Reference :
- Network Attacks and Exploitation by Matthew Monte
- The Australian National University CECS

Target

Five levels of target: Operation Scope —> Networks —> Subnet/VLAN —> Systems —> Software.

Five influential elements:

1. Launch Points: Where can this target point be engaged from?
2. Cover: 누구로 위장? 네트워크를 뚫고 침입해서 정보를 뺴갈만한 사람이 누구인가?
3. Obstacles: 목표를 향하는데 방해/고려 요소들. 방어 체계가 어떻게 되어있나
4. Key Terrain: 타겟에 접근하기 전에 해두어야 (이뤄두어야 할) 요소들
5. Gaps: 목표의 첫 진입로는 무엇인가

위 네가지 요소들은 시작전에도 필요하지만 작전이 진행되면서 계속해서 바뀌어간다.

Tactics

Discovery

has Two Modes:

• Passive: no negative effect on the target
• Active: Provoking a system to observe its response

has Two Vectors:

• Indircet: Interacting with infrastructure not controlled by the target
• Direct: Engaging target infrastructure

Research: 타겟에 대한 정보를 직접적인 건드림 없이 모으는 행위.

• 리서치의 목표는 정찰 활동에 집중하기 위해서
• 호스트 발견하기 위해서
• 작전 보안의 위험성을 낮추기 위해서
• 정보는 미완성이고 관련성과 최신성이 낮다
• 존재하는 정보들을 모으는 단계라고도 볼 수 있는데 두가지가 있음
  1. Harvesting: 목표와 관계된 정보들을 최대한 모아서 그곳에서 목표 가능한 개체를 찾는것
     • 웹사이트 컨텐츠나 서류에서 정보를 수확할 수 잇다
     • 인터넷 인프라 - 지역 인터넷 이용자, DNS등
     • 컨텐트와 메타데이터 로부터 얻는 이메일과 이름, 아이피 주소와 도메인등
  2. Mining: 하나의 개체를 중심으로 정보를 더 깊게 파는행위
     • 구글 크롤링이나 인덱스
     • 제 3자 정보 모아주는 서비스 이용 (무료/유료)
     • Google, Shodan, Maltego

Reconnaissance: 리서치 단계로부터 얻는 결과에 대한 확인과 보완 작업

• 목표는 물리적 시스템과 소프트웨어

• 목표와 직접적으로 반하기 때문에 들킬 수 있다.

• 가장 최신화된 정보를 제공함

• 타겟에 대한 접근성을 테스트 함

• 좀더 현실성 있는 정보들을 흭득하는데 두가지 방법이 있음

  1. Scanning: 사이버 레이더와 비슷함

     • 호스트, 서비스, 버전등의 발견을 목표로함
     • Port scanning, Service enumeration, Ping. Trace Route, Firewalking, DNS zone transfer 등

  2. Probing: 목표를 도발(건드림) 함으로써 반응을 살핀후, 치명적인 약점을 찾아내는것

     • 훨씬 시끄럽고, IDS/IPS signatures 로 부터 수상한 움직임으로 발견될 수 있음
     • 목표 시스템을 심문함으로써 취약점을 발견
     • Vulnerability scannig, fuzzing, brute forcing, stress testing.

Password

해쉬는 디스크 혹은 확인 절차중의 트래픽에서 수집된다

트래픽에서 하는 해쉬가 훨씬더 보호되고 풀기도 어렵다

해쉬를 크랙킹 하는것은 오프라인 공격에 해당된다

온라인 공격은 시스템이라 웹사이트 로그인 기능에 대한것이다

보통 브루트 포스와 딕셔너리 (해쉬 저장된)를 이용한다.

Access

보통 해킹이라 불리는 단계가 이 단계

1. Exploit: 소프트웨어 취약점을 목표로 한 코드. 목표 시스템에 들어가서 payload 를 실행함
   • 두 시스템간의 신용 (trust)을 이용함
   • 백엔드의 경우 프론트엔드를 믿고 받은 커맨드를 실행함. 따라서 프론트엔드의 실수가 백엔드로 이어지는것 (트위터 포스트에 코드 올려서 인풋이 실행된다던가 혹은 SQL Injection)
   • 혹은 중간에 들어가서 클라이언트, 서버 역할을 해서 정보를 뺴낸다던가
2. Payload: 목표 시스템에서 해커에게 access 제공하는 코드
   • 해커에게 문열어주기, 더 많은 페이로드 설치하기 (한번에 다 보내면 위험하니까), 셋팅 바꾸기 (그리고 사라짐)
3. Vector: 시스템 공격부터 목표까지 도달하기 위한 위 두가지를 전달하기 위한 이벤트의 절차나 순서들
   • 직접 (해커-목표), interception (정당한 다른 시스템-목표 평소 사용하던 광고 사이트에 광고 요구, 광고가 감염됨 (서버아님) — watering hole attack), redirection (목표를 위험한 사이트로 인도하는것 - 서버가 감염됨))

Assure (확실)

• 접근은 작전의 시작 부분이고, 이 확실 부분이 접근과 실행단계를 연결해주는 다리 역할
• 이 확실 단계가 가장 들키기 쉬운 단계로 다른 부분들에 비해 제일 위험하다
• 접근은 너를 문안으로 발자국을 딛게 해주고, 확실은 문 키를 주는것.
• 작전에 따라 확실 정도가 달라짐
• 작전 완료를 위한 시간 버는 중요한 단계
• 결과론적으로 확실단계는 작업 필요성과 타겟과의 마찰을 적절하게 유지하는 것.

접근과 마찬가지로 시스템, 네트워크 레벨 총 두단계로 나눠지는데

• System Level Assurance: 특정한 시스템에 접근권한을 유지하는것
• Network Level Assurance: 네트워크에 접근권한을 유지하는것. 네트워크 레벨 접근은 사실 시스템 접근성에 기반을 두고 있다.

접근의 경우 방어나, 혹은 자연적인 시스템에 의해 잃을수 있다.

• Access Losing action 은 사람이나, 기계의 방해에 따른 (방어나, 혹은 중립적인 시스템 이벤트에) 결과이다.

