A key component of threat intelligence is understanding the tactics of bad actors. And that often requires infiltrating their networks.
Persona tracking is a term used by intelligence officers to communicate with actors on various platforms, including the dark web. By crafting identities, threat hunters and other security experts can gain trust and eventually breadcrumbs tied to techniques and support defensive measures by target organizations.
Jon Neuhaus, managing director as managed intelligence company Nisos, told SC Media Senior Reporter Derek Johnson that this concept originally started as a research project but has since blossomed into a new method for threat hunting.
“Depending on the level of sophistication and the actual needs of the customer, we'll take personas and move them into specific areas where other actors are already engaging and communicating about a specific target set,” he said. To embed among Russian people interested in disrupting industrial control systems, for example, the persona would need to be able to communicate in Russian or at least pull off broken English in order to gain the trust of those involved, and also offer personal details as further validation.
Click here to attend the SC Media APT eSummit on demand.
"And then at the same time, [that persona] would take what they give and transition it over to the customer help them defend [their systems] from the attack itself, whether that's [through] writing signatures or just reverse engineering the malware," Neuhaus said. Or, "if you actually see someone actively planning an attack for your specific organization or the sector itself, you can kind of push out a sector wide alert. I know that's a huge thing in the energy community."