Cyber Guerilla 2016 by Unknown


Author:Unknown
Language: eng
Format: epub


FIGURE 3.2 ■ The Pyramid of Pain. The better an organization is able to detect the types of indicators at the top of the pyramid, the more pain it causes attackers, who must change their offensive behaviors to stay undetected.

In the cyber defense industry, monitoring levels are typically modeled after the so-called "pyramid of pain" principle (Fig. 3.2). This model shows the relationship between the specific types of indicators the defensive teams might use to detect attackers' activities and how much pain they can inflict on the attackers when they are able to deny these indicators to them. Indicators can be, from bottom to top: hash values of malicious files (computed), IP addresses used by the attacker (atomic), domain names used by the attacker (atomic), network/host artifacts (computed and atomic), tools used by the attacker (behavioral), and TTPs (behavioral). The better the defensive organization is at detecting indicators at the top of the pyramid, the more pain it inflicts on the hacker group, which must change its behavior and stop generating those indicators before its chance of detection drops again. We will use the pyramid of pain model to define the maturity levels of monitoring an organization might have:

1. No monitoring/ad hoc detection and responsive measures. Focuses on the lower part of the pyramid.

2. Limited monitoring (eg, network-based or host-based only). Focuses on the middle part of the pyramid.

3. Extensive monitoring and follow-up (eg, asset-based/data-centric). Focuses on the top part of the pyramid.
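The pyramid's point is easiest to see with the same attack run twice. The following is an added example written for this edition of the text, not code from the book: a port scan is logged once from a known attacker address with a known tool, then again after the attacker changes both. Matching on the IP address or the tool's hash (bottom of the pyramid) catches only the first run; a detector written against the behavior itself (the TTP, top of the pyramid) catches both. Every address, hash, host name and connection record below is constructed for illustration.

```python
"""Added example (not from the book): atomic/computed indicator matching
versus behavioral (TTP) detection on a constructed connection log."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Conn:
    ts: int           # seconds since start of the capture (constructed)
    src: str
    dst: str
    dport: int
    tool_sha256: str  # hash of the binary that opened the connection (constructed)


def fake_hash(label: str) -> str:
    """Stand-in for a real file hash; derived from a label so it is stable."""
    return hashlib.sha256(label.encode()).hexdigest()


# Indicators the defender kept from an earlier incident (bottom of the pyramid).
KNOWN_BAD_IPS = {"203.0.113.10"}              # atomic (RFC 5737 documentation range)
KNOWN_BAD_HASHES = {fake_hash("scanner-v1")}  # computed


def atomic_hits(conns: List[Conn]) -> List[Conn]:
    """Exact matches on source IP address or tool hash."""
    return [c for c in conns
            if c.src in KNOWN_BAD_IPS or c.tool_sha256 in KNOWN_BAD_HASHES]


def behavioral_hits(conns: List[Conn], window: int = 60,
                    min_ports: int = 20) -> List[Tuple[str, str, int]]:
    """Top of the pyramid: the TTP itself. One source touching at least
    `min_ports` distinct ports on one destination within `window` seconds is
    reported as a port scan, whatever address or binary performed it."""
    by_pair: Dict[Tuple[str, str], List[Conn]] = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst)].append(c)
    hits: List[Tuple[str, str, int]] = []
    for (src, dst), recs in by_pair.items():
        recs.sort(key=lambda c: c.ts)
        for i, start in enumerate(recs):
            # distinct ports inside the window that begins at this record
            ports = {c.dport for c in recs[i:] if c.ts - start.ts <= window}
            if len(ports) >= min_ports:
                hits.append((src, dst, len(ports)))
                break
    return hits


def scan(src: str, dst: str, t0: int, ports, tool_hash: str) -> List[Conn]:
    """Constructed log of `src` probing `ports` on `dst`, one probe per second."""
    return [Conn(t0 + i, src, dst, p, tool_hash) for i, p in enumerate(ports)]


# First campaign: known IP and known tool.
CAMPAIGN_1 = scan("203.0.113.10", "10.0.0.5", 0, range(1, 31), fake_hash("scanner-v1"))
# Second campaign: new IP and a recompiled tool. Cheap for the attacker, and
# enough to defeat every indicator in KNOWN_BAD_*.
CAMPAIGN_2 = scan("198.51.100.7", "10.0.0.5", 1000, range(1, 31),
                  fake_hash("scanner-v1-rebuilt"))
# Ordinary traffic: a workstation using three services over ten minutes.
BENIGN = [Conn(t, "10.0.0.42", "10.0.0.5", p, fake_hash("browser"))
          for t, p in ((0, 443), (200, 445), (400, 80), (600, 443))]

if __name__ == "__main__":
    for name, log in (("campaign 1", CAMPAIGN_1), ("campaign 2", CAMPAIGN_2),
                      ("benign", BENIGN)):
        print(name, "atomic:", len(atomic_hits(log)),
              "behavioral:", behavioral_hits(log))
```

The behavioral rule is deliberately crude (a fixed port count in a fixed window); in practice the thresholds are tuned against the organization's own baseline, and a slow scan spread over days will slip under it. The point survives that caveat: the attacker evades the first detector by changing two values and the second only by changing how the scan is done.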

Ad hoc detection

Obviously, attacking an entity with no or limited monitoring is not very difficult. It does not require much planning and preparation other than finding the right target within the entity and launching the initial compromise attack. Specific TTPs can be determined during execution of the campaign. Once initial access to the target is obtained, open-source and well-known scanning and hacking tools can be used to achieve the guerilla's goals, as it is simply not required to keep a low profile. The usage of these tools increases the efficiency of the campaign, especially in larger networks where it can be very time-consuming to find the logical path from the initial compromised system to the goal systems. For example, consider a multinational or government, which typically use class A-size (/8) internal networks that contain more than 16 million IP addresses. Finding interesting systems can be hard and time-consuming if it has to be performed manually. However, in an organization with limited monitoring, simple network scanning tools can easily be used to fingerprint network services and determine the functionality of systems. Each type of system has its own "fingerprint" of available network services. For example, Windows domain controllers expose the specific combination of TCP ports 88 (Kerberos) and 389 (LDAP), Linux systems typically have TCP port 22 (SSH) open, and an Oracle database system typically listens on TCP port 1521. Depending on the speed of the network, a class A network can easily be scanned in hours or days with such tools. Better yet, once interesting systems have been identified,
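The port "fingerprints" named above turn directly into a small triage script that runs over scan output. The following is an added example, written for this edition and not taken from the book: it parses a constructed scan in nmap's grepable (-oG) format, keeps the open TCP ports per host, and reports every role whose signature is fully present, most specific first. The three signatures are the ones the text gives; the Kerberos/LDAP/TNS service labels in the comments are my annotations, and the scan lines and 10.1.2.0/24 addresses are constructed, not real scan data. Port-based role guesses are a heuristic: a host that matches should still be confirmed through its service banners or version probes before it is treated as a domain controller or database.

```python
"""Added example (not from the book): infer system roles from the open-port
fingerprint of each host in a constructed nmap -oG scan."""
from typing import Dict, List, Set

# Role -> set of TCP ports that must all be open for the role to match.
SIGNATURES: Dict[str, Set[int]] = {
    "Windows domain controller": {88, 389},   # Kerberos + LDAP
    "Oracle database": {1521},                 # Oracle TNS listener
    "Linux/Unix host (SSH)": {22},
}


def parse_gnmap(text: str) -> Dict[str, Set[int]]:
    """Return {host: set of open TCP ports} from nmap -oG output.
    Comment lines and 'Host:' lines without a 'Ports:' field (the status-only
    lines nmap emits for each live host) are skipped."""
    hosts: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue
        open_ports: Set[int] = set()
        for entry in ports_field[len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            # entry layout: port/state/protocol/owner/service/rpc info/version/
            if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                open_ports.add(int(parts[0]))
        hosts[host] = open_ports
    return hosts


def classify(text: str) -> Dict[str, List[str]]:
    """Map each scanned host to the roles whose signature is a subset of its
    open ports, largest signature first, then alphabetically."""
    result: Dict[str, List[str]] = {}
    for host, ports in parse_gnmap(text).items():
        roles = [role for role, sig in SIGNATURES.items() if sig <= ports]
        roles.sort(key=lambda r: (-len(SIGNATURES[r]), r))
        result[host] = roles
    return result


# Constructed scan of four RFC 1918 hosts (not real scan data).
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.94 scan initiated (constructed sample)",
    "Host: 10.1.2.3 ()\tStatus: Up",
    "Host: 10.1.2.3 ()\tPorts: 88/open/tcp//kerberos-sec///, "
    "389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)",
    "Host: 10.1.2.10 ()\tPorts: 22/open/tcp//ssh///, "
    "1521/open/tcp//oracle///\tIgnored State: closed (998)",
    "Host: 10.1.2.20 ()\tPorts: 22/open/tcp//ssh///, "
    "139/closed/tcp//netbios-ssn///\tIgnored State: filtered (998)",
    "Host: 10.1.2.30 ()\tPorts: 80/open/tcp//http///, "
    "443/open/tcp//https///\tIgnored State: closed (998)",
])

if __name__ == "__main__":
    for host, roles in classify(SAMPLE_GNMAP).items():
        print(host, "->", ", ".join(roles) or "no known signature")
```

Against a real /8 the same script would be fed the -oG file of a staged scan (live hosts first, then the handful of ports that distinguish the roles of interest) rather than a full port sweep, which is what keeps the job to hours rather than days.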


