{"id":674,"date":"2019-11-11T16:05:42","date_gmt":"2019-11-11T15:05:42","guid":{"rendered":"https:\/\/lab52.es\/blog\/?p=674"},"modified":"2019-11-11T16:09:15","modified_gmt":"2019-11-11T15:09:15","slug":"cna-tactics-a-first-approach","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/cna-tactics-a-first-approach\/","title":{"rendered":"CNA tactics: a first approach"},"content":{"rendered":"\n<p>Today\u2019s post is a doctrinal and metaphysical one\u2026 really, it\u2019s a pain. You\u2019ve been warned \ud83d\ude42<\/p>\n\n\n\n<p>While talking about Computer Network Operations (CNO) we consider three capabilities or actions: CND, CNA and CNE (Defence, Attack and Exploitation respectively). While CND is obviously about the technological defence of IT infrastructures against attacks that are also technological -not about a missile destroying your datacenter-, CNE operations and capabilities are focused on information gathering and exploitation through computer networks: nowadays we call it cyber espionage. 
On the other hand, Computer Network Attack refers to purely destructive operations, the famous \u201c4D\u201d: disrupt, deny, degrade and destroy.<\/p>\n\n\n\n<p>Every actor that performs Computer Network Operations develops TTP (Tactics, Techniques and Procedures) to achieve its goals. Without discussing formal definitions from US military references, tactics specify <strong>what<\/strong> an actor is doing, techniques specify <strong>how<\/strong> a tactic is implemented, and procedures define a particular implementation of a given technique; this approach, from a high level down to an operative one, defines the behavior of an actor, very similar to what we usually call its <em>modus operandi<\/em>.<\/p>\n\n\n\n<p>As these TTP are crucial to threat modeling, for example to APT modeling, helping analysts to know an actor\u2019s actions -and its attribution-, much work has been done to identify and structure TTP (really, much work has been done to identify tactics and techniques, not procedures, which depend even on the operator or analyst). Without any doubt, the biggest (or at least one of the biggest) efforts is MITRE ATT&amp;CK, an open source of information about the tactics and techniques of advanced hostile actors. But this effort, including the enormous work done by MITRE, has been focused mainly on tactics and techniques linked to CNE, more than to CNA; in fact, until this year, ATT&amp;CK did not reference CNA ones, and now it only identifies a tactic named \u201cImpact\u201d that groups all the -more or less- destructive techniques, from defacement to wiping or information destruction.<\/p>\n\n\n\n<p>What could be the cause of this inattention to destructive tactics and techniques? 
In our opinion, there are two reasons: the first one is that most actions linked to advanced actors are CNE operations, cyber espionage; and the second one is that almost any serious CNA operation requires previous CNE activity against the target, in order to steal information and gain knowledge about its processes, which lets the attacker cause a major impact. But during the last years, CNA operations from advanced actors -for example, APT28- are on the rise, especially if we consider attacks against essential systems, including control systems, which may cause a severe physical impact on their target and on society.<\/p>\n\n\n\n<p>In this way, it\u2019s mandatory to identify and structure the tactics and techniques linked to CNA operations, at least as they are for CNE ones; little work has been done in the CNA area, especially when compared to CNE, and sometimes it\u2019s necessary to look at the doctrine developed regarding Electronic Attack, a capability inside Electronic Warfare, which sits at the same level as CNO inside Information Operations.<\/p>\n\n\n\n<p>We can begin with the easiest task: the tactics. What are the tactics linked to CNA activities? Earlier in this post we referred to the \u201c4D\u201d: degradation, disruption, denial and destruction. <strong>Degradation<\/strong> of a target denies its access or operation at a certain level, represented by a percentage; if this percentage is 100%, we talk about <strong>disruption<\/strong>, a denial of access or of operation that is full but temporary. 
For example, a distributed denial of service (DDoS) against a web server can degrade its access or can disrupt it, but when the attack stops the web server can be accessed without any problem (note the temporary factor in the definition); on the other hand, a <strong>destruction<\/strong> attack against a target denies its access or operation completely and irreparably: it cannot perform any function or be restored to a usable condition without being entirely rebuilt.<\/p>\n\n\n\n<p>So, where is denial as a tactic inside CNA? Modern doctrines don\u2019t consider this \u201cD\u201d a tactic, but a kind of metatactic, a goal to be achieved by means of the other three \u201cD\u201d; in other words, we can deny the access or the operation of a target by degrading, disrupting or destroying it, so <strong>denial<\/strong> can be seen as an umbrella term for the pure tactics inside CNA: degradation, disruption and destruction.<\/p>\n\n\n\n<p>Apart from these \u201c3D\u201d, and also in modern doctrines, there is a fourth tactic in CNA operations: <strong>manipulation<\/strong>, to control or to change information, the systems that support it or the target\u2019s networks in a manner that supports the attacker&#8217;s objectives (in this case, denial in all of its modes: degradation, disruption and destruction). So, what is the difference between a manipulation that achieves a degradation and a direct degradation as a tactic? It\u2019s a very subtle one: mainly, manipulation refers to a manner that is not immediately apparent or detected. 
A DDoS (degradation or disruption) or a ransomware attack (destruction) is immediately identified by the victim\u2026 if the tactic were manipulation, the attack wouldn\u2019t be detected immediately and would extend over time, so the impact would a priori be higher.<\/p>\n\n\n\n<p>In summary, while talking about CNA capabilities or operations, we identify four big tactics to be considered: degradation, disruption, destruction and manipulation. So, where are the techniques linked to each of them? This work is more complex and has fewer references, so it\u2019s ongoing work for a new post\u2026<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today\u2019s post is a doctrinal and metaphysical one\u2026 really, it\u2019s a pain. You\u2019ve been warned \ud83d\ude42 While talking about Computer Network Operations (CNO) we consider three capabilities or actions: CND, CNA and CNE (Defence, Attack and Exploitation respectively). While CND is obviously about the technological defence of IT infrastructures against attacks that are also technological -not about a 
[&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":675,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[21,17,20,19,18,16],"tags":[],"class_list":{"0":"post-674","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-apt","8":"category-cna","9":"category-cne","10":"category-cno","11":"category-cyberattack","12":"category-ttp","13":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/11\/work-933061_1920-600x400.jpg","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/11\/work-933061_1920-600x600.jpg","author_info":{"display_name":"Dex","author_link":"https:\/\/lab52.io\/blog\/author\/dex\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/674"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=674"}],"version-history":[{"count":1,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/674\/revisions"}],"predecessor-version":[{"id":676,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/674\/revisions\/676"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/675"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=674"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=674"},
{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=674"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}