- 1 Social Media Persona Development
- 2 Persona Development and Management for the Purpose of Real World Social Media Training
- 3 Relevant Emails
Social Media Persona Development
On October 15th, 2010, Aaron Barr emailed Robert Frisbie about considering Palantir for help "..on some of the integration for link analysis and data correlation. We will likely be able to get into some of the persona management logic.." Barr then attached a PDF titled "Social Media Persona Development".
This is the full text of the above email:
I have shuffled some of the items around into two phases and took into consideration that Palantir is going to help with some of the integration for link analysis and data correlation. We will likely be able to get into some of the persona management logic but didn't want to overshoot.
Below is the full text of the PDF attached to the above email:
Social Media Data Collection and Persona Development
There is an immense amount of data in the social media space that can be collected and analyzed for valuable information that can aid cyber operations. Much of the information that can be gleaned is not at first obvious but materializes through link analysis and data correlation across social media platforms. To do this work today is a very manual process, but much of it can be automated. Once the capability is built you could point the collection at any target, the output of which would be a detailed target profile with link diagrams showing the social connections between entities. You can take this data and develop social media platform capabilities (persona's landing pages) that fit within the target profiles. A developed capability to manage these profiles and keep them fresh would be the last stage of development.
The first phase of our effort will be to develop the social media data collectors and analysis tools. For the purposes of initial development we will focus on the following platforms:
7. Google Buzz
The research and development of this phase will take the following path:
1. Determine what social media data to collect from the different platforms (profession, location, posts, education, subscriptions).
2. Develop a database schema to store collected data.
3. Develop the collectors using the social media APIs. For those sites that don't have robust APIs to allow for easy collection we will develop scrapers.
4. Develop the analytics for data correlation and link analysis. Determine what is statistically normal for a given persona type by profession, demographics, etc. Also to determine what is trending conversationally by topic.
During the second phase we will build the persona management capability. The methods for managing a set of personas for future use on Social Media platforms are simple. Most of the social media platforms do not necessarily front the name of an individual; oftentimes the accounts are handles for users, and often the names represent the focus of the page or individual, such as "socialmediaguru". The only two platforms that are an exception are Facebook and LinkedIn, which typically run off of real names. Oftentimes you might want to mature a set of platforms but you are not completely clear how those platforms will be used in the future.
To accomplish our goals we will separate the platforms on these lines. To build this capability we will create a set of personas on Twitter, blogs, forums, buzz, and myspace under created names that fit the profile (satellitejockey, hack3rman, etc.). These accounts are maintained and updated automatically through RSS feeds, retweets, and linking together social media commenting between platforms. With a pool of these accounts to choose from, once you have a real name persona you create a Facebook and LinkedIn account using the given name, lock those accounts down and link these accounts to a selected # of previously created social media accounts, automatically pre-aging the real accounts.
There are some manual steps in this process: creating the actual accounts. Most social media platforms now require a human to actually create the account; this is verified through CAPTCHA images.
Development Time: 2 people for 4 months
Rough Cost: $100,000
Deliverables: Prototype of the data collectors and target profiles, documentation.
Persona Development and Management for the Purpose of Real World Social Media Training
November 14, 2010
HBGary Federal, LLC
3604 Fair Oaks Blvd., Suite 250
Sacramento, CA 95864
Phone: 301.652.8885
Attn: Aaron Barr CEO
[email protected]
Social Media is revolutionizing how we interact with information and services on the web. In conjunction with mobile technologies, social media promises a host of services to enhance the efficiency and connectivity of our daily lives by providing relevant information to us as we live based on disclosed personally identifiable information. Whether it is recommendations for somewhere to eat, an event happening nearby, or meeting someone new, the possibilities are ever more expansive. No longer are we just content consumers but also content producers in a never ending dialogue through media. But these conveniences come at a cost: the cost of creating vulnerabilities by divulging too much information that is publicly accessible. The risk is even greater when looking at individuals' PII across multiple social media platforms, and even greater still for organizations whose members' or employees' information can be aggregated to divulge potentially sensitive information about the organization. The pace and variety of social media services are only going to grow, so it is imperative that organizations develop a clear understanding of the potential vulnerabilities and effective uses of social media.
