xorl %eax, %eax

Guide on Offensive Operations for Companies


I’ve been thinking of writing this post for some time, and I finally decided to do it. Everything I wrote here heavily depends on what you are legally allowed to do, which in turn depends on the country of your legal entity/company, regional laws and regulations, international laws affecting you, as well as the business itself (for instance, a cyber-security firm would have far more freedom than a retail business). This is why, if you decide to move into offensive operations against your adversaries, you MUST first check your objectives with your legal advisor and get their sign-off.

That being said, there are many levels between doing nothing and hacking back an adversary. Some of them are pretty common, others are only employed by nation-state actors. To simplify the structure, I created a diagram that puts them into a rough framework to help you decide which offensive operations you are legally allowed and technically capable of performing. Feel free to use this as a starting guide if you aren’t sure where to start, but do not limit yourself to what’s mentioned there; develop it further based on your needs and capabilities. Under the diagram you’ll find a brief explanation of what each name means.

Starting from low complexity and low business risk and moving upwards, we have:

  • Local Deception Operations: All the cyber deception that can be implemented internally in a company’s environment such as honeytokens, honeypots, honey networks, canary tokens, deception/fake networks, etc. in order to lure the adversary into a highly controlled environment and monitor their activities, and/or to quickly detect and deny/disrupt their operation.
    • Offensive action: Tricking the adversary into actions that will give you the detection and response tactical advantage.
    • Complexity: Low/medium
    • Business risk: Minor (due to keeping all those deception operations confidential which could result in a negative impact/perception by employees, as well as complex processes within the security team(s))
  • Infrastructure Takedowns: That is reporting malicious infrastructure and requesting its takedown, either through service providers or directly via the hosting companies. This includes things like requesting takedowns of phishing domains, malware hosting servers, email accounts, etc.
    • Offensive action: Depending on the takedown this could be a degradation, denial, disruption, or destruction operation against an adversary’s infrastructure, imposing a cost on them to re-establish it.
    • Complexity: Low/medium
    • Business risk: Medium. The process needs to be well defined to avoid issues such as requesting takedowns of legitimate infrastructure, legal disputes with the affected companies, leaking sensitive information in the takedown requests, etc.
  • Indirect Public Disclosure: Several threat intelligence vendors and national CERTs allow for anonymized reporting/public disclosure of intelligence reports. This capability allows a company to publicly disclose details that would otherwise have the risks of the “Public Disclosure” operations mentioned later.
    • Offensive action: Forcing the adversaries to change their TTPs (thus inducing cost and delays to their operations), making it globally known what the adversary does and how, which could enable nation-state actors or other companies to use this public material as supportive evidence in more aggressive offensive actions.
    • Complexity: Low
    • Business risk: Minor when the anonymization is done carefully.
  • Active Darkweb Monitoring: By that term I mean any sort of operation to obtain access to and monitor your adversaries’ communication channels (e.g. Telegram groups, darkweb forums, etc.) in order to learn as early as possible of any offensive actions targeting your business and take appropriate measures. For most companies this is typically implemented via threat intelligence vendor(s).
    • Offensive action: Infiltrating the adversaries’ communication platforms and collecting intelligence on their activities.
    • Complexity: Low/medium
    • Business risk: Minor when done via a vendor. Medium when developed in-house as it requires high discipline, processes, OPSEC measures, legal and privacy sign-offs, etc.
  • Collaboration with Authorities: That is proactively reaching out to law enforcement and/or intelligence agencies related to cyber operations to help them in an operation against a specific adversary. For instance, providing them with evidence, information only your company has, etc.
    • Offensive action: Potential for nation-state action against your adversary(-ies) such as prosecution, diplomatic/external actions, sanctions, covert actions, etc.
    • Complexity: Medium
    • Business risk: This carries a noticeable risk of the business being affiliated with a specific government and/or political party, being accidentally drawn into unrelated government issues, becoming an “agent” of the authorities you worked with, being seen as a nation-state proxy by other countries/governments, etc.
  • Legal Actions: This involves any sort of legal action your company might take against an adversary, such as cease and desist letters, seizure of malicious infrastructure, criminal complaints against specific adversaries, sanctions, etc.
    • Offensive action: Active and overt approaches to disrupt and destroy adversarial activities through legal means.
    • Complexity: Medium/high