  • Hostile: 너의 칩입을 겨냥한 반응

  • Neutral: 자연적인 시스템 사건에 의한 반응

  • Human: 사람의 선택에 따른 반응 (업데이트/업그레이드 혹은 설정 바꾸기등)

  • Machine: 머신의 프로그래밍에 의한 반응

    

    Assurance - Sub-components

    Security

    상대방의 행동으로 인한 접근권한 잃는것을 지켜준다.

  • 접근 보안이 Assurance의 세 부분중 (보안, 감시, 잠행) 가장 먼저 지켜져야 한다

  • 보안은 redundancy를 통해 (즉 백도어) 달성될 수 있다.

  • 백도어의 중요한 원칙은 백도어간의 단절화가 지켜져야 한다.

  • 백도어는 두가지 방법으로 설치가 가능한데

    • 타겟 시스템에 새로운 소프트웨어를 설치하는법
    • 타겟 시스템에 존재하는 소프트웨어를 수정하는법

    Redundancy는 한 접근 방법을 잃을 때 다른 접근 방법이 남겨지는것이다.

  • 접근 위험을 퍼트려야 한다 (하나 걸릴때 다른거 안걸리게)

  • 첫번째 접근 했던 방법을 고려해서 이 방법에 영향 받지 않는 두번째 접근 방법을 고려해라.

  • 복제 형식으로도 가능하지만, 이는 곳 signatrue를 강하게 남긴다는 뜻이다

  • 완벽한 단절은 엄청난 시간과 투자를 요구한다.

    보안의 목적은

  • 수화물이 프로세스가 죽었을때 다시 켜지는것

  • 공격 스테이션이 실행되고 있는 수화물에 접근 가능하게 하기 위해 (즉 프로그램 심어놓고, 그 프로그램에 대한 접근이 가능해야 뭘 하지)

    보통 두가지를 사용하는데

  • Bootstrapping : 수화물을 운영체제에 연결하는법

    • 윈도우의 경우, 시작폴더, 서비스, 레지스트리 들을 참조한다
    • 스케쥴링은 어플리케이션 실행하는데 다른 방법이다.

  • Beaconing: 타켓에서 공격자 인프라에 연결을 하게 하는것.

    • 접근 세션 혹은 정보의 변경/추출 을 시도한다.
    • 정기적으로 beacon에 의해 수화물이 설정변경 가능하다 (타겟이랑 연결되어 있으니 수화물 조정이 가능하지)
    • 해당 시스템의 운영체제에 있는 어플리케이션이나, 새로 다운된 것들을 실행하도록 스케쥴링을 시킬수 있다.

    Surveillance

    위험성을 감지함으로써 적절한 반응 (responsive action)을 시간내에 가능하게 해준다

  • Is only an enabler to responsive action or investigation.

  • May alert to threatening actions and allow you to take timely action.

  • 접근을 잃으면 이 감시를 더 분석하고, 미래의 접근 방법을 조정하게 해준다

  • 시스템/사람 모두로 인해 위협이 일어나니 모두 고려해야한다

  • 감시 기간동안 걸리면 접근이 차단될 수 있다. (즉 감시 하다가 걸리면 당연히 뭘 하겠지 상대방이)

    로컬 atcivity 들을 모니터링 함으로써 시스템의 위협을 감지 할 수 있다.

  • 그 행동이 (activity) 가 중립적인지 적대적인지를 확인하는것이 시스템 위협 모니터링의 목적이다

  • 보통 적대적 시스템 행동은 보안 기기나 보안 소프트웨어에 의한다

  • 목표 기기가 알아차린것과 사람이 반응하는 시간 차이는 목표물의 보안 성숙도와 교양에 달려있다.

    사람 위협의 감지는 기기와 인간이 만든 컨텐트들의 모니터링을 필요로 한다

  • 사람 행동을 로컬 시스템 이벤트들로 감지 가능하다

  • 사람이 만든 컨텐트는 잠재 위협 행동의 가장 좋은 지표이다 (사람이 뭘 만들었으면 시스템이 바뀔 예정이니 뭐가 어찌될지 예상/확인이 가능하다)

  • 이러한 감시들은 관리자 워크스테이션에서 존재해야 가능 할 수 있다 (may)

  • Assurance는 관리자 시스템에 접근하기 위함이 첫번째 이유이다.

    모니터링에는 두가지 종류가 존재하는데

  • Static Monitoring: take a snap of target activity (processes, stats, logs).

    • 커맨드를 사용해 파일로 만들고, 압축해서 보낸다. 부트스트래핑을 이용한 방법이다.

  • Dynamic Monitoring (Real time): 특정 행동들을 감시하는것

    • 저장하고, 쿼리로 만들고, 테스트를 하고, 필요한 정보가 있다 하면 보내는것 아니면 폐기.

    Stealth

    Assure 단계에서 가장 마지막에 고려되며, 초기 접근과 Assurance 활동의 들킴을 방지한다

    잠행은 공격적/방어적 인 방법이 있는데, 방어적은 은엄폐를 통해서, 공격적은 상대방의 센서능력의 하락을 통해서 이루어진다

    방어적 장행

  • 위장과 엄폐를 사용한다

  • 엄폐는 감시 능력 밖에 위치하거나, 들킬만한 것들을 제외 함으로써 가능하고

  • 위장은 들키더라고 안걸리고 넘어가는것

  • 타켓 네트워크와 시스템이 자연적 위장을 가능하게 해준다 (즉 그 상황을 사용)

    공격적 잠행

    최후의 보루로, 높은 위험성을 내포하지만 같은 결과를 도출함 (즉 걸리지만 않으면 좋음)

  • 상대방 감지 능력 감소를 야기함

  • 감지를 직접적으로 공격하거나, 간접적으로 공격함

  • 직접적인 방법은 disablement or reconfiguration

  • 간접적인 방법은 chaff - deploying more observable to attract (즉 함정 쓰는거) 디코이

Assurance를 디자인 하는것인 작전 결정이며 목표와 키 위험성을 고려해야한다

• 다른 단계에 비해 가장 높은 위험성을 내포하고 있고 (위험 메니지먼트에 가장 크게 의존함)
• 두가지 성질에 의해 measure 가능하다
  • Operational Equities: Customer owned. Wider investment in operational
    outcomes. Affects stakeholders.
  • Capability Equities: Internally owned. Investment in infrastructure, tools and
    tradecraft.

