Abigail Paradise, Rami Puzis, Aviad Elyashar, Yuval Elovici, Asaf Shabtai
IEEE Transactions on Computational Social Systems (IEEE T-CSS), accepted (2017)
Reconnaissance is the initial and essential phase of a successful advanced persistent threat (APT). In many cases, attackers collect information from social media, such as professional social networks. This information is used to select members that can be exploited to penetrate the organization. Detecting such reconnaissance activity is extremely hard because it is performed outside the organization's premises. In this paper, we propose a framework for the management of social network honeypots to aid in the detection of APTs at the reconnaissance phase. We discuss the challenges that such a framework faces, describe its main components, and present a case study based on the results of a field trial conducted with the cooperation of a large European organization. In the case study, we analyze the deployment process of the social network honeypots and their maintenance in real social networks. The honeypot profiles were successfully assimilated into the organizational social network and received suspicious friend requests and mail messages that revealed basic indications of a potential forthcoming attack. In addition, we explore the behavior of employees in professional social networks, and their resilience and vulnerability toward social network infiltration.