    • Business risk: Medium/high. This will require experienced investigators, digital forensics experts with practical legal/prosecution experience, processes for building a criminal case and managing the evidence, experienced legal resources, appetite for public exposure, and of course, acceptance that now your adversaries know what you know, and there is always a chance that you might lose the case when it gets to the court.
  • Public Disclosure: This is a foreign policy tool of many nation-state actors which can also be used by private companies. By making it known to the entire world who targeted you, especially when it is a nation-state actor, you give ammunition to any other nation-state to use this information against your adversaries, without your direct involvement.
    • Offensive action: Revealing an operation that was intended to be covert, causing the adversaries to change their tactics, and giving their own adversaries the opportunity to use the disclosed material against them.
    • Complexity: Medium/high
    • Business risk: Medium/high. This disclosure might bring a lot of negative press, and will also reveal what you know. This means that those adversaries are likely to use more advanced techniques the next time they’ll go after your company. Furthermore, nation-states might request your support in legal actions. For a less risky approach, check the “Indirect Public Disclosure” operations.
  • Remote Passive SIGINT (Signals Intelligence): This means obtaining signals (typically raw network traffic or raw communications) by third parties such as data brokers or threat intelligence vendors, which can help you proactively discover adversarial activities.
    • Offensive action: Inspecting data collected outside your organization to proactively discover and deny any adversarial activity against your company.
    • Complexity: Medium
    • Business risk: Minor. The main risk is making use of illegal or shady services; rely instead on industry standards and well-known vendors.
  • Remote Deception Operations: Such operations include the creation of fake profiles of your company, fake publicly exposed services, fake leaked documents with tracking tokens, etc. This is a lighter version of the “Sting Operations” discussed later.
    • Offensive action: Hunt adversaries by luring them with fake targets so that you can catch them before they target the real assets of the company.
    • Complexity: Medium
    • Business risk: Minor. Mostly around having strong processes to avoid security mistakes that would jeopardise your security posture, keeping those operations well managed, and operating on a need-to-know basis.
  • Data Breach Data Exploitation: This means getting access to data from data breaches and using them to uncover adversarial activities or intelligence which will help you proactively protect your company. Examples include proactively discovering infrastructure used for malicious purposes, accounts used by adversaries, deanonymization, etc.
    • Offensive action: Exploiting data which would otherwise be confidential to the organization that had them, in order to get more insights on your adversaries.
    • Complexity: Medium
    • Business risk: Medium. There is a lot of legal and ethical debate over the data breach data exploitation and that could have some business impact for a company. Additionally, the handling of such data involves some complexity in terms of access management, auditability of who did what and why, retention policies, etc. which means additional resources, technology, and processes will likely be needed.
  • False Flag Operations: An advanced offensive technique to trick your adversaries into a particular line of thinking so that you can take advantage of their resulting actions. For instance, make it look like a rival adversary leaked information about them, or have them believe that a rival adversary has already compromised the systems they are in.
    • Offensive action: Dynamically and actively change your adversaries’ TTPs by forcing them into believing that something other than what they see is happening.
    • Complexity: Medium/high
    • Business risk: Medium/high. Those operations need very careful planning and discipline, and could easily backfire in a variety of ways, including negative media attention, making your adversaries switch to more advanced techniques, legal action from government bodies whose operations you might have interfered with, having the opposite effect, etc.
  • CNA Operations: Computer Network Attack (CNA) operations are any activities that will cause degradation, disruption, or destruction of the adversaries’ infrastructure and resources. Examples include denial of service attacks, seizure of their resources, flooding their resources (e.g. mass mailers, automated calls, etc.), making countless fake accounts on their platforms, spam, feeding them fake data, etc.
    • Offensive action: Causing the adversaries to focus their efforts on responding to the CNA operation instead of performing their intended malicious activity.
    • Complexity: High
    • Business risk: High. This is a very grey area which might result in the company being treated as a criminal entity. There needs to be very thorough legal and business alignment on how, why, who, when, and where those activities will happen, and in most cases it is (legally) impossible for most companies to perform such operations.
  • Sting Operations: Here the defenders could try to pose as criminals to infiltrate a group, or set up a fake website to recruit cyber-criminals, and other similar operations with the end goal to infiltrate the adversary’s entities.
    • Offensive action: Proactively identifying adversarial plans and denying them by applying the appropriate security controls.
