Adversarial Tradecraft in Cybersecurity

By: Dan Borges

Overview of this book

Little has been written about what to do when live hackers are on your system and running amok. Even experienced hackers tend to choke up when they realize the network defender has caught them and is zeroing in on their implants in real time. This book provides tips and tricks along the entire kill chain of an attack, showing where hackers can gain the upper hand in a live conflict and how defenders can outsmart them in this adversarial game of computer cat and mouse. Each chapter contains two subsections, one focused on the offensive team and one on the defensive team. It begins by introducing you to adversarial operations and the principles of computer conflict, where you will explore the core principles of deception, humanity, economy, and more about human-on-human conflicts. You will also learn everything from planning to setting up the infrastructure and tooling that both sides should have in place. Throughout the book, you will learn how to gain an advantage over opponents by disappearing from what they can detect. You will further learn how to blend in, uncover other actors' motivations and means, and tamper with them to hinder their ability to detect your presence. Finally, you will learn how to gain an advantage through advanced research and by thoughtfully concluding an operation. By the end of this book, you will have a solid understanding of cyberattacks from both an attacker's and a defender's perspective.

References

  1. Etherpad-lite – A real-time and collaborative note-taking application that can be privately hosted: https://github.com/ether/etherpad-lite
  2. Dokuwiki – A simple open-source wiki solution that includes templates, plugins, and integrated authentication: https://github.com/splitbrain/dokuwiki
  3. EKM – Enterprise Key Management, a feature of Slack that lets organizations use their own cryptographic keys to secure communications and logs: https://slack.com/enterprise-key-management
  4. A chat application that includes strong cryptographic user verification – Melissa Chase, Trevor Perrin, and Greg Zaverucha, 2019, The Signal Private Group System and Anonymous Credentials Supporting Efficient Verifiable Encryption: https://signal.org/blog/pdfs/signal_private_group_system.pdf
  5. Professional fighter Georges St-Pierre on the importance of innovation: https://www.theglobeandmail.com/report-on-business/careers/careers-leadership/professional-fighter-georges-st-pierre-on-the-importance-of-innovation/article11891399/#
  6. SANS – Paid-for Online Cybersecurity Training: https://www.sans.org/online-security-training/
  7. Open Security Training – Free, high-quality information security courses, with college-level production: https://opensecuritytraining.info/Training.html
  8. Cybrary – Free information security courses, including a skill path, with an impressive production value: https://app.cybrary.it/browse/refined?view=careerPath
  9. CrowdStrike CTO Explains "Breakout Time" — A Critical Metric in Stopping Breaches: https://www.crowdstrike.com/blog/crowdstrike-cto-explains-breakout-time-a-critical-metric-in-stopping-breaches/
  10. OSQuery: https://github.com/osquery/osquery
  11. GRR – Open-source EDR framework for Windows, Linux, and macOS: https://github.com/google/grr
  12. Wazuh – Open-source EDR framework that is an evolution of the OSSEC project. Supports Windows, Linux, and macOS: https://github.com/wazuh/wazuh
  13. Velociraptor – Open-source EDR framework, inspired by GRR and OSQuery. Supports Windows, Linux, and macOS: https://github.com/Velocidex/velociraptor
  14. Snort User Manual – Open-source network intrusion detection system for Windows and Linux: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/
  15. What is Suricata? – Open-source network intrusion and prevention system. Multi-threaded engine designed for Linux systems: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/What_is_Suricata
  16. Zeek Documentation – An evolution of Bro IDS, a network IDS that collects logs and metrics on various protocol data: https://docs.zeek.org/en/master/