단계별 관계도

1. Resilence (복원력) 는 모니터링의 요구도를 줄일 수 있다. 하지만 모든 Resilence 메카니즘이 모니터되는건 아님 (즉 요구도를 줄이지만 없애지는 못함)
2. 좋은 모니터링과 반응은 light resilence를 커버할 수 있다. 하지만 모니터링은 alert to resilence mechanisms 할수 있다
3. 모니터링 행동은 잠행 기회들을 발견 할 수 있다, 하지만 모니터링은 타겟 시스템에서의 활동을 늘린다
4. 잠행은 발견 확률과 모니터링 요구도를 줄일수 있다. 하지만 잠행을 늘리는것은 모니터링의 감소를 필요로 한다 (시간은 유하니까)
5. 발견 안되면 지우지 못함 (내가 있는지 모르니까), 하지만 이러한 잠행 기술들은 표식을 남긴다
6. 내 활동들이 중간에 방해되지 않으면, 잠행을 덜 필요로 한다. 하지만 resilence의 증가는 시스템 활동을 늘리고 잠행을 줄인다.

Leverage : activities achieving operational objectives

Pillage (약탈하다) 상대방의 시스템에 접속해 정보를 약탈하는게 우선순위.

다른 감염된 호스트들 (감염시킨) 을 통한 pivoting 을 하여 접근한다.

약탈을 하는 목적에는 두가지가 있는데

1. 관련된 요구 지식을 충족하기 위해서
2. 네트워크와 시스템 접근과 assurance를 가능하기 위해서.

• 네트워크는 보통 라우터에 의한 서브넷, 그리고 스위치에 의한 가상랜으로 나뉘어져있다.
• 그 네트워크의 단절성을 통과하기 위해 피벗팅이 필요 할 수 있다.
• 한 시스템은 여러 가상랜위에 존재 할 수 있다 (회사 백엔드, 혹은 관리자 시스템) - 즉 가상랜을 통해 시스템 접근가능

Pillage

• 복사: 보통 유저 라이브러리, 로그, 비밀번호 해쉬등을 복사하며, 이 정보를 빼내기 위한 exfiltration 방법은 FTP, SCP, Netcat등 세션에 달려있다.
• 쿼리: 호스트나 해당 네트워크에 관한 정보를 생성함. 시스템에 특정 질문을 해서 (command) 관련 정보를 빼내는방법. 보통 > >> 같은 명령어로 txt 파일로 옴겨서 추출함
• 캡쳐링: 컴퓨터에 저장되지 않는 동적인 정보들을 캡쳐하는것. 서류 스크린샷, 키로깅, 네트워크 스니핑 (오고가는 데이터들 중간에 가로채는것 - 사이트/시스템 비밀번호 같은것들 포함)

Pivot

• Proxy: 클라이언트와 서버 사이에서 데이터를 전달해 주는 서버. 프록시는 패킷을 전달 받고 목적지에 전달해준다. 즉 다른 네트워크로 가는 게이트웨이 역할. 여러 프록시들이 모여서 프록시 체인을 형성하기도 한다.
• Tunnel: 프록시보다 더 복잡하다. 특정한 어플리케이션 트래픽을 만들어 내기위한 고급 방법. 터널링은 복잡한 트래픽 흐름을 만들수 있도록 조정가능하다. 한 희생양을 이용해서 목표물에 접근하는 방법.
• Shovel: 다음 작전을 위해 감염시킨 타겟에 도구들을 옮기는것. 즉 1번 타겟을 공격해서 감염시키고, 1번타겟에 도구들을 올려서 타겟 2를 공격하는것. 즉 나는 명령어를 1에 내리면 1이 2를 공격하는것. 타겟에 도구를 옮겨야 하는만큼 들킬 가능성이 높다, 대신 연결 실패할 확률이 적음 (연결 실패 확률이 적은 컴퓨터를 감염시키겠지)

Reference : Network Attacks and Exploitation by Matthew Monte

Crafting a successful strategy requires:

• A clearly defined goal; strategic collection, directed collection, non-kinetic CNA, strategic access and positional access.
• Embracing the fundamental truths of the space; three foundational principles: humanity, access, and econmoy.
• Determining and reducing the uncertainty of frictions while increasing the opponent’s.
• Determining and maximising advantageous asymmetries, while minimising the opponent’s.

Principle 1: Knowledge

• Is the in-depth understanding of the tech aspects of architecture, OS, Network, and so on as well as psychological aspects of people and organisation.
• Is the target agnostic and acquired outside of any specific operation.
• Is essential to leverage all three principles: access, humanity, economy.
• Reduces frictions - helps reduce flawed attack tool.
• It costs time and money
• Has limits of incompleteness and inaccuracy.

The best decisions are made by those that have a balance of knowledge of the thech, psychological, and social aspects of operations

Principle 2: Awareness

• Is the careful mapping of the operational domain as well as the active detection and passive monitoring of events in near real time.
• Is gleaned from the target environment and is target specific.
• Seeks to counteract the Defender’s asymmetrical advantage of turf control.
• May allow the attacker to discern when the frictions of updates and upgrades are coming where they will be deployed.
• May tell the attacker the likelihood and consequences of being caught - as can see hows the security going by humans aspects.
• Leads to the more effective deployment of tactics - as aware of the ongoing situation.
• Requires greater exposure and risk - need expansion to collect awareness.
• Too much —> may lead overconfidence or can be paralysing (too much worries).
• Buys time: to innovate, to put in redundancy, to collect data, and clean up and out.

Principle 3: Innovation

• Is the ability to create new technology, leverage existing technologies in new ways, or develop and adapt operational methods.
• Requires creativity; essential for finding flaws by divining assumptions that engineers and administrators may have not realised they were breaking.
• Is creativity brought to scale through sound engineering.
• Can improve efficiencies and decrease frictions.
• Confers a tactical advantage.

