Abigail Paradise, Rami Puzis, Aviad Elyashar, Yuval Elovici, Asaf Shabtai
IEEE Transactions on Computational Social Systems (IEEE T-CSS), accepted (2017)
Reconnaissance is the initial and essential phase of a successful advanced persistent threat (APT). In many cases, attackers collect information from social media, such as professional social networks. This information is used to select members that can be exploited to penetrate the organization. Detecting such reconnaissance activity is extremely hard because it is performed outside the organization premises. In this paper, we propose a framework for management of social network honeypots to aid in detection of APTs at the reconnaissance phase. We discuss the challenges that such a framework faces, describe its main components, and present a case study based on the results of a field trial conducted with the cooperation of a large European organization. In the case study, we analyze the deployment process of the social network honeypots and their maintenance in real social networks. The honeypot profiles were successfully assimilated into the organizational social network and received suspicious friend requests and mail messages that revealed basic indications of a potential forthcoming attack. In addition, we explore the behavior of employees in professional social networks, and their resilience and vulnerability toward social network infiltration.
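The abstract notes that honeypot profiles received suspicious friend requests and messages that served as early indications of an attack. As an added illustration (not code from the paper or its authors), the following script shows one way a defender could turn such inbound contact into a scored indicator: since a honeypot profile has no legitimate reason to be contacted, any contact is a weak signal, and an external account that reaches several honeypots within a short window is treated as a stronger one. The event format, the account names in the sample log and the windowing rule are assumptions for this example, not details from the paper.

```python
"""Added example (not from the paper): correlate inbound contact to
social-network honeypot profiles to surface likely reconnaissance.

Assumptions (not stated in the abstract): the organisation keeps an
event log of friend requests and messages received by its honeypot
profiles, and an external account contacting several honeypots in a
short window is a stronger indicator than a single contact.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class HoneypotEvent:
    ts: datetime
    honeypot: str   # which honeypot profile received the contact
    sender: str     # external account that initiated the contact
    kind: str       # "friend_request" or "message"


# Constructed sample log with hypothetical account names (not real data).
SAMPLE_EVENTS = [
    HoneypotEvent(datetime(2017, 3, 1, 9, 0), "hp-finance-01", "acct-A", "friend_request"),
    HoneypotEvent(datetime(2017, 3, 1, 9, 5), "hp-it-02", "acct-A", "friend_request"),
    HoneypotEvent(datetime(2017, 3, 1, 9, 40), "hp-hr-03", "acct-A", "message"),
    HoneypotEvent(datetime(2017, 3, 2, 14, 0), "hp-finance-01", "acct-B", "friend_request"),
    HoneypotEvent(datetime(2017, 3, 9, 10, 0), "hp-it-02", "acct-B", "friend_request"),
]


def max_honeypots_in_window(events, window):
    """Largest number of distinct honeypots one sender contacted within
    any time span of length `window` (sliding window over sorted events)."""
    evs = sorted(events, key=lambda e: e.ts)
    best = 0
    for i, start in enumerate(evs):
        seen = {e.honeypot for e in evs[i:] if e.ts - start.ts <= window}
        best = max(best, len(seen))
    return best


def classify_senders(events, window=timedelta(days=1), min_honeypots=2):
    """Group honeypot contacts by external sender and assign a level.

    Every sender is at least "low" (a honeypot should receive no genuine
    contact); a sender reaching `min_honeypots` or more distinct honeypots
    inside one `window` is raised to "high", the pattern one would expect
    from someone enumerating an organisation's staff.
    """
    by_sender = defaultdict(list)
    for e in events:
        by_sender[e.sender].append(e)

    result = {}
    for sender, evs in by_sender.items():
        burst = max_honeypots_in_window(evs, window)
        result[sender] = {
            "honeypots": {e.honeypot for e in evs},
            "burst": burst,
            "level": "high" if burst >= min_honeypots else "low",
        }
    return result


if __name__ == "__main__":
    for sender, info in classify_senders(SAMPLE_EVENTS).items():
        print(sender, info["level"], sorted(info["honeypots"]), info["burst"])
```

In the constructed log, `acct-A` contacts three different honeypots within forty minutes and is rated high, while `acct-B` touches two honeypots a week apart and stays low under the one-day window; widening the window (for example to thirty days) would raise it, which is the knob an analyst would tune against the organisation's own false-positive experience.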