    • Complexity: High
    • Business risk: High. For the vast majority of companies out there, it would be impossible to legally do this. However, some might be able to pull this off in collaboration with the authorities. The risk is high and on multiple levels, from public relations, to impacting law enforcement operations, to privacy and legal issues, etc.
  • Takeover: In takeover operations the private company uses its knowledge and resources to take control of infrastructure operated by the adversary. This not only imposes costs on the adversaries for new infrastructure, but can also reveal details of their TTPs, identifiable information connecting them to their real identities, and so on.
    • Offensive action: Denying access to the adversaries, disrupting or degrading their operations, and collecting a significant part of their digital capabilities and information.
    • Complexity: High
    • Business risk: High. Back in the day those were a common occurrence, but as cyber becomes more and more of a regulated and controlled space, conducting a takeover could result in very serious legal and PR implications for a business. Nowadays, those are typically limited to specific companies operating in this space and to government entities. They can still be performed by others, but it is a complex process with many moving parts.
  • Online HUMINT (Human Intelligence): The purpose of those operations is both to understand and infiltrate adversarial groups/networks by exploiting human weaknesses (e.g. social engineering, recruiting insiders, etc.), and to disrupt their operations from the inside. For example, recruit (or become) an influential member and create tensions in the group, make arguments to shift the group’s focus from operations to internal conflicts, create division among members, etc.
    • Offensive action: Depending on the level it could be anything from collecting intelligence on the TTPs of the adversary to proactively protect your assets, all the way to creating internal conflicts that will result in disrupting or destroying a group entirely. In some cases, those tensions could go as far as members reporting each other to the authorities.
    • Complexity: High
    • Business risk: High. Those operations are typically limited to nation-state actors that have dedicated resources for such covert activities. It is not unheard of that a private company could support those, but the risk is quite high due to the potential impact a business could have from both the adversaries and the involved authorities.
  • 3rd/4th Party Collection: In simple terms this can be considered a step up from the “Takeover” operations discussed earlier. Here the operation doesn’t only involve taking over the adversary’s infrastructure, but using it to collect data from wherever that infrastructure has access to. For example, you might have taken over a Command & Control server and found there some VPN connections to a server the threat actors use. You use them to access it and collect intelligence and/or disrupt their operations. This can extend to multiple levels on the other side too. For instance, use the C&C to send commands to the infected hosts (if an adversary system is infected) and collect data (or perform other actions) there as well.
    • Offensive action: Exploitation of adversarial infrastructure at multiple levels, masking your activities using the taken-over system(s). This could be used for anything from intelligence collection to disruption, degradation, denial, etc.
    • Complexity: High
    • Business risk: High. Those operations are typically limited to nation-state actors that have dedicated resources for such covert activities. It would be very complex and risky for any private company to try to conduct this, since it involves breaking into systems at multiple levels.
  • CNE Operations: This is the research to identify and exploit vulnerabilities in order to execute a Computer Network Exploitation (CNE) operation against an adversary. For instance, find a software vulnerability in their malware allowing you to take over their C&C, or identify a misconfiguration on their operational hosts allowing you to infiltrate them, etc. This is what is commonly known as hacking back.
    • Offensive action: Exploitation of adversarial infrastructure. This could be used for anything from intelligence collection to disruption, degradation, denial, etc.
    • Complexity: High
    • Business risk: High. Those operations are typically limited to nation-state actors that have dedicated resources for such covert activities. It would be complex and risky for any private company to try to conduct this, since it involves breaking into systems.
  • Automated CNE: That is scaling up the “CNE Operations” by automating the exploitation step. That is, developing the ability not only to take advantage of the identified vulnerabilities in adversarial infrastructure, but to automatically (or on demand, via automation) exploit all existing and newly deployed adversarial infrastructure with no (or minimal) human interaction.
    • Offensive action: Exploitation of adversarial infrastructure. This could be used for anything from intelligence collection to disruption, degradation, denial, etc.
    • Complexity: High
    • Business risk: High. Those operations are typically limited to nation-state actors that have dedicated resources for such covert activities. It would be complex and risky for any private company to try to conduct this, since it involves breaking into systems.

Written by xorl

December 28, 2021 at 15:28

Posted in security