Principle 4: Precaution

Consider the effects of the Defender’s actions on the Attacker

• Is the minimisation of the effect of unwitting (자신도 모르는) actions on an operation.
• Is the strategic principle that fills the void left by the impossibility of obtaining total awareness.
• Redundancy: is establishing reasonable fail-safes, backups, and contingency methodes, network signatures.. - allows the operation lives
• Diversity: is leveraging a wide range of tools, technologies, development methods, network signatures… - prevent full operation failure.
• Redundancy - Points of acceess per seg = lg(number of devices)
• Diversity = 1 to 2 methods / platform.
• The best precaution will depend on the attacker’s level of awareness.

Principle 5: Operational Security

Consider the impact of the Attacker on the Defender.

• Is the minimization of adversarial exposure, recognition, and reaction to the existence of an operation.
• Is best defined as doing everything that prevents discovery.
• Is the twin of the principle of precaution; Precaution - the effects of the Defender’s actions on the Attacker, Operational Secu - the impact of the Attacker on the Defender.

Minimizing Exposure

• Stealthness - more than active hiding; includes being a tree in a forest.

Minimizing Recognition

• Has level of exposure to observations.
• Ensure that observable artifacts and actions are kept within an expected pattern. (behave the common pattern they do)
• Decoy - spread out anomalous actions in space and time to keep below the human thrushold of perceived cause.

Controlling Reaction

• May leave decoys that misdirect Defenders into thinking they have rooted out the problem.

Measuring

The more awareness you have, the more secure you can be. But the act of acquiring that awareness is less operationally secure.

Principle 6: Program Security

• Is the principle of containing damage caused during the compromise of an operation.
• You do not want to affect the other operation from the failure of one.

Attacker Liabilities

• Anything that can be used to impede the Atttacker’s future operations.
• Defenders will do Battle Damage Assessment (BDA) - What
  • What systems were compromised? What credit cards were exposed?
  • What user accounts? What is the value?
• Defining who and how is intensive work.
• Categories are:
  • Identity, Target Pollution, Attacker Infrastructure
  • Technical Vulnerabilities, technical tools, Operational Methodologies.

Program Security Costs

Attacker Costs < Defender Costs is ideal.

Do following to increase the costs for defenders:

• AntiReverse Engineering - Prevent Static Analyze; Reverse Engineering - no control, but analyze and knows how does it work.
• AntiDebugging - Prevent Dynamic Analyze; Debugging - analyze with the control.
• Capability Diffusion: separate big into small segements so hard to define the links in between the programs.

— Careless increase of Defender’s analysis cost may trigger the detection and lose the superiority; with potential of decreasing the costs for them + decrease program security

• Mitigation is the cost of preventing the attacker’s actions in the first place, or cleaning up after successful attack detection. - 예방및 공격감지후 보호/정리 비용
• Distribution is the cost associated with either acquiring that knowledge or sharing with others : Computer Emergency Response Teams (CERTs)

Reference : Network Attacks and Exploitation by Matthew Monte

False Asymmetries

Cost

Cost alot for both of attackers and defenders.

Attribution

Cyber Attribution is the process of tracking, identifying and laying blame on the perretrator of a cyber attack or other hacking exploit. Finding the target and catching the attacker is pretty much the same. And even penalties different via countries.

True Asymmetries Advantage for attacker

Motivation:

Attacker: costs but there is a huge payoff potential and little risk. Gains are immediate and tangible

Defender: Nothing to gain, only something to lose. Loss is often intangible from nothing to catastrophic.

This diffrerence creates an imbalance in motivation even if the law comes in, monotony makes defender less motivated than attacker.

Initiative:

Is ability to make threats or take actions that require your opponent to react. Motivation : mental States. Initiative : measures ability. Attacker acts and Defender reacts —> means that the Attakcer can stay one step ahead.

Focus:

Attacker: has a sigle mission and point of focus. Has a feedback coming from the accomplishments and failures

Defender: Split focus between securing the network and running it. Lack positive feedback. Cannot prove a negative.

Effect of failure:

Preventing an attack may have no effect wthasoever on the attacker

Honeypot is a computer network designed to entice attackers in to trick them into exposing a larger cadre of tools and methods in the hopes of inflitcing a cost; histrically been expensive.

Attacker: loss almost non-existent; time and small amount of cost. May apply the failure to make the next step

Defender: a lot. No idea how would be the next step be.

Knowledge of Tech:

Attacker : There are but a limited number of typical setups and the Attacker has seen them all. Full time spending studying offense and even defense. Urgency for defender is different.

Defender: must learn defensive methods and tech to stay current and to maintain compliance.

The gap comes from the motivation and eagerness on learning more stuff.

Analysis of opponent:

On general, Attackers can acquire, analyze, and test against solutions of security software before deploying their attack tools,

Attacking tools cannot be purchased, but must be captured. Must detect and capture tool for analysis, but need to analyze it to detect and capture.

Tailored Software:

Attackers have an advantage in creating and deploying pointy-end software. The development cycle can be condensed and it is under their own control. However, this advantage is not inherent.

The defensive security market is actively researching and developing defensive architectures that can be
quickly tailored to specific environments under the buzzword adaptive defense. Results so far have been muted, but it is in the early stages. If and when a true adaptive defense is achieved, the Attackers’ advantage will dissipate.

Rate of Change

When software is updated, if new features are added, there’s a decent chance new vulnerabilities will be introduced.

The rate of change and the resultant shaky foundation it creates offers a renewing stream of vulnerabilities that is to the Attacker’s advantage.

True Asymmetries Advantage Defender

Network Awareness

Defender: has full access to every details such as switch, router, firewall…

Attacker: cannot acquire the same level of detail with the same level of Defender’s effort

Network Posture

microsacle ig. Address Space layout Randomization (ASLR)

Defender: has full right to construct the Network attributes from policy to technological.

Attacker: harder to target the moving object.

Advantage Indeterminate for both

Time

Attacker: time to do overall operation. However it may allow them to be exposed. It may help but hurt at the same time.

Defender: Overall maintance, upgrade, RECON, …

Efficiency

Attacker: Cost of Acquiring Information vs Value of Information Acquired

Defender: Cost of Securing Information vs Value of Information Secured

Reference : Network Attacks and Exploitation by Matthew Monte

Principle of Humanity

The Defender consists solely of the people actively or passively preventing the Attackter from completing any portion of the operational life cycle.