  17. Port Mirroring for Network Monitoring Explained: https://blog.niagaranetworks.com/blog/port-mirroring-for-network-monitoring-explained
  18. Tcpdump: A simple cheatsheet – a command-line tool for acquiring network captures: https://www.andreafortuna.org/2018/07/18/tcpdump-a-simple-cheatsheet/
  19. What is Wireshark?: https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs
  20. Adding a basic dissector – Wireshark includes a framework to write custom modules that can parse new protocols in Wireshark: https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html
  21. tshark Examples – Theory & Implementation: https://www.activecountermeasures.com/tshark-examples-theory-implementation/
  22. Josh Johnson, Implementing Active Defense Systems on Private Networks: https://www.sans.org/reading-room/whitepapers/detection/implementing-active-defense-systems-private-networks-34312
  23. Filebeat – A lightweight logging application: https://www.elastic.co/beats/filebeat
  24. Configure Computers to Forward and Collect Events: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)
  25. Splunk: User Behavior Analytics – A feature that allows for anomaly detection in user activities by base-lining users over time: https://www.splunk.com/en_us/software/user-behavior-analytics.html
  26. HELK, The Threat Hunter's Elastic Stack: https://github.com/Cyb3rWard0g/HELK
  27. The Elastic Stack: https://www.elastic.co/elastic-stack
  28. VAST, a SIEM for network data: https://github.com/tenzir/vast
  29. Cortex, a SOAR application to go with TheHive: https://github.com/TheHive-Project/Cortex
  30. TALR – Threat Alert Logic Repository: https://github.com/SecurityRiskAdvisors/TALR
  31. OpenIOC, an open-source alerting format with combinatory logic: https://github.com/mandiant/OpenIOC_1.1
  32. COPS – Collaborative Open Playbook Standard: https://github.com/demisto/COPS
  33. ElastAlert – Easy & Flexible Alerting With Elasticsearch: https://elastalert.readthedocs.io/en/latest/elastalert.html
  34. TheHive, an alert management system: https://github.com/TheHive-Project/TheHive
  35. MISP – Threat Intelligence Sharing Platform: https://github.com/MISP/MISP
  36. CRITS – an open-source project that uses Python to manage threat intelligence: https://github.com/crits/crits/wiki
  37. Windows Sysinternals – Advanced Windows system utilities, includes many functions and useful tools for incident responders: https://docs.microsoft.com/en-us/sysinternals/
  38. YARA in a nutshell: https://virustotal.github.io/yara/
  39. Binwalk, automated artifact extraction: https://github.com/ReFirmLabs/binwalk
  40. Scalpel, targeted artifact extraction: https://github.com/sleuthkit/scalpel
  41. MITRE ATT&CK Compromise Application Executable: https://attack.mitre.org/techniques/T1577/
  42. Redline – A free FireEye product that allows for memory capture and analysis on Windows systems: https://www.fireeye.com/services/freeware/redline.html
  43. The Sleuth Kit, an open-source framework for forensic analysis of disk images: https://www.sleuthkit.org/
  44. Volatility Framework – Volatile memory extraction utility framework: https://github.com/volatilityfoundation/volatility
  45. BLUESPAWN, a defender's multitool for hardening, hunting, and monitoring: https://github.com/ION28/BLUESPAWN
  46. BLUESPAWN: An open-source active defense and EDR solution: https://github.com/ION28/BLUESPAWN/blob/master/docs/media/Defcon28-BlueTeamVillage-BLUESPAWN-Presentation.pdf
  47. PE-Sieve, an in-memory scanner for process injection artifacts: https://github.com/hasherezade/pe-sieve
  48. Viper, a Python platform for artifact storage and automated analysis: https://github.com/viper-framework/viper
  49. Cuckoo Sandbox, a dynamic sandbox for teasing out executable functionality: https://github.com/cuckoosandbox/cuckoo
  50. BoomBox, an automated deployment of Cuckoo Sandbox: https://github.com/nbeede/BoomBox
  51. INetSim, a fake network simulator for dynamic sandbox solutions: https://github.com/catmin/inetsim
  52. VirusTotal – An online application that offers basic static analysis, anti-virus analysis, and threat intel analysis on a particular file: https://www.virustotal.com/gui/
  53. JoeSecurity – A commercial online dynamic sandbox application that offers rich executable information: https://www.joesecurity.org/
