Know the opponent's cyber tactics

(To Orazio Danilo Russo)
24/05/21

Any cyber security and cyber protection activity is based on the determination of a border to guard (the security perimeter) and on the estimate of the possibility of suffering damage connected to more or less foreseeable circumstances (the risk assessment).

The risk must be assessed taking into due consideration the threat and vulnerabilities that it can exploit, the surrounding predisposing conditions, the probability of implementation and success of the harmful conduct and, finally, the extent of the losses that can be caused.

Let us stop here to consider only the first element - the threat - and try to establish some fixed points that will help us to face a difficult, but not impossible, method of studying our adversary. Yes, because battles, more than with weapons, are won thanks to the knowledge of the opponent: of his "DENA", acronym traditionally known in military Schools for Dislocation, Entity, Nature and Attitude of the enemy; and in particular of its TTPs, that is, of its Tactics, Techniques and Operating Procedures.

However shrewd and gifted, our opponent will still have to follow a common thread if he is to be successful. And logic and experience allow us to conceptualize a "path of damage" or if you want a "threat life cycle" that must be kept in mind if you want to do effective and focused risk analysis and security investments.

Typically this cycle starts from one preparatory phase, where the opponent monitors the victim's networks, information systems and IT services from the outside with reconnaissance activities: for example with active tools scanning or Host information gathering, looking for vulnerabilities or detailed data on the configurations of perimeter systems or on the procedures for physical access to data centers and desktops. In this phase, moreover, the opponent acquires the resources necessary to conduct the attack, such as the creation of botnet to launch actions of Denial of service or the rental of Virtual Private Server to ensure anonymity.

After this preparatory phase, similar to the offensive tactical operations in land maneuvers, there is the penetration of the defense wall, typically in the most vulnerable point where, with different techniques such as the theft of personal credentials or the installation of malware on pendrive given to internal staff of the organization, the opponent ensures a "bridgehead" that allows him to install malicious codes within the security perimeter.

This is followed by theExecution malicious codes with which the opponent launches the attack and / or guarantees the undercover control (and the anonymity can last months or years as a sleeper cell) of part of the system, network or service to implement further preparations and intelligence strategies and compromise.

At this stage the opponent can conduct tactics of persistence, aimed precisely at maintaining the access gate, the "bridgehead" within the security perimeter despite cut-off such as restarting or changing credentials; of privilege escalation, with which it tries to guarantee higher level access privileges, such as those greedy for system administration; of defense evasion, with which it tries to disguise itself in the monitoring and detection activities of the security system; of credential access, aimed at stealing login credentials; of discovery, with which he observes - this time from the inside - the environment, orienting his attack strategies better or revising his objectives; of lateral movement with which it expands, acquiring control of contiguous network segments or partitions of controlled access servers or remote information systems; of collection with which he identifies, analyzes and collects the information he wants to steal; of C2 with which it establishes ghost communication channels to guarantee command and control of the compromised system from the outside; and finally tactics of exfiltration or impact depending on whether the objective of the attack is to steal information or to disrupt the system's operation; or both, as in the case of the infamous ransomware more advanced that extract a copy of the data to threaten its publication on the darkweb, at the same time encrypting and making part or all of the memory that contains them unavailable.

For each of these tactics, there are subtle and advanced hacking techniques and procedures, as well as algorithms of penetration, exfiltration and impact specially developed by cyber criminals.

Fortunately, however, these tactics are known to the world of intelligence and cybersecurity which in turn has developed countermeasure strategies in terms of protection, monitoring, detection, mitigation and response. We will talk about this in a future article.

To learn more:

Online Defense: "What is the cyber kill chain?"

https://doi.org/10.6028/NIST.SP.800-30r1

https://www.dni.gov/index.php/cyber-threat-framework

https://attack.mitre.org/