Humanity And Network Layout

The human inertia of “if it ain’t broke, don’t fix it” often prevents any reconsideration of security. Detailed network diagram shows how the organization grew.

Because the influences in layout and technology of a network reflects stuff which are the influences of human in nature, the network itself will have an inherent humanity.

Humanity And Security Policy

Keep things working well enough that no one complains; improve them when necessary and keep management happy.

The humanity of convenience and habit will always trump security policy.

Principle of Access

It is attacker’s comfort, it is the Defender’s daily struggle; need to conduct all the jobs while keeping out the attacker.

Principle of Least Privilege: limit access to documents, DB, and etc. —> It requires seeking out feedback via the constant testing of security boundaries and the monitoring of access.

Access denied —> users notice —> complains.

Access mistakenly granted —> not notice / no problem with it —> no complaints —> not able to fix within close dates unless reported.

The Principle of Access gurantees the Defender will always be vulnerable.

The Defensive Life Cycle

The Offensive Life Cycel is : Start → Targeting → Inintial Access → Persistence/Access Expansion/Exfiltration → Detection

The Defensive Life Cycle is: Start → Privacy → Prevntion → Prevention/Constraint/Obstruction → Detection →Response

1. Privacy : the management of the publishing of information used for targeting (기업구조 차트, 파트너십 계약 등) ; marketing may want to tout this info.
   • Difficult to manage but can be an important counter to targeting.
2. Prevention: can stop the Attacker from gaining initial access or persistence.
   • Firewalls, spam filters, browser security setting …
   • Also exercised via less technical means such as creating a sane network architecture, consistent updates, or training users.
3. Constraint: limiting of lateral movement within a network. Counters access persistence and expansion.
   • can be thought as an insider mitigation, except the case attacker pretend being an insider.
   • Requiring most users to use nonadmin accounts is a good one
4. Obstruction: hard for attacker to get data back out of the network.
   • called Data Exfiltration prevention or data loss prevention.
   • Imposing bandwidth quota is a simple example of limiting attacker’s ability to move the data.
5. Detection: catchcall for finding and recognizing the Attacker during any part of the operational life cycle.
   • No fixed way to ensure detection.
6. Response: Action the Defender takes once realize the compromise.

Principle of Economy

Dynamism : the economy of resources will affect the administrator base (the true defender who is directily responsible for security). The people are inevitably tasktd with upgrading hardware, …. overall IT stuff.

Money may cost alot, but the benefits is not readily apparent untill after a robbery.

Risk-based decision : one that should be based on actual risk and not legal requirements, but a decision nonetheless.

This principle ensures that Defender will never devote as much time and attention to security as wanted.

The helpful Defender

• Targeting: 이메일 주소의 형식화. 이로 유저 계정 유지에 도움이 되지만, 공격자 입장에서도 도움이 됨
• Access : Ensuring compatibility and reliability while postpone the software update makes it vulnerable for a longer period of the time.
• Persistence: Upgrading on a fixed schedule. 유저와 공격자 모두 대비 가능
• Expansion: Centralizing administrative authority to a few users → may help lock down insider access, 이 계정이 뚫리면 엑세스 다 허용됨
• Exfiltration: 사람들에게 인터넷 접근 허용은 생산성 증가, 공격자와의 통신채널을 줄 수 있음.

Reference : Network Attacks and Exploitation by Matthew Monte

Life Cycle of an Operation - Principle of humanity

1. Targeting (continual process - back up, seeking another way…)

   1. Identification of the target (which bank to rob)

      1. hard to be alerted (although the best defence is countersurveillance)

   2. Attack strategies and tactics to exploit the network (how to rob)

      1. make the tactic first and seek for the vulnerable network → Strategic Access Operation (look for unspecified target)
      2. At this time, objectivity is onset (as not know what will get)
      3. Any behaviour or information that are for the intrusion are considered as targeting process.

      eg. 어플리케이션 취약점 확인, 이를 사용하는 기업들을 찾아봄, 2009년에 서브웨이가 걸림

      당한 당사자가 아니더라도, 이를 통해 취약점 확인, 보완 하는 방법으로 접근해야 한다.

2. Initial Access - usually from user level (where it gets most monitored)

   1. Penetrating any defensive security.
   2. Gaining Initial Access
      1. Often the easiest and shortest stage
      2. focus of much of the security industry.
      3. Trends shows that there are constant supplies of this stage in the field.

3. Persistence: turning initial access into reoccurring access that sustaining an operation possible.

   1. First defensive action of attacker → consolidation and securing of future access.
      • As the vulnerabilities are 1) unknown for the duration 2) not always work.
   2. Backdoor (attacker’s own form of persistence) are for
      • Normal usage; system restarts; reliable command and control channel.
   3. For elimination of breaking the system again (lower the risk)

4. Expansion (to a target network) - area for defensive network

   1. to establish a persistence (initial access are most monitored access point)
   2. to locate and access wanted data. (as often initial access does not contain the worthy data)

5. Exfiltration (몰래 빼오기) - retrieval of wanted data

   1. ultimate measure of success for strategic and directed collection operations.
   2. Hard for defender as it is subtle to differentiate between normal action and carefully managed malacious action.

6. Detection - occurs when an operation is exposed to the target.

   1. Once the tactic is found, all the efforts made it into are gone.

Principle of Access

The approach the Attacker takes to gain initial access depends on the connectivity of the target network which are:

1. Inbound Access (Can initiate a connection into the network from outside)

   • Public

   • Restricted

     • know: password; VPN key; mouse movement etc.

