T1656: Impersonation

View on MITRE ATT&CK	T1656
Tactic(s)	Defense Evasion

Data from MITRE ATT&CK®:

Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via Phishing for Information, Phishing, or Internal Spearphishing) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.

In many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables Financial Theft.

Adversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text such as payment, request, or urgent to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary’s goal.  

Impersonation is typically preceded by reconnaissance techniques such as Gather Victim Identity Information and Gather Victim Org Information as well as acquiring infrastructure such as email domains (i.e. Domains) to substantiate their false identity.(Citation: CrowdStrike-BEC)

There is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may Compromise Accounts targeting one organization which can then be used to support impersonation against other entities.(Citation: VEC)

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

Reporting on this Technique

Report

Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks

This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...

View Source

Mitigations for this technique

MITRE ATT&CK Mitigations

Threat Intelligence Program

A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.

User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

How to detect this technique

MITRE ATT&CK Data Components

Application Log Content (Application Log)

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)