Computer Network Exploitation is the modern version of espionage, the stealing of information.
The contents of this gist (except the team organisation table) are my notes from Matthew Monte's excellent book called Network Attacks and Exploitation.
An operation is conducted using a variety of roles. Realistically, team members simultaneously play multiple roles.
| Scope | Role | Description |
|---|---|---|
| Operation | Operator | Responsible for the offensive life cycle: initial access and post-exploitation. |
| Operation | Analyst | SME in the target's field that expands and leverages target-specific knowledge to provide direction to operators and meet operational objectives. E.g. trawling through collected data, diagramming the network, identifying users and paths to assets, etc. |
| Operation | Developer | Develops robust, bespoke solutions (e.g. exploits, scripts) and adapts existing ones. |
| Operation | SysAdmin | Manages operational infrastructure and security; groupthink buster. |
| Operation | QA Tester | Malware analyst with defensive background to assess the program and operational security of the operation. |
| Global | Researcher | Develops capabilities (e.g. zero-days), methodologies, and researches exploitable gaps in defensive security solutions that are applicable to multiple operations. |
| Global | SysAdmin | Maintains global infrastructure. |
Shown below is an organizational chart designed for "ideal" program security. The attack team would leverage unique vulnerabilities, tools, infrastructure, and methods against each target. There would be no overlap whatsoever. Even the people involved during the attack would be different so as not to have similarities in style.
| Principle | Description |
|---|---|
| Humanity | CNE is grounded in human nature. Technology is designed, built, and used by humans. |
| Access | There is always someone with legitimate access to data and a means to use it. |
| Economy | There is a priority, cost, and benefit to every action and outcome. |
| Knowledge | Broad and deep understanding of technology, people, and organizations. |
| Innovation | Creating or adapting technology and methodology to new circumstances. |
| Awareness | Mapping the operational domain; detecting and monitoring events. |
| Precaution | Minimizing the impact of unwitting actions on an operation. |
| Operational Security | Minimizing exposure, detection, and reaction to an operation. |
| Program Security | Containing damage caused by the compromise of an operation. |
- The broad and deep understanding of:
- technical characteristics of computers and computer networks,
- psychological characteristics of people,
- behavioural and social characteristics of organizations.
- Improves operational efficiency and effectiveness.
- Technical knowledge is often the only answer to technical constraints.
- Psychological knowledge enables the prediction of defender actions.
- Business and social knowledge can determine the points of access.
- Best decisions are made by those that have a balance of knowledge of the three characteristics.
- Innovation is creativity brought to scale through sound engineering.
- Given new circumstances, it is the ability to:
- create new technology and leverage existing technologies in new ways,
- develop and adapt operational methods
- It is required for finding new ways to hide, survey, or move throughout a network.
- Innovation can improve efficiencies and decrease frictions.
- Complex, repetitive, or time-consuming operational tasks can be automated.
- Carefully mapping the operational domain.
- Actively detecting and monitoring events in near real time.
- Awareness is gleaned from the target environment and is target specific:
- which systems are most heavily scrutinized,
- which users have the most technical issues,
- which monitoring and GRC platforms are used,
- when and where updates and upgrades are coming.
- Awareness can tell the likelihood and consequences of being caught.
- Awareness leads to more effective deployment of tactics.
- Awareness buys time to put in redundancy and time to collect data.
- The operational risk of awareness must be balanced with the precaution principle.
- Sometimes attackers could be monitoring the network better than the defender.
- Minimizing the impact of unwitting actions on an operation.
- Unwitting actions can get attackers caught and also impede operations.
- Almost all of a target's actions are taken without knowledge of the attacker's presence.
- Small-scale changes to the target's network may be catastrophic to the attacker.
- Anomalies can occur beyond what an attacker can predict through knowledge and awareness.
- Precaution protects against hard-to-predict events that cause catastrophic consequences.
- Two overriding themes for precaution are redundancy and diversity:
- Sustaining access through unwitting changes can be done by having redundant points of access.
- The redundancy must have independent modes of failure. Access methods must be diverse.
- Implementing diversity helps prevent any one change from causing full operational failure.
- Persisting through complete cleaning and reformatting is a good way to exercise precaution.
- During access expansion, new passwords can be consistently captured to prepare for changes.
- Too much redundancy creates a larger footprint to be noticed.
- Rules of thumb:
- Redundancy:
access points per network segment = logn(number of devices). - Diversity:
1 or 2 methods / platform.
- Redundancy:
- Minimizing defender exposure, recognition, and reaction to the existence of an operation.
- This requires limiting the deployment of technologies and methods while avoiding operational success.
- Stealth minimizes the defender's opportunity to observe artefacts of the operation.
- Entails operating where people are not looking or where automated detection is lacking.
- Ensure that observable artefacts and actions are kept within an expected pattern.
- Reduce recognition by spacing odd actions in space/time to fly below the threshold of perceived cause.
- In the event of defender exposure, attackers may:
- stage a high profile attack to draw attention and resources away (e.g. DoS, mass account lockout),
- allow deliberate detection of an inconsequential tool to lull defenders into a false sense of security.
- Most operationally secure footprint is small, but most precautionary footprint is large.
- Only the necessary amount of technical and operational tradecraft for an operation should be leveraged.
- Containing damage caused by the compromise of an operation.
- Using a capability is just another way of saying potentially exposing a capability.
- Use the least sophisticated TTPs when possible.
- Avoid failures in one operation impacting another.
- Attackers can have a lot to lose (liabilities) which fall into these categories:
- Identity: information about who the attacker is.
- Target pollution: information that can identify other attacker operations.
- Attack infrastructure: information about the attacker's transit points, or drop points.
- Technical vulnerabilities: information leveraged to gain initial access or expand access.
- Operational methodologies: information about techniques to avoid detection, expand, and more.
- Use a hybrid strategy for best results:
- Leverage low-cost techniques and methods for day-to-day operations.
- Leave in place high-cost-to-replace and high-cost-to-detect methods as a contingency.
- Diversity: Leveraging various tools, development methods, network signatures, infrastructure, and operational methods.
- Stealth: Leveraging tools, technologies, and methods that are hidden from view, or if in view, unlikely to attract attention.
- Can be more accurately measured by taking target awareness into account than understanding generic gaps in defensive solutions.
- Redundancy: Reasonable fail-safes, backups, and contingency plans for foreseeable setbacks and obstacles.