Human Honeypots: I Make Friends (and So Should You)

I recently ran across a tweet by the very insightful Fernando Montenegro in which he makes an interesting point about a phenomenon we occasionally run into while examining social media profiles associated with a business:

In this case the profile in question ended up being associated with a real person, but I definitely agree with Fernando that social media is rife with businesses which build full or partial employee or customer profiles to promote their business. We’ve all read a customer review page for a product where the reviewer profile pictures looked just a bit too familiar. A quick reverse lookup often shows them to be stock art images, bringing the credibility of the review or even the product into question. Clearly, this type of embellishment runs from borderline unethical to outright illegal.

However, there is at least one very valid and important reason for security teams to generate fake employee profiles on web services and social media. In fact, this is such a low-effort, high reward defensive measure that I highly encourage my readers to have a discussion about it in their own organization as soon as possible.

At the most basic, a fake person is much easier to monitor for abnormal activity – or any activity at all – than a real one.

Most of my readers will be familiar with the concept of a honeypot. While this technology has changed greatly over the years, the principle stays the same. Some portion of a computer network is emulated inside a LAN or in a DMZ. It looks similar to the real environment, and a casual glance shows real, potentially vulnerable systems. In truth, the network contains no sensitive data and no access into the real operational environment. However, it can be carefully monitored for scanning, attempted exploitation, and tampering. Observations from the honeypot network can be used to routinely shore up defenses and improve threat intelligence in real life.

Honeypots are one of the few available tools which may potentially allow for detection and response at the “Reconnaissance” stage of the Kill Chain.

The problem is, hard DMZs are slowly becoming obsolete and going away. Today’s corporate networks are typically much fuzzier – large portions of them may be managed services or hosted in an external cloud. There isn’t a clear “out” and “in” in a set IP space. Adversaries have also focused more on social engineering and “living off the land”, and it has consequently become harder to monitor for the targeting of individual employees. It’s also become trickier to lure adversaries into a network-based honeypot.

We can still lure adversaries into a trap, though. Instead of merely providing a juicy technical target, we can create tempting social engineering, phishing, and credential stuffing “human” honeypots. For example: if an adversary’s tactic is to phish people in Sales using spoofed emails, they must first gather a list of target emails from some source – perhaps a corporate website or LinkedIn. While real-life salespeople have very dynamic interactions with email, people, and the internet, a fake salesperson’s behavior will (hypothetically) stay the same until an adversary targets them. So, a security team might choose to create a fake sales representative associated publicly with their company, and closely monitor that account and mailbox for suspicious inbound communications, account harvesting, or brute force attempts.

The sophistication of this fake profile will depend on the level of security monitoring available in your organization and the amount of time which can be dedicated to honeypots. Creating fake employees isn’t a particularly technical undertaking – but it can be a time-consuming one. A very basic human honeypot (or “honey person”) might just entail a LinkedIn profile and an associated corporate email box which forwards directly to a security mailbox. Placed in the right departments, this can be a great tool to detect Business Email Compromise attempts or targeted phishing. I recommend that a typical business create a fake finance and IT person. If your organization does development or design which may be a target of espionage or sabotage, add fake engineers as appropriate.

Creating a more sophisticated honey person might entail the following:

– A (reasonably complete) LinkedIn profile with at least 2 previous “positions” that is allowed to naturally age on the site for several weeks or months with basic posting / “human” activity.
– An associated, standard-convention mailbox which forwards silently to a security distribution list.
– Business card entries for the person on typical contact info / sales lead databases such as Hoovers.
– A basic corporate directory entry (if such information is made public).
– Additional social accounts and activity to further backstop the account and add credibility.
– An unprivileged / disabled Active Directory account for that user (with 24/7 monitoring for usage or alterations).

You may wish to refer to one of my older blogs: 101 Ways I Screwed Up Making a Fake Identity, to get a general feel for the problems that crop up while trying to make fake profiles passable.

Adding in a layer of Active Directory monitoring associated with the “user’s” account can improve detection for theft of your complete employee or account list, brute force attempts towards email or VPN, or attempts to abuse or escalate privileges. Once again, this will not be lost in the noise and variability of a real human user. It’s a very clear canary that something is going awry. However, keep in mind that this account could also potentially be abused by an adversary if not carefully monitored and restricted.
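The canary logic above is simple enough to sketch in code. The following is an added example (not from the original post): any Security-log event or inbound mail that names a honey identity becomes an alert, with repeated failed logons from one source rolled up into a brute-force alert. The account names, mailboxes and log records are constructed; the event IDs are the standard Windows Security log IDs.

```python
# Added example (not from the original post): triage of log events and inbound
# mail that touch honey-person identities. Account names, addresses and the
# log records are constructed; the event IDs are standard Windows Security IDs.
from collections import Counter

HONEY_ACCOUNTS = {"jdoe.finance", "asmith.it"}          # constructed fake employees
HONEY_MAILBOXES = {"jdoe@example.com", "asmith@example.com"}

# Meaning of Security-log event IDs for a disabled, unprivileged honey account.
EVENT_MEANING = {
    4624: ("CRITICAL", "successful logon to honey account"),
    4625: ("HIGH", "failed logon against honey account"),
    4722: ("CRITICAL", "honey account enabled"),
    4738: ("CRITICAL", "honey account attributes changed"),
}

def triage_events(events, failed_threshold=3):
    """Alert on every event naming a honey account.

    events: dicts with 'event_id', 'account', 'source'. Repeated 4625s from
    one source are rolled up into a single brute-force alert at the threshold.
    """
    alerts, failed = [], Counter()
    for ev in events:
        acct = ev.get("account", "").lower()
        if acct not in HONEY_ACCOUNTS:
            continue  # real users are noisy; honey users should be silent
        sev, desc = EVENT_MEANING.get(ev["event_id"], ("MEDIUM", "unexpected event"))
        if ev["event_id"] == 4625:
            failed[(acct, ev["source"])] += 1
            if failed[(acct, ev["source"])] == failed_threshold:
                alerts.append(("HIGH", acct, ev["source"], "possible brute force"))
            continue
        alerts.append((sev, acct, ev["source"], desc))
    return alerts

def triage_mail(messages):
    """Flag any inbound mail to a honey mailbox; no legitimate sender writes to it."""
    return [("MEDIUM", m["to"], m["from"], "inbound mail to honey mailbox")
            for m in messages if m["to"].lower() in HONEY_MAILBOXES]

# Constructed sample data: a brute-force run, a real user's logon, an account enable.
SAMPLE_EVENTS = [{"event_id": 4625, "account": "jdoe.finance", "source": "203.0.113.5"}] * 3 + [
    {"event_id": 4624, "account": "bob.real", "source": "10.0.0.8"},
    {"event_id": 4722, "account": "asmith.it", "source": "DC01"},
]
SAMPLE_MAIL = [{"to": "jdoe@example.com", "from": "ceo@examp1e.test"}]
if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS) + triage_mail(SAMPLE_MAIL):
        print(*alert)
```

The real user's logon produces nothing, while the three failures against the honey account and the account enable each surface as a single alert.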

Human honeypots or “Honey People” are a tremendously valuable element to defense-in-depth which allow for detection of adversary activity from the top to the bottom of the Kill Chain. These “employees” can be created with pretty minimal effort (although convincing ones require similar time and effort to generate). Once in place, their inbound messages, attempted logins, and successful usage on systems can all be set to trigger monitoring alarms and allow for an early warning of malicious activity against real users. Never use these accounts to inflate employee count, capability, or satisfaction. Always consult with your leadership and policy teams first, to ensure you have permission to create fake public personas or accounts.