book

Adversarial Tradecraft in Cybersecurity

by Dan Borges

June 2021

Intermediate to advanced

246 pages

7h 40m

English

Packt Publishing

Read now

Unlock full access

Who this book is forWhat this book coversTo get the most out of this bookGet in touch
Adversarial theoryCIAAANGame theoryPrinciples of computer conflictOffense versus defensePrinciple of deceptionPrinciple of physical accessPrinciple of humanityPrinciple of economyPrinciple of planningPrinciple of innovationPrinciple of timeSummaryReferences
Essential considerationsCommunicationsLong-term planningExpertiseOperational planningDefensive perspectiveSignal collectionData managementAnalysis toolingDefensive KPIsOffensive perspectiveScanning and exploitationPayload developmentAuxiliary toolingOffensive KPIsSummaryReferences
Gaining the advantageOffensive perspectiveProcess injectionIn-memory operationsDefensive perspectiveDetecting process injectionPreparing for attacker techniquesThe invisible defenseSummaryReferences
Offensive perspectivePersistence optionsLOLbinsDLL search order hijackingExecutable file infectionCovert command and control channelsICMP C2DNS C2Domain frontingCombining offensive techniquesDefensive perspectiveC2 detectionICMP C2 detectionDNS C2 detectionPersistence detectionDetecting DLL search order hijackingDetecting backdoored executablesHoney tricksHoney tokensHoneypotsSummaryReferences
Offensive perspectiveClearing logsHybrid approachRootkitsDefensive perspectiveData integrity and verificationDetecting rootkitsManipulating attackersKeeping attackers distractedTricking attackersSummaryReferences
Offensive perspectiveSituational awarenessUnderstanding the systemClear the Bash historyAbusing DockerGleaning operational informationKeyloggingScreenshot spyGetting passwordsSearching files for secretsBackdooring password utilitiesPivotingSSH agent hijackingSSH ControlMaster hijackingRDP hijackingHijacking other administrative controlsDefensive perspectiveExploring users, processes, and connectionsRoot cause analysisKilling malicious processesKilling connections and banning IPsNetwork quarantineRotating credentialsRestricting permissionsChattr revisitedchrootUsing namespacesControlling usersShut it downHacking backHunting attacker infrastructureExploiting attacker toolsSummaryReferences
Gaming the gameOffensive perspectiveThe world of memory corruptionTargeting research and prepTarget exploitationCreative pivotingDefensive perspectiveTool exploitationThreat modelingOperating system and application researchLog and analyze your own dataAttributionSummaryReferences
Offensive perspectiveExfiltrationProtocol tunnelingSteganographyAnonymity networksEnding the operationProgram security versus operational securityTaking down infrastructureRotating offensive toolsRetiring and replacing techniquesDefensive perspectiveResponding to an intrusionThe big flipThe remediation effortA post-mortem after the incidentForward lookingPublish resultsSummaryReferences

Content preview from Adversarial Tradecraft in Cybersecurity

4 Blending In

In the last chapter, we saw a reaction correspondence that naturally developed when attackers realized they could circumvent dead disk forensic analysis, the established forensic method at the time. We also saw what happened when the defense reacted to this strategy, using technologies like memory scanning, EDR solutions, and network analysis. Where once attackers avoided non-repudiation by operating in memory, now defenders have logs of parent-child relationships, remote thread creations, or anomalous process memory, for example. This means attackers are not necessarily invisible when operating in memory; on the contrary, they may set off alerts if the defense is well instrumented. To counter this new reaction correspondence or ...