Graph shown here: http://imageshack.us/photo/my-images/849/landscapej.png/
Figure: Social Media Landscape
Looking to the future, mobile access to information and services will dominate. Technologies such as location based services, object, facial, and voice recognition will provide more natural interaction with devices and surroundings. Location based services alone will drastically change how we interface with the web as we move from a browser dominated space to one more focused on points on a map. Mobile devices combined with social, local, and virtual or immersive services will allow us to interact with our environment in new and exciting ways, such as those experiments in the new field of augmented reality. Imagine being notified that you are near a store that is selling something on sale that a friend has on a wish list, or being notified that an event that fits your interests is scheduled for next week and two friends are planning to attend. To enable these services will require more intimate personal details about our specific preferences, associations, and location. And in the end we will provide this information in ever more increasing quantities as the industry figures out better ways to provide personal benefits for providing this information. Companies developing these services are typical commercial companies that are putting significant effort into developing capabilities and little effort into security or focusing on potential vulnerabilities. We cannot rely on Facebook to be concerned with how its information can be used in conjunction with information on LinkedIn to develop targeting profiles on companies and their employees. We must take it upon ourselves to understand the effective uses of social media and the vulnerabilities it creates for our organizations.
Put simply, there is too much PII for us to manage, and the trend is moving quickly towards much more PII disclosure across services. The issues related to individual services' handling of PII are important, but more important is an issue that is often not well understood, namely the far greater risks of information exposure across social media services. Our digital lives are a conglomeration of preferences, actions, and social connections. If those preferences, actions, and social connections are collected and analyzed, what do they reveal about us? The equivalent in physical space is having a private investigator following an individual, recording conversations, taking pictures, and making notes. For organizations, now picture hundreds of investigators following and collecting on all employees. What could be discovered? Within the social media space this can be done by relatively few individuals with the right knowledge and methodologies on how to exploit social media.
Social link analysis alone can divulge significant pieces of information about individuals, but it is especially risky for organizations when analyzing the social connections of many people who belong to a specific group. For example, multiple people that work at a law firm end up developing publicly accessible social connections with members of a client company. That relationship might be sensitive, but if someone were to analyze the social links of multiple members of the law firm they would be able to discern a pattern of connection. As another example, there might be someone working on a classified or sensitive government project. That person's associations developed over time with coworkers across different social media platforms could reveal information about that individual's profession and employer.
Figure: Social Connection Link Analysis
People are now becoming more and more comfortable with divulging personally identifiable information on multiple social media platforms. Over time this information becomes impossible to manage. Collectively across social media platforms this information can provide adversaries with a significant amount of material for targeting, information reconnaissance, and exploitation. If, for example, an individual reveals his/her professional background on LinkedIn, tweets about specific topics of interest, manages personal social connections and reveals bits of personal information across Facebook, and maybe even checks in at favorite locations using foursquare, this is all an adversary would need to both associate you with a target of interest and have multiple avenues to enter the target's social circle, and develop highly personalized spear phishing attacks. It is truly this information in aggregation that makes us so vulnerable.
Figure: Information Exposure from Disclosure of PII
Let's take an example of targeting a Nuclear power plant facility through its employees. For illustration purposes let's choose a single U.S. Energy company, Exelon, the largest nuclear operation in the United States controlling 10 nuclear power generating stations. There are 17 identified nuclear engineers with LinkedIn profiles that are currently employed with Exelon. Let's choose a specific plant; again in LinkedIn there are 289 employees of Exelon in Braidwood, Ill, the location of two of Exelon’s largest generation facilities. The names in LinkedIn can be recorded for further investigation. Those names can be cross-referenced across Facebook, twitter, MySpace, and other social media services to collect information on each individual. Once enough information is collected this information can be used to gain access to these individuals' social circles.
Research shows there are four reasons people accept friend requests on Facebook:
- They know the person.
- They could know the person and they have mutual friends.
- They have similar interests and background.
- They sent a request and all requests are accepted.
Even the most restrictive and security conscious of persons can be exploited. Through the targeting and information reconnaissance phase, a person’s hometown and high school will be revealed. An adversary can create a classmates.com account at the same high school and year and find out people you went to high school with that do not have Facebook accounts, then create the account and send a friend request. Under the mutual friend decision, which is where most people can be exploited, an adversary can look at a target’s friend list if it is exposed and find a target’s most socially promiscuous friends, the ones that have over 300-500 friends, and friend them to develop mutual friends before sending a friend request to the target. To that end friends’ accounts can be compromised and used to post malicious material to a target’s wall. When choosing to participate in social media an individual is only as protected as his/her weakest friend.
Once an adversary has gotten inside a target's social circle he/she can post links, videos, and other media content that will be posted to the target's wall that contain malicious links to exploit whatever system the target is on. If the target is accessing Facebook from work then the work system is compromised. Another attack vector: conduct background checks on the target, enumerate the target's family and run the same process on them. Likelihood is family members are on the same system or network at home as the target, so exploitation of the target's system happens through family members.
