Attacker

Reference : Network Attacks and Exploitation by Matthew Monte

Life Cycle of an Operation - Principle of humanity

  1. Targeting (a continual process - backing up, seeking another way…)

    1. Identification of the target (which bank to rob)

      1. hard to be alerted to (although the best defence is countersurveillance)
    2. Attack strategies and tactics to exploit the network (how to rob it)

      1. make the tactic first and then seek a vulnerable network → Strategic Access Operation (looks for an unspecified target)
      2. At this stage the objective is only beginning to take shape (the attacker does not yet know what it will get)
      3. Any behaviour or information gathering that serves the intrusion is considered part of the targeting process.

      e.g. identify an application vulnerability, then look for the companies that use that application; in 2009 Subway was caught this way.

      Even if you are not the party that was hit, you should use such a case to identify and remediate the vulnerability.

  2. Initial Access - usually at user level (where it is most heavily monitored)

    1. Penetrating any defensive security.
    2. Gaining initial access
      1. Often the easiest and shortest stage
      2. The focus of much of the security industry.
      3. Trends show that there is a constant supply of opportunities for this stage in the field.
  3. Persistence: turning initial access into recurring access that makes sustaining an operation possible.

    1. The attacker's first defensive action → consolidating and securing future access.
      • Because vulnerabilities are 1) not known for the whole duration and 2) do not always work.
    2. Backdoors (the attacker's own form of persistence) must survive
      • normal usage; system restarts; and provide a reliable command and control channel.
    3. To eliminate the need to break into the system again (lowering the risk)
  4. Expansion (across the target network) - the area where network defence operates

    1. to establish persistence (the initial access point is the most monitored access point)
    2. to locate and access the wanted data (the initial access point often does not contain the valuable data)
  5. Exfiltration (covertly pulling data out) - retrieval of the wanted data

    1. The ultimate measure of success for strategic and directed collection operations.
    2. Hard for the defender because it is subtle to differentiate normal activity from carefully managed malicious activity.
  6. Detection - occurs when an operation is exposed to the target.

    1. Once the tactic is found, all the effort invested in it is lost.

Principle of Access

The approach the attacker takes to gain initial access depends on the connectivity of the target network, which can be:

  1. Inbound Access (a connection can be initiated into the network from outside)

    • Public

    • Restricted

      • something you know: password; VPN key; mouse movement etc.

      • something you have: a physical item - key, cell phone. Possession of the item (such as a random confirmation code sent via text); something like a certificate

      • virtual location: an allowed network address - access is possible only from a designated location

        — The above are ways of impersonating "legitimate access"

      • Illegitimate access - circumvent the application (Snapchat - collecting other users' information)

  2. Outbound Access (make a user inside the network do something)

    1. Email attack

      • Attachment
      • Attack the email system (the ideal attack) - only requires the user to preview or view the email.
      • malicious links - via the browser or plug-ins. Current systems have many vulnerabilities and are weak against this method (but it still requires the user to click).
    2. Website Hijack Attacks (Positional Access Operation)

    3. Circumventing Outbound Restrictions

      1. Software running on the host computer

      2. Software/hardware running on the network (difficult, as the attacker must first gain access to it)

        —> Even if the attacker holds the access key and credentials, that does not mean the attacker can reach the network. Outbound access means the attacker needs to find a way to build a communication channel into the internal network.

    4. Bidirectional Access - some user group has access to the network

    5. No Outside Access - physically separated from the outside (a breach is required)

Principle of Economy

  1. Time - the most important constraint
  2. Targeting Capabilities - understanding of the target
  3. Exploitation Expertise - needed for initial access, persistence, and expansion
  4. Networking Expertise - required throughout the operation but most important during initial access, expansion, and exfiltration.
  5. Software Development Expertise - to create robust attack, data collection, and analysis tools. The programs are
    1. Fault tolerant to the extreme - if something goes wrong, a reboot is not an option
    2. Highly efficient and consume few computing resources or little bandwidth
    3. Often explicitly break or circumvent OS and program norms
    4. Should work against their counter programs
  6. Operational Expertise
  7. Operational Analysis Expertise
  8. Technical Resources

Attacker Structure

  1. Targeting - the leadership directing the overall operation
  2. Door-kicking Team - responsible for initial access; once inside, sets up the communication channel
  3. Rapid Analysis Team - analyses information after entry (done quickly)
  4. Networking Team - expansion and data extraction for long-term persistence (since data has to be pulled out over the network), plus breaking through higher-level security
  5. Maintenance Team - maintains what has been built so far
  6. Infrastructure Team - maintains the extraction channel endpoints such as e-mail and domains