Creation and Management of Social Network Honeypots for Detecting Targeted Cyber Attacks

Reconnaissance is the initial and essential phase of a successful advanced persistent threat (APT). In many cases, attackers collect information from social media, such as professional social networks. This information is used to select members who can be exploited to penetrate the organization. Detecting such reconnaissance activity is extremely hard because it is performed outside the organization's premises. In this paper, we propose a framework for management of social network honeypots to aid in detection of APTs at the reconnaissance phase. We discuss the challenges that such a framework faces, describe its main components, and present a case study based on the results of a field trial conducted with the cooperation of a large European organization. In the case study, we analyze the deployment process of the social network honeypots and their maintenance in real social networks. The honeypot profiles were successfully assimilated into the organizational social network and received suspicious friend requests and mail messages that revealed basic indications of a potential forthcoming attack. In addition, we explore the behavior of employees in professional social networks, and their resilience and vulnerability toward social network infiltration.
