Building your own intelligence of the attackers going after your organization

Here’s a working idea.

Set up a set of fake personas supposedly working for your company. Do it with all the social indicators – Facebook, Twitter, LinkedIn profiles, e-mail addresses and active e-mail boxes, presentations containing their names and e-mails, comments – the whole thing.

Once ready, set up a set of physical boxes (so malware would not distinguish them as honeypots or virtual boxes) utilizing the corporate image used for all other computers – but do NOT connect them to the corporate network. Instead, connect them to a honeynet – where your honeypots will capture any additional malicious activity.

Note: don’t focus on VIP only. Attackers often target their personal assistants / team members – as such, you would benefit greatly if you create such accounts and such boxes, containing the appropriate fake documents, fake e-mails, etc.

Create a set of pages on your website accessible only in the case of an attacker profiling your organization – not linked from anywhere else but from the set of fake documents you have published for your fake personas. Carefully log all accesses to these web pages and act immediately on containing the treat from these adversaries – or to begin monitoring closely any related activity.

Make sure Google and other search engines are forbidden access to these pages based on user agent / other indicators – think about blocking crawling in robots.txt but keep in mind this measure is a double-edged sword – it makes it too easy to spot your fake pages and their purpose and you will have lots of fake positives if non-compliant search engine start crawling based on your robots.txt file.

On the fake boxes themselves, regularly open the arriving e-mails and their attachments in a controlled manner. Establish complex sandboxes and monitoring solutions to capture every kind of system and network activity. Have swift roll-back systems in place (system image restoration or freeze/unfreeze time-machine like solutions).

Have all attachments sent analyzed by a malware analyst / reverse engineer – or at least do basic static analysis if you don’t have the personnel.

NEVER! run any of the attachments / executables in Virustotal or other public sandboxes – if the attacker is half-advanced they will immediately spot that they’ve been detected – and will make your life much more difficult by changing / improving their behavior.

Documenting your findings

I highly recommend using tools such as Maltego (and / or CaseFile) and CherryTree – https://www.paterva.com/web6/products/download.php and http://www.giuspen.com/cherrytree/

These tools allow for the creation of structured information lists and it is tremendously helpful in visualizing links between elements and their meaning and preparing a final report based on your findings.