アカウントの作成には、メールプロバイダのアカウントの作成も含まれ、これらは、フィッシング・フォー・インフォメーションやフィッシングに直接利用される可能性があります[3]。
([3]の7ページ目)
| ID | Name | Description |
|---|---|---|
| G0025 | APT17 |
APT17 has created and cultivated profile pages in Microsoft TechNet. To make profile pages appear more legitimate, APT17 has created biographical sections and posted in forum threads.[4] |
| G0117 | Fox Kitten |
Fox Kitten has created KeyBase accounts to communicate with ransomware victims.[5][6] |
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise |
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0029 | Network Traffic | Network Traffic Content |
Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
| DS0021 | Persona | Social Media |
Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization.Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing). |