     • have: physical item - key, cell phone. The possession of the item (such as a random confirmation code via text) 인증서 같은거

     • virtual Location: allowed network address - 지정된 장소에서만 접속가능

       — Above are impersonating “legitimate access”

     • Illegitimate access - Circumvent the application (snapchat - collect other users information)

2. Outbound Access (make user inside the network to do something)

   1. Email-attack

      • Attachment
      • Attack the email system (ideal attack) - only require user to preview or view the email.
      • malicious links - 브라우저/플러그인 을 통한 방법. 현재 시스템들은 취약점이 많아 이 방법에 약하다 (하지만 눌러야 가능)

   2. Website Hijack Attacks (Positional Access Operation)

      • Take over the website and implement some code for the users
      • Cross-site-scripting (XSS) (https://ko.wikipedia.org/wiki/사이트간스크립팅)
        • 웹페이지에 악성 스크립트 삽입
      • Domain name stealing
      • Advertisement Filtering 파고들기

   3. Circumventing Outbound Restirctions

      1. Software running on the host computer

      2. Software/hardware running on the network (difficult as the attacker must gain the access itself)

         —> Even though the attacker has the access key and stuff, it does not mean the attacker has the access to it. Outbound access means the attacker needs to find a way to build the communication channel to access the internal network.

   4. Bidirectional Access - Some user group has access to the network

   5. No Outside Access - Physically separated from the outside (need the breach)

Principle of Economy

1. Time - the most important constraint
2. Targeting Capabilities - 타켓에 대한 이해도
3. Exploitation Expertise - need for initial access, persistence, and expansion
4. Networking Expertise - require through operation but most important during initial access, expansion, ande exfiltration.
5. Software Development Expertise - to create robust attack, data collection, and analysis tool. The programs are
   1. Fault tolerant to the extreme - 문제생기면 재부팅 불가능
   2. Highly efficient ane consume few computing resources or bandwidth
   3. Often explicitly breaks or circumvents OS and program norms
   4. Should work against its counter program
6. Operational Expertise
7. Operational Analysis Expertise
8. Technical Resources

Attacker Structure

1. Targeting - 전체적 작전 지휘 간부진들
2. Door kicking Team - Initial Access 담당 들어가서 커뮤니케이션 설계
3. Rapid analysis team - 들어간 후 정보 분석 (빠르게 진행)
4. Networking Team - 장기적 지속성을 위한 확장및 정보추출 (네트워크로 뺴내야 하니까) + 상쉬 보안 뚫기
5. Maintenance Team - 현재까지 만든것들 관리
6. Infrastructure Team - 이메일, 도메인 등의 정보 추출 통로 포인트 유지 관리

Reference : Network Attacks and Exploitation by Matthew Monte

Mistakes:

Fail Open: Fail to remove a user - leaving an avenue for unauthorised access.

Fail Secure: Fail to add a user.

For security, the trick is to minimize the number of potential systems and processes that fail open and to develop a response plan for those that remain.

Flawed Software:

Coming from mistakes, from the overall design structure, omission.

Inertia:

It requires force to change, where force is the resources and motivation to change and the knowledge that is necessary.

The Security Community:

In finding flaws and fixing them, the security community can make the Attacker’s job paradoxically easier. Patch released —> analyze the patch —> attakc before IT updates the systems.

Complexity:

Complex program, structure makes hard to fix, detect, analyze and implement.

Users:

Hard to deal with people who does not know about the IT

Bad Luck:

yeet

Reference : Network Attacks and Exploitation by Matthew Monte

Failed Tactics

Antivirus and Signature Based Detection

Antivirus: Attacker can buy and test against it.

1. Don’t be on the bad list: if the program not on the antivirus list, theres no code signature.
2. Can avoid doing bad behavioul: thhrough trial and error or reverse engineering.
3. Be stealthy

Signature Based Detection: it does not encounter any strategic principle

1. Information of product Defender use can be obtained easily; by release of partnership companies, or through the access, posititon recruiting.
2. Predictable schedule of updates sequenece (once a year…)

Password Policies

Both ignore the foundational principle of humanity.

1. Choos a strong password - humans are terrible at choosing random passwords (predictable)
2. Avoid reusing passwords - no way to enforce and check among users.

User Training

Unless there are real consequnces to user mistakes, it wont work.

Crafting a Defensive Strategy

1. Avoid recreating the wheel - Start with following the guides
2. Know yourself - what is truly essential.
3. Develp data classification system - apply rist management mentality to what is important (determine value, how much worth to spend on it…)
4. Prioritize the user base by the sensitivity of the a data they can access.
5. Prioritize systems according to how they interact on the network.

Application Whitelisting

Only allowed can play the party

Network Segmentation and Segregation

Segmentation : For attacker has two choices

1. Treat as a single network: sucks resources of attacker as it takes great amount of work by treating each segment as a network. It also dramatically increase the exposure of attacker.
2. Jump between segments: When cross the segements —> creates perfect choke point. Constraints the ability to move and obstructs attackers ability to communicate. Counters Operational security.

Log Analysis

Questionable for preventing. And attacker will sacrifice one and collect the data. And able to do sidestepping. It is good for Defender after a compromise.

Web Domain Whitelisting for All Domains

Only allowed domain can be visited

1. Limits the avenues of infiltration - less vulnerable.
2. Limits Attaker’s option for communication after establish the access.

It is against the foundational principle of humanity.

Deny Direct Accees form Workstation

Needs all outbound access through an authenticating choke point. Great for limiting attacker’s access without limiting uesrs much. It needs innovation, but once set it is good. It dircetly encounter attackers strategy on almost every level.

Reference : Network Attacks and Exploitation by Matthew Monte

If you can forsee its coming, it is not a friction but obstacles

Mistake

No matter the effort expended, mistakes will remain a source of friction.

Complexity

The complexity that makes a network harder to manage, also makes it harder to exploit.

Implementing different systems in the network requires a diff set of tools and skills (Server: Linux. DB: Oracle. Router Huawei)

Complexity requires more time, knowledge, and development to survey, understand, and circumvent. Because the
level of complexity is diffi cult to predict and can severely impact the effi ciency of an operation, it is a friction.

Flawed Attack Tools

1. Best Flaw: Not function, but maintaining persistent access/command/control
2. Loss of access: If not being noticed, it is recoverable if there is backup plan
3. Worst Flaw: Noticeable Side Effect. ig. After the update, repeatedly crashed computer —> drew the attention.

Upgrades and Updates

Upgrade: Introduces a new stuffs that replace an existing ones; may challenge the Attacker’s methods of persistence.