  54. ANY.RUN – A free dynamic sandboxing application for Windows executables: https://any.run/
  55. Hybrid Analysis – A dynamic sandboxing solution with both free and paid offerings, supports CrowdStrike intelligence: https://www.hybrid-analysis.com/
  56. CyberChef, an open-source, data sharing and transformation application: https://github.com/gchq/CyberChef
  57. Pure Funky Magic – An open-source data transformation application written in Python: https://github.com/mari0d/PFM
  58. What is Maltego?: https://docs.maltego.com/support/solutions/articles/15000019166-what-is-maltego-
  59. Security Onion 2 – An evolution of Security Onion, designed to support signal generation, log aggregation, and full SIEM-like capabilities: https://www.youtube.com/watch?v=M-ty0o8dQU8
  60. 14 Cybersecurity Metrics + KPIs to Track: https://www.upguard.com/blog/cybersecurity-metrics
  61. Carlos Perez, Are we measuring Blue and Red Right?: https://www.darkoperator.com/blog/2015/11/2/are-we-measuring-blue-and-red-right
  62. John Lambert Twitter quote on offensive research: https://twitter.com/johnlatwc/status/442760491111178240
  63. AutoRecon, automated scanning tools: https://github.com/Tib3rius/AutoRecon
  64. Scantron, a distributed scanning solution with a web interface: https://github.com/rackerlabs/scantron
  65. nmap vulners, an advanced vulnerability scanning module for nmap: https://github.com/vulnersCom/nmap-vulners
  66. OpenVAS, an open-source vulnerability scanning solution: https://github.com/greenbone/openvas
  67. Metasploit, a modular, open-source scanning, exploitation, and post-exploitation framework: https://github.com/rapid7/metasploit-framework
  68. Metasploit Resource Scripts – A type of scripting for automating the Metasploit framework, including post-exploitation functionality: https://docs.rapid7.com/metasploit/resource-scripts/
  69. PowerView: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
  70. BloodHound – A tool for querying Windows domains and mapping their trust relationships in a Neo4j graph database: https://github.com/BloodHoundAD/BloodHound
  71. CobaltStrike – A popular commercial command and control framework that includes a GUI and a scripting language called Aggressor Script: https://www.cobaltstrike.com/
  72. Empire – A popular open-source command and control framework, supports both Windows and macOS, includes many post-exploitation features: https://github.com/BC-SECURITY/Empire
  73. Burp Suite – The de facto web proxy for web application hacking, includes a free version and a commercial version with advanced features: https://portswigger.net/burp
  74. Taipan – Web application vulnerability scanner, includes both a community version and a commercial version: https://taipansec.com/index
  75. Sqlmap – Automated vulnerability scanner focused on SQL Injection: https://github.com/sqlmapproject/sqlmap
  76. Jeff McJunkin's blog post on measuring Nmap's performance and improving it with Masscan: https://jeffmcjunkin.wordpress.com/2018/11/05/masscan/
  77. EternalBlue: https://en.wikipedia.org/wiki/EternalBlue
  78. Gscript, a cross-platform dropper in Go: https://github.com/gen0cide/gscript
  79. Garble, a Go-based obfuscation engine: https://github.com/burrowers/garble
  80. Operations security: https://en.wikipedia.org/wiki/Operations_security
  81. Fat Rodzianko's blog post on domain fronting in Azure: https://fatrodzianko.com/2020/05/11/covenant-c2-infrastructure-with-azure-domain-fronting/
  82. The C2 Matrix – An open-source collection of various command and control frameworks comparing their features: https://www.thec2matrix.com/matrix
  83. Sliver, an open-source C2 framework written in Go: https://github.com/BishopFox/sliver
  84. Cracklord, an application for managing hash cracking jobs, written in Go: https://github.com/jmmcatee/cracklord
  85. CeWL – Custom Word List generator: https://github.com/digininja/CeWL
  86. Kali Linux – A collection of offensive security tools in a bootable Linux distro: https://www.kali.org/
  87. Red Team Metrics Quick Reference Sheet: https://casa.sandia.gov/_assets/documents/2017-09-13_Metrics_QRS-Paper-Size.pdf