Social Media Penetration Testing and Real World Training
Given the vulnerabilities social media presents and the difficulty organizations have in providing protections, it is essential to have robust, real-world social media penetration testing and real-world scenario training. For large organizations this will be an ongoing effort that requires dedicated resources to conduct planning, targeting, information reconnaissance, persona development and management. To stand up such a capability from scratch will likely require 2-3 people to start, focused on planning and capability development. Once a solid foundation is built with effective methods and capabilities the team can grow to meet the needs of a scaled operation.
A robust capability will have four different levels of persona development and management as well as the ability to generate creative content and landing pages for the purposes of simulating real-world experiences. Such a capability will also require significant planning and management of personas and created content to ensure proper metrics can be collected and personas and other digital artifacts associated with personas are not cross-contaminated between exercises.
Persona and Content Development
The scenario and associated mission objectives will dictate the type and number of personas that need to be developed per exercise. Generally speaking we are talking about four types of personas that increase in complexity. The mission objectives and persona characteristics will be provided by the customer for each exercise with development and maintenance support provided by HBGary Federal.
Level 0 Character: Used mostly for quick and temporal communication. No persona description required. These characters have specific user accounts or email addresses that are used for quick communications or to satisfy very specific mission requirements that do not require any more in-depth use. The customer will generate all of the information required to establish these accounts. HBGary Federal will provide the persona management system so the customer can easily deconflict new accounts with historical accounts.
Level 1 Character: These accounts have slightly more depth with created generic names that generate significant hits when the name is queried on search engines and other social media platforms. These accounts are meant to provide slightly more depth for use in establishing contact with individuals and at a glance appearing to be real. Any accounts established for this type of a character would have the most strict privacy settings so as to hide the lack of detail associated with these accounts. As an example, an established level 1 persona might have an associated gmail address with a Facebook, twitter, and/or linkedin account. All of the associated social media accounts would be set to the highest privacy settings so no details would be visible other than that an account exists and may or may not be associated with a specific email address. The customer will generate all of the information required to establish these accounts. HBGary Federal will provide the persona management system so the customer can easily deconflict new accounts with historical accounts.
Level 2 Character: Level 2 characters are similar to level 1 characters except they provide slightly more detail on the persona's background and may require some paid services to set up creative content pages for more in-depth exercise engagements. This requires more upfront character development so as to make a persona that will be viewed as plausible throughout the engagement. With the surge in social media services the majority of capabilities generated to fit the persona will be free, so the focus will be on the details of the persona, and because more of the persona's background will be visible and more depth required, most of the effort for these characters will be ensuring the persona appears real and active to the audience. This means automated content generation mixed with human generated content related to the persona at a frequency that would be consistent with the persona's background. To pull this character off requires a good understanding of the audience and subject matter. HBGary Federal has devised a set of techniques that can make personas appear real, such as manipulating GPS coordinates and using location based services to checkin to specific locations, or using twitter hashtags and specific tweets to make it appear as if a persona is attending a specific conference. HBGary Federal will do the research and develop realistic personas to meet the customer’s exercise requirements. HBGary Federal will also provide the persona management system so the customer can easily deconflict new accounts with historical accounts.
Level 3 Character: The most detailed character. These personas are required to conduct human-to-human direct contact, likely in-person, to satisfy some more advanced exercise requirements. This character must look, smell, and feel 100% real at the most detailed level. This character will need to be associated with a real company, hold a real position with that company and have all the technical and business artifacts associated with the position and organization. The trick here is while the persona needs to be real, the actual person may not be working in this role 100% of the time. In these cases there are still tricks that can be used to more rapidly age or update accounts. One such trick is to build outward facing accounts such as twitter, YouTube, or blogs with generic names, for example setting up a twitter account s0c1alman. Using some of our micro-blogging techniques for auto-generating content we can manage many of these types of accounts automatically and age them. Then when a real persona is created for a particular exercise we can associate a twitter, YouTube, and blog account that has been aging and link it to a LinkedIn and Facebook profile that was just created. This gives the perception that this person has been around in this space for a while. HBGary Federal also has experience in developing LLCs, phone services, websites, etc. to establish the corporate bona fides. There are also other tricks we can use to build friends lists quickly so as to give the perception the persona is social or professionally active.