Update: Improvement that leaves substantial portion of the original in place; consititute a substantial threat to maintaining access for the Attacker.

Other Attackers

Other attackers may ruin the operation.

The Security Community

1. Strengthening Defense: sudden intro of new detection tech - only short period of time.
2. Weakening Offense: Google Project Zero - find and fix the vulnerabilities. Or publication of offensive methods

Bad Luck

Unnamed Frictions - anything that can be said unfortunate.

Reference :

• Network Attacks and Exploitation by Matthew Monte

• The Australian National University CECS

Adavanced Persistent Threats

• Technology is the mediunm - it originates from people
• Focus upstream away from APT signatures to APT tradecraft - Understand APT decision and where to look (위 흐름으로 어디서 부터 시작할지)
• Know the complete picture from start to end.
• Greater understanding enablse better profiling

— 즉 여태 있던 것들을 공부함 어디서 시작하는지 모델을 이해하기

• Know networking protocols
• Understand OSI, TCP/IP
• Understand logical Network segment

— 네트워크 기술에 대해 이해가 필요하다

• Comfrotable with Command Line Interface (CLI) - OS
• Understand Components - file system, registry, services…

— 소프트웨어에 대해 이해가 필요하다

Tradecraft Theory (스파이 활동에 필요한 지식의 이론)

1. Targeting: to better plan our approach to the objective.

2. Core tactics

   Leverage

   1. Pivot

      1. Proxy
      2. Tunnel
      3. Shovel

   2. Pillage

      1. Copy
      2. Query
      3. Capture

      Discover

   3. Research

      1. Harvest
      2. Mine

   4. Recon

      1. Scan
      2. Probe

Assure

1. Security
   1. Bootstrap
   2. Beacon
2. Surveillance
   1. Static
   2. Dynamic
3. Stealth
   1. Hide
   2. Clean
   3. Blend
   4. Blind

Access

1. Exploit
   1. Inject
   2. Spoof
   3. Overflow
   4. Script
2. Payload
   1. In-Line
   2. Staged
   3. Kamikaze
3. Vector
   1. Direct
   2. Intercept
   3. Redirect

Cyber Tradeoff 4Ts

1. Target: Establish a detailed model of the target space.
   1. Further analyse the existing target intelligence and derive target intelligence collection requirements. 목표정보 수집및 필요조건 수립
   2. Initial research and reconnaissance against target. 초기조사 및 정찰
   3. Construct five-level target model.
2. Tactics: Design sub-tactic objectives for each target. 목표물에 따른 상세 작전수립
   1. Introduce Discover/Access/Assure/Leverage and corresponding sub-tactics.
   2. Understand tactical goals and considerations - 작전 목표및 고려사항 이해하기
   3. Learn tactical frameworks to structure activities - 작전 체계 배움으로써 실행 구조만들기
3. Techniques: Select best one to achieve the sub-tactic objective. 작전에 따른 기술 선택하기
   1. Identify the range of technique to achieve the goal. - 사용가능 테크닉 찾기
   2. Compare and contrast techniques. - 테크닉 비교 대조하기
   3. Cosiderations in choosing one. - 테크닉 선택 고려하기
4. Tools: Select best one to achieve…
   1. Examine trade-offs between qualities of tools in flexibility and ease of use.
   2. Look at ways to systemize and automate activites (reduce potential error/efficiency…)
   3. Practice procedural use of tools. 연습하기

Case Studies

Black Energy - https://blog.alyac.co.kr/547

엑셀 메일첨부로, 엑셀내 메크로 실행으로 스크립트를 설치, 시스템32에 들어가 파일을 이용 exe파일을 설치및 바로가기 설정이후 스스로를 삭제. 바로가기 설정에 컴퓨터를 킬때마다 파일을 실행하는 스크립트가 시작됨 인터넷 익스프로어러 보안 셋팅을 바꾸고, 관련 웹사이트로 꾸준히 접속 연결을 시도

1. 회사 네트워크와 발전소 네트워크는 방화벽으로 인해 들어갈수 없었음
2. 몇달간동안 회사 네트워크를 스캔, 맵핑을 하고, 윈도우 도메인 컨트롤러에 접근권한을 얻는데 성공
3. 윈도우 도메인 컨트롤러에서 정보를 수집후 이 정보로 방화벽 통과 (페이즈2)
4. 공격시작
   1. 파워 서플라이 프로그램 재설정 성공 (전력 자동 재공급 무력화)
   2. 킬디스크 배포해 워크스테이션 고장 (부팅 안되게함)
   3. 직렬-이터넷 컨버터에 펌웨어 오버라이트 (원격 제어 불가능하게 함)
   4. 전화 시스템 무력화 (손님들에게 전화 안옴)
   5. 파워꺼버림.

APT28 - 러시아 정부에 대한 집단만 타게팅함

대부분의 공격을 이메일 피싱에 의존하고 있음.

1. 메일에 첨부파일 방식 2. 단체에서 제작한 웹사이트 링크걸기 3. 관계자가 자주 사용하는곳들을 감염시켜 침투하는 방법.
2. 메일에 진짜 첨부파일을 같이 보내서 의심을 줄임 (리스트 파일 원래 한개인데 두개 보내는등)
3. 가짜 웹사이트를 만들어서 링크를 타고 온 사람이 로그인을 시도하면 페이지 오류인척, 새로고침 혹은 다시 시도하면 정상 사이트로 보내 아이디 비번 뺏기
4. 가짜 웹사이트 티를 안내기 위해 주소이름이 비슷하게 지음 (폰트를 이용한 착시등)
5. 마이크로소프트 오피스 취약점을 이용하여 (매크로) 침투

이와 같은 방법을 통해 타겟 시스템에 점차적으로 침투함

APT29; Hammertoss and Seaduke

러시가 정부에 청부를 받음. 고위층 개인이나, 정부 조직, 미국및 유럽의 국제 정책및 개인 리서치를 목표

공식인정 받음 서비스들을 이용 (트위터등) 하여 보호자들이 찾기 힘들게 만듬

1. 공식 계정을 생성 (트위터) - 커뮤니케이션 채널 수입
2. 해머토스도 1번과 같이 계정을 만듬
3. 해머토스는 1번계정으로부터 명령을 받음 (안에 방문해야할 링크, 복호화 코드등이 적혀있음)
4. 링크를 타고 들어가서 트위터 사진을 다운받아, 안에 숨겨져 있는 데이터 추출
5. 추출한 데이터의 명령어 수행 (다양한 공격 수행함: 파일삭제, 파일 깃헙업로드, 이메일 통해 빼돌리기, 중요 정보 모아두기등등)
6. 클라우드 서비스로도 업로드 할 수 있었음

Network 이해하기

TCP/IP will aid troubleshooting.

