Today’s post is a doctrinal and metaphysical one… really, it’s a pain. You’ve been warned 🙂
When talking about Computer Network Operations (CNO) we consider three capabilities or types of action: CND, CNA and CNE (Defence, Attack and Exploitation respectively). CND is obviously about the technological defence of IT infrastructures against technological attacks (not about a missile destroying your datacenter). CNE operations and capabilities are focused on information gathering and exploitation through computer networks: what we nowadays call cyber espionage. Computer Network Attack, on the other hand, refers to purely destructive operations, the famous “4D”: disrupt, deny, degrade and destroy.
Every actor that performs Computer Network Operations develops TTP (Tactics, Techniques and Procedures) to achieve its goals. Without going into the formal definitions from US military references, tactics describe what an actor is doing, techniques describe how a tactic is implemented, and procedures define a particular implementation of a given technique. This progression, from a high level down to an operational one, describes the behaviour of an actor, very close to what we usually call its modus operandi.
As these TTP are crucial to threat modeling (for example, to APT modeling), helping analysts to understand an actor’s actions and to attribute them, much work has been done to identify and structure TTP (really, much work has been done to identify tactics and techniques, not procedures, which may depend even on the individual operator or analyst). Without any doubt, the biggest (or at least one of the biggest) efforts is MITRE ATT&CK, an openly available knowledge base of the tactics and techniques used by advanced hostile actors. But this effort, including the enormous work done by MITRE, has mainly focused on tactics and techniques linked to CNE rather than to CNA; in fact, until this year ATT&CK did not reference CNA ones at all, and now it only identifies a single tactic, named “Impact”, that groups all the more or less destructive techniques, from defacement to wiping or data destruction.
What could be the cause of this inattention to destructive tactics and techniques? In our opinion there are two reasons. The first is that most actions linked to advanced actors are CNE operations, cyber espionage. The second is that almost any serious CNA operation requires previous CNE activity against the target, in order to steal information and gain knowledge of its processes, which is what allows the attacker to cause a major impact. But in recent years CNA operations by advanced actors (APT28, for example) have been on the rise, especially if we consider attacks against essential systems, including control systems, which may cause a severe physical impact on the target and on society.
For this reason it is necessary to identify and structure the tactics and techniques linked to CNA operations, at least to the extent that has been done for CNE ones. Little work has been done in the CNA area, especially compared to CNE, and sometimes it is necessary to look at the doctrine developed for Electronic Attack, a capability within Electronic Warfare, which sits at the same level as CNO inside Information Operations.
We can begin with the easiest task: the tactics. What are the tactics linked to CNA activities? Earlier in this post we referred to the “4D”: degradation, disruption, denial and destruction. Degradation of a target denies its access or operation to a certain level, which can be represented as a percentage; if this percentage reaches 100%, we talk about disruption: a complete but temporary denial of access or operation. For example, a distributed denial of service (DDoS) against a web server can degrade access to it or disrupt it entirely, but when the attack stops the web server can be accessed again without any problem (note the temporary factor in the definition). A destruction attack, on the other hand, denies access to or operation of the target completely and irreparably: it cannot perform any function or be restored to a usable condition without being entirely rebuilt.
So, where is denial as a tactic within CNA? Modern doctrine does not consider this “D” a tactic but rather a kind of meta-tactic, a goal that can be achieved by means of the other three “D”s. In other words, we can deny access to or operation of a target by degrading, disrupting or destroying it, so denial can be seen as an umbrella term for the pure tactics within CNA: degradation, disruption and destruction.
Apart from these “3D”, and also in modern doctrine, there is a fourth tactic in CNA operations: manipulation, that is, controlling or changing information, the systems that support it or the target’s networks in a manner that supports the attacker’s objectives (in this case, denial in any of its modes: degradation, disruption or destruction). So what is the difference between a manipulation that achieves a degradation and degradation itself as a tactic? It is a very subtle one: essentially, manipulation is carried out in a manner that is not immediately apparent or detected. A DDoS (degradation or disruption) or a ransomware attack (destruction, at least when the encrypted data cannot be restored) is immediately identified by the victim; had the tactic been manipulation, the attack would not have been detected immediately and would have extended over time, so a priori its impact would have been higher.
In summary, when talking about CNA capabilities or operations, we identify four main tactics to be considered: degradation, disruption, destruction and manipulation. So, where are the techniques linked to each of them? That is a more complex job with fewer references, so it is work in progress for a future post…