
#128: The Tradecraft Secrets of the Adversary!

And a new set of tutorials from another Packt classic!

Hello!

Welcome to another _secpro! We know you're busy, so here's our highlights this week! If you want to read more, scroll down and check out our coverage of this week's hottest issues and how you can keep up to date with the _secpro!

Cheers!
Austin Miller
Editor-in-Chief
Black Friday Sale - CISSP training resources with Gwen Bettwy

This Week's Articles

What is adversarial tradecraft?

"Adversarial tradecraft" in the context of cybersecurity refers to the TTPs employed by cyber adversaries, often with malicious intent, to compromise or exploit computer systems, networks, and information. 
CHECK IT OUT!

JWTA – JSON Web Token Attack

JSON Web Token Attacks

A throwback article to a particular type of adversarial technique you might not encounter in your day-to-day worklife. Something to keep you on your toes!
READ ALL ABOUT IT!

How to utilize Atomic Red Team Framework for Sophisticated Threat Simulations

Learn to use Atomic Red
In this article, Sai will help you understand Atomic Red Team, a red team framework developed from the perspective of a blue team member. Just what we love in the _secpro!
READ IT HERE!

What's Happened This Week in Cybersec?


Keeping up with the news is difficult. That's why we've condensed the biggest stories from the best news sources around - just for you, right here. Click the links below to find out what's been going on!
 
  • Krebs on Security - Alleged Extortioner of Psychotherapy Patients Faces Trial: Prosecutors in Finland this week commenced their criminal trial against Julius Kivimäki, a 26-year-old Finnish man charged with extorting a once popular and now-bankrupt online psychotherapy practice and thousands of its patients. In a 2,200-page report, Finnish authorities laid out how they connected the extortion spree to Kivimäki, a notorious hacker who was convicted in 2015 of perpetrating tens of thousands of cybercrimes, including data breaches, payment fraud, operating a botnet and calling in bomb threats.
  • Bruce Schneier - LitterDrifter USB Worm: A new worm that spreads via USB sticks is infecting computers in Ukraine and beyond. "The group—known by many names, including Gamaredon, Primitive Bear, ACTINIUM, Armageddon, and Shuckworm—has been active since at least 2014 and has been attributed to Russia's Federal Security Service by the Security Service of Ukraine. Most Kremlin-backed groups take pains to fly under the radar; Gamaredon doesn't care to."
  • Bruce Schneier - Apple to Add Manual Authentication to iMessage: Signal has had the ability to manually authenticate another account for years. iMessage is getting it: "The feature is called Contact Key Verification, and it does just what its name says: it lets you add a manual verification step in an iMessage conversation to confirm that the other person is who their device says they are."
  • Security Affairs - New InfectedSlurs Mirai-based botnet exploits two zero-days: Akamai discovered a new Mirai-based DDoS botnet, named InfectedSlurs, actively exploiting two zero-day vulnerabilities to infect routers and network video recorder (NVR) devices. The researchers discovered the botnet in October 2023, but they believe it has been active since at least 2022. The experts reported the two vulnerabilities to the respective vendors, who plan to release fixes in December 2023.
  • Microsoft Security - North Korean Hackers Distribute Trojanized CyberLink Software in Supply Chain Attack: "Microsoft Threat Intelligence has uncovered a supply chain attack by the North Korea-based threat actor Diamond Sleet (ZINC) involving a malicious variant of an application developed by CyberLink Corp."
  • Unit 42 - North Korean Hackers (Also) Pose as Job Recruiters and Seekers in Malware Campaigns: "Unit 42 researchers recently discovered two separate campaigns targeting job-seeking activities linked to state-sponsored threat actors associated with the DPRK. We call the first campaign 'Contagious Interview'."

Cybersecurity Fundamentals

 

Adversarial Tradecraft in Cybersecurity


This time, we're turning to Dan Borges' Adversarial Tradecraft in Cybersecurity, a book dedicated to helping secpros deal with the confusion and panic of a live attack scenario. Although this book will mainly appeal to blue teamers and other people working on the defensive side of security, pentesters can also gain valuable insights into how they can approach testing which authentically represents the way a threat actor would 
READ THE BOOK HERE!

Adversarial theory


Computer security can be such a complex topic that it is often difficult to discuss in terms of dominant high-level theory. Every few years, new strategies emerge in both offense and defense, and after three decades, there is no clear winner of the dominant strategy in the space. The industry is still nascent in terms of a dominant cyber strategy, yet some strategies routinely outperform others in this evolutionary landscape. 


CIAAAN


To help analyze the strategies of this game, we will need some basic elements of information security to use as building blocks. For our basic properties of information security, we will use the classic attributes of confidentiality, integrity, availability, authentication, authorization, and nonrepudiation. I will briefly define them here, and I am basing these definitions on the 2008 Carnegie Mellon University memo by Linda Pesante titled Introduction to Information Security. In that memo, Linda defines these six attributes as crucial to cybersecurity, and we will revisit them throughout this book. We will refer to these six elements as the CIAAAN attributes:

• Confidentiality
• Integrity
• Availability
• Authentication
• Authorization
• Non-repudiation

Confidentiality is the ability to keep communications secret. We will see how confidentiality plays a huge role in most data transport as well as command and control (C2) that we use throughout the book. Integrity refers to our ability to ensure information remains what we intend it to be. This means that commands, logs, files, or any information that we set remains true to its intended setting. We will see this play a large role when we start to backdoor files and tamper with logs. Availability is a core element that means we can access the data or service in question. Compromised availability means that the device is generally unusable by a certain party. We will see this play a role when a defender quarantines a device from an attacker, or if an attacker kicks a defender out of a device temporarily.

Authentication and authorization are technically two very different elements: Authentication defines how you prove your identity and authorization defines what you can access with that identity. However, for the sake of simplifying the conversation, we will generally refer to these as a single identity-based element. Finally, non-repudiation, or the ability to state historically that an event has happened, is a critical attribute. Non-repudiation is essentially creating logs or receipts for an event. Non-repudiation is an often-overlooked element, but we will learn throughout this book how crucial it is to log events, as these logs will become our eyes and ears into the digital world. Some evidence is often not captured by any log source; it can be extremely short-lived and ephemeral, such as data held in RAM. If such temporal forensic data is not captured or analyzed soon, it will be lost, thus an effort to log all critical security data we explore will prove useful in our hunts. Using these CIAAAN attributes will help us evaluate our strategies throughout the text.


Game theory


Game theory (GT) is a form of analytic discipline in which the optimal strategies of a game are studied for various players. Essentially, GT attempts to find the best response a player could make in a given situation. GT often focuses on simple games in which basic strategies can be empirically determined as the best. This is because simple games in GT can be expressed as mathematical notation, only requiring three basic inputs: the players of the game, the information and actions available to them at decision points, and the consequences of those decisions. I will attempt to approximate the information available to the players and the consequences of the decisions using the CIAAAN attributes. We can use these approximations to make generalized theories about which strategies are stronger with GT. Games within GT often revolve around conflict or cooperation, in which multiple players must choose their best response among other competing players to be victorious. In GT, a non-cooperative game is a game in which players typically compete for their individual best possible outcome. I will show readers how some strategies can play to certain principles of conflict, and thus remove CIAAAN attributes from their opponents. When you remove CIAAAN attributes from your opponent in what is essentially an information-based conflict, you gain the opportunity to manipulate or expel them from your environment, which is often the end goal of these conflicts. We will use these attributes to search for dominant moves or strategies that naturally best other opposing strategies.

Opponents may also develop strategies for their optimal play. This back and forth of shifting strategies is known as reaction correspondence. We will explore several of these evolutions and show how optimal strategies may become suboptimal after a certain reaction correspondence occurs. A simple way to think about reaction correspondences is as the defense shifts to attempt to counter the offense, the offense must shift again to regain the upper hand. When each opponent or adversary chooses the best possible response for their opponent's best response, a state is reached known as the Nash equilibrium, or optimal play for both sides in a non-cooperative game. We will use other techniques in this chapter, such as kill chains and attack trees, to help model these reaction correspondences.
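The best-response, reaction-correspondence and Nash-equilibrium ideas in the excerpt above can be made concrete with a tiny two-player game. The following Python is an added example written for this newsletter, not code from Borges' book or from Packt: the attacker/defender actions and every payoff number are constructed for illustration only (the attacker chooses between noisy and quiet tooling, the defender between collecting all logs and minimal logging, echoing the book's point about non-repudiation). The functions compute each side's best response, iterate the reaction correspondence from a starting defender posture, and enumerate pure-strategy Nash equilibria.

```python
"""Best responses, reaction correspondence and pure Nash equilibria
in a constructed attacker-vs-defender game (added example, not from the book)."""
from itertools import product

# Constructed strategy sets and payoff table: an assumption for illustration,
# not measured data. Each cell is (attacker_payoff, defender_payoff);
# the key is (attacker_action, defender_action).
ATTACKER_ACTIONS = ["noisy", "quiet"]
DEFENDER_ACTIONS = ["log_all", "log_min"]
PAYOFFS = {
    ("noisy", "log_all"): (-3, 3),   # loud tooling is caught quickly when everything is logged
    ("noisy", "log_min"): (4, -4),   # loud tooling wins fast against a blind defender
    ("quiet", "log_all"): (1, -1),   # stealthy attacker dwells, but the log trail eventually exposes it
    ("quiet", "log_min"): (2, -2),   # stealthy attacker dwells unseen
}


def attacker_best_response(defender_action, payoffs=PAYOFFS):
    """All attacker actions that maximise the attacker's payoff against a fixed defender action."""
    best = max(payoffs[(a, defender_action)][0] for a in ATTACKER_ACTIONS)
    return [a for a in ATTACKER_ACTIONS if payoffs[(a, defender_action)][0] == best]


def defender_best_response(attacker_action, payoffs=PAYOFFS):
    """All defender actions that maximise the defender's payoff against a fixed attacker action."""
    best = max(payoffs[(attacker_action, d)][1] for d in DEFENDER_ACTIONS)
    return [d for d in DEFENDER_ACTIONS if payoffs[(attacker_action, d)][1] == best]


def pure_nash_equilibria(payoffs=PAYOFFS):
    """Profiles in which each side is already playing a best response to the other,
    so neither can gain by changing its action alone."""
    return [
        (a, d)
        for a, d in product(ATTACKER_ACTIONS, DEFENDER_ACTIONS)
        if a in attacker_best_response(d, payoffs) and d in defender_best_response(a, payoffs)
    ]


def reaction_correspondence(start_defender, payoffs=PAYOFFS, max_rounds=10):
    """Alternate best responses, starting from a defender posture, until the
    profile stops changing. Returns the sequence of profiles visited.
    max_rounds bounds the walk because games without a pure equilibrium cycle forever."""
    d = start_defender
    a = attacker_best_response(d, payoffs)[0]
    path = [(a, d)]
    for _ in range(max_rounds):
        d_next = defender_best_response(a, payoffs)[0]   # defense shifts to counter the offense
        a_next = attacker_best_response(d_next, payoffs)[0]  # offense shifts again
        if (a_next, d_next) == path[-1]:
            break  # fixed point: mutual best responses
        path.append((a_next, d_next))
        a, d = a_next, d_next
    return path


if __name__ == "__main__":
    print("reaction path from log_min:", reaction_correspondence("log_min"))
    print("pure Nash equilibria:", pure_nash_equilibria())
```

With these constructed payoffs, a defender starting at minimal logging invites the noisy play; switching to full logging is the defender's best response, which in turn pushes the attacker to the quiet strategy, and the walk settles at (quiet, log_all), the game's only pure Nash equilibrium. Swapping in different payoffs (or a game like matching pennies with no pure equilibrium) shows why the walk is bounded and why the book treats these strategies as evolving rather than fixed.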

READ THE BOOK HERE!

Have You Tried...


Adversarial tradecraft has been the theme this week, so why change that for our tool suggestions?
 
  • RedTeamOperations/Detecting-Adversarial-Tradecrafts-Tools-by-leveraging-ETW - CyberWarFare Labs hands-on workshop on the topic "Detecting Adversarial Tradecrafts/Tools by leveraging ETW"
  • Trusted-AI/adversarial-robustness-toolbox - Adversarial Robustness Toolbox (ART) - Python Library for Machine Learning Security - Evasion, Poisoning, Extraction, and Inference for both Red and Blue Teams.
  • eriklindernoren/PyTorch-GAN - "Collection of PyTorch implementations of Generative Adversarial Network varieties presented in research papers. Model architectures will not always mirror the ones proposed in the papers, but I have chosen to focus on getting the core ideas covered instead of getting every layer configuration right. Contributions and suggestions of GANs to implement are very welcomed."
  • safe-graph/graph-adversarial-learning-literature - "A curated list of adversarial attacks and defenses papers on graph-structured data. Papers are sorted by their uploaded dates in descending order."
Copyright © 2023 Packt Publishing, All rights reserved.