• 인프라의 논리적 구조와 컴퓨터간 통신을 설명한다
• 각 모델은 레이어들의 계급구조로 이루어져 있다
• 낮은 레이어는 윗 레이어를 보조한다
• 절차가 실패했을때, 낮은 레이어부터 위로 점검/고치기 시작한다
• OSI도 좋지만 TCP/IP 가 좀더 우리의 목적에 부합하다

TCP/IP model describes how data is passed

Sending data to applications needs the support of network, internet and transport layers.

• Domain Name: Title or role assigned to computer
• Host Name: Configurable name for computer
• Port: Logical address for application data
  • 어플리케이션 상호 구분을 위해 사용 - 각 프로토컬에 맞게 따라감
  • IP 내에서 프로세스 구분을 위해 사용
  • 80: HTTP, 22: SSH, 53:DNS 혹은 임시포트로 프로세스들에게 임의 사용
• IP address: Logical address for NIC
• MAC: Physical network interface card (NIC) hard-coded ID
  • 데이터 링크 계층의 일부
  • 이더넷 기반 기기에 모두 하나씩 할당된 고유 아이디
  • 앞 24비트는 제조사 코드 뒤 24비트는 기기 고유코드

Networks are segmented physically and logically. (pg 67)

1. Subdomain/zone - controls user and system accessibility to one another.
   1. en.wiki.com 은 wiki.com의 서브 도메인이다.
2. Subnet - A sub portion of IP address (부분망).
   1. bitwise and - create prefix.
   2. subnet host num = 2^(subnet mask - 24)
3. VLAN: LAN에 흐르는 트래픽을 제한하여 불필요한 트래픽 차단
   1. 논리적인 LAN으로 주로 스위치에서 사용된다
   2. 한 장비내에서 브로드캐스트 도메인을 나누는 것
   3. 같은 가상랜 내의 노드들과 통신이 가능하다.
   4. 다른 가상랜은 트래픽을 공유하지 않는다.
   5. 네트워크 성능 효율성이 올라감 - 병목현상 줄이기.

Each Layer purpose

Layer 2 - Data Link: Can I get a past the switch? 스위치 통과 가능한가 (접근 주소 찾았나)

1. Can I see ARP (Address Resolution Protocol) broadcasts (맥-아이피) from the target
2. Am I in a vlan?

Layer 3 - Network: Can I route to the target? 타겟까지 접근 가능한가 (패킷 교환)

1. Is the target receiving my packets
2. Is the target blocking my packets

Layer 4 - Transport: Can I reach the target port? 타겟 포트 가능한가 (포트,프로토콜)

1. Is the port blocked
2. Is the protocol blocked
3. Is the port being used

Reference : Network Attacks and Exploitation by Matthew Monte

Computer Network Exploitation - CNE

• Is computer espionage; stealing of information.
• Encompases gaining access and retriev data.
• It is directed. If the action was from no intent to gather information, it is not CNE.

Comupter Network Attack - CNA

• Is akin to a traditional military attack or sabotage.
• Four Ds: disrupt, deny, degrade, destroy (회방, 방해, 효율 떨어트리기, 파괴)
• Actions and effects that range from the subtle to the catastrophic.

Non-kinetic CNA

• Subset of CNA conducted virtually; 4Ds virtually.
• Not physically initiated acts.

Computer Network Defense (CND)

• Protecting networks from being exploited or attacked.

Computer Network Operation (CNO)

• Is umbrella term of CNE, CNA , and CND.

Operational Objectives

Strategic Collection

• Collecting information for strategic reasons.
• Collection of data over time.
• Requires substantial analytic capabilities for success due to the collected information size.
• The cost is huge, often limited to nation-states or well-funded criminals.

Directed Collection

• Target the collection of information to meet an immediate objective.
• Initial intend of the operation is known from the beginning.
• It may start with short life expectancy, but successful operations will be extended over time.

Non-Kinetic CNA

• Meant to Disrupt, Deny, Degrade, Destroy the operational capability of Computer Network.
• The information is leveraged to cause the damage rather than gathering information like the two aboves.

Strategic Access

• Executed for the purpose of future flexibility
• Unlike strategic collection, it hopes one day the access becomes useful.
• It may be led to other operational categories, or do nothing; nothing defined yet.

Positional Access

• target computers and network that are not the targets but useful to furthering a different objective.
• It may begin with a intent and expect short life, however may be extended like directed collection.
• If it is exetended, it carries the most risk as it may link other operations once detected.

CNE Framework

First Principles

Humanity

• Human Nature. Don’t forget it is the human who deals with.

Access

• There is always someone with the access. It exists for someone who has the access of it

Economy

• Priority, cost and benefit to every action and to every outcome — Money driven.

Principles

Knowledge

• Broad and deep understandingy of computers, network and behavioral and psychologicas characteristics of people and organization.

Awareness

• Mapping of the operational domain, including active detection, monitoring of events in near time (updates…)

Innovation

• Ability to create new technology, leveraging existing technologies, or develop and adapt operational methods to new circumstances.

Precaution

• Minimization of the impact of unwitting actions on an operation.

Operational Security

• Minimization of defender exposure, recognition, and reaction to the existence of an operation.

Program Security

• Containment of damage caused by the compromise of an operation.

Themes

Diversity

• Leveraging a wide range of tool, tech, development methods, network sig, infra, and operational methods…

Stealth

• Leveraging tools, tech, and methods that are hidden from view or unlikely attract attention.

Redundancy

• Reasonable fail-safes, backups, and contingency plans for foreseeable setbacks, and obstacles.

Themes must be considered within the broader stretegic centext.