HBGary Federal personnel have developed custom persona management capabilities for other organizations and therefore can quickly customize an effective persona management capability for this mission. Persona management entails not just the deconfliction of persona artifacts such as names, email addresses, landing pages, and associated content. It also requires providing the human actors technology that takes the decision process out of the loop when using a specific persona. For this purpose we custom developed either virtual machines or thumb drives for each persona. This allowed the human actor to open a virtual machine or thumb drive with an associated persona and have all the appropriate email accounts, associations, web pages, social media accounts, etc. pre-established and configured with visual cues to remind the actor which persona he/she is using so as not to accidentally cross-contaminate personas during use. This also requires pre-establishing routes of communication to ensure the persona is consistent every time. So all IP addresses, routes, etc. are consistent each time the persona is used so as to maintain authenticity. We have an established capability for using existing IP infrastructures as well as establishing points of presence to maintain this consistency.
It is also important the persona, even though not real, appears real, in that there is a consistency to the use of the account. This will require active use of social media sites, creating content, dialogue exchange, even while the persona is not actively in use. This can be done through effective use of RSS Feeds, web scrapers with some custom development to manage the details for specific accounts. So a particular persona might be a social media strategist. Using the assigned social media accounts we can automate the posting of content that is relevant to the persona. In this case there are specific social media strategy website RSS feeds we can subscribe to and then repost content on twitter with the appropriate hashtags. In fact using hashtags and gaming some location based check-in services we can make it appear as if a persona was actually at a conference and introduce himself/herself to key individuals as part of the exercise, as one example. There are a variety of social media tricks we can use to add a level of realness to all fictitious personas.
HBGary Federal personnel have extensive experience in building social media and web content. In many ways we have been market leaders in developing new capabilities in social media to help specific organizations achieve their mission objectives. Aaron Barr, CEO of HBGary Federal, regularly speaks at conferences on social media vulnerabilities, and as a business capability HBGary Federal provides social penetration tests to customers as well as interactive, real-time social media exploitation demonstrations and training.
Relevant Emails
[email protected] to aaron, 11/7/10
I was given your name and contact information by my Chief, Pete H. We are considering a commercial contract to develop and maintain online role playing characters for use in our scenario exercises. Your company has come to our attention and we would like to understand your capabilities regarding fulfilling the generic requirements as outlined in the attached document. A whitepaper addressing your company's capability to meet these requirements would be the ideal evaluation vehicle but due to the nature of this correspondence, there may be many questions you would like to have answered first. Please feel free to contact me at the number listed below, M-F, 0930 - 1500 hours and I will be glad to discuss the more pertinent details of this project.
Thank you, Jeff Miller 703 374-5594
Aaron Barr to jsmiller62, 11/8/10
Thank you for your inquiry. I would definitely like to discuss your requirements and our capabilities over the phone or in person if possible. Please let me know a good time to call.
Sent from my iPad
On Nov 7, 2010, at 10:04 PM, "[email protected]"
Aaron Barr to jsmiller62, 11/10/10
I enjoyed our conversation today. This area is an area of focus for HBGary Federal so I am excited about the opportunity to submit a whitepaper on some of the capabilities we can provide your organization.
I sat down this afternoon and started writing and it all just started to flow. If you wouldn't mind, please take a look at the following draft and let me know if I am on the right track and which areas you would like covered in more detail. Hopefully the flow makes sense; I spent a bit of time in the front of the document setting the context, the need for social media real-world exercises that require persona development and management.
As I mentioned we have extensive experience in this area on many different sides.
Aaron Barr to jsmiller62, 11/16/10
Just touching base to see if what I sent was off the mark and I need to refocus, or if there is information that you would like to see that is not there. Based on my background and this opportunity I tried to craft a document that was consistent with the medium in which it was being transmitted but also discussed with some detail our capabilities to meet your requirements.
Based on my experience in the field, I feel confident that our developed capabilities and methodologies over the years are unique in total.
[email protected] to aaron, 11/21/10
Sorry for the delay ... our new Chief started this past Monday and I have not had an opportunity to review your paper. I am planning on taking a look over the break this week. I appreciate your patience and I'll be back in touch soon.
Thanks! Jeff
Aaron Barr to jsmiller62, 11/21/10
Great thanks. Have a great holiday.
Aaron Barr to jsmiller62, 12/1/10
Just checking in to see if you had a chance to review and get your initial feedback. I put this together pretty quick because I wanted to get something in front of you to look at. There are lots of pieces to think about that many people might not be thinking about, so I wanted to focus on those as discriminators. We also have a significant set of relationships in the commercial space for IT infrastructure, service deployments, etc. We have strong relationships with Google, Apple, Akamai, Zynga, etc.