
Corporate offensive operations guide

2022-06-23 17:45:00 Khan security team

Starting from the least complex, lowest business risk and most agile options, we have:

  • Local deception: any network deception that can be implemented inside the corporate environment, for example honeytokens, honeypots, honeynets, canary tokens, decoy/fake networks, etc., in order to lure adversaries into a tightly controlled environment and monitor their activity, and/or to detect them quickly and deny/disrupt their operation.
    • Offensive action: lure the adversary into acting, which gives you the tactical advantage of detecting and responding.
    • Complexity: low/medium
    • Business risk: low (because these deception operations must be kept secret, they can have a negative effect on employee perception and add process complexity inside the security team).
  • Infrastructure takedown: reporting malicious infrastructure and requesting its removal through the service provider, or directly through the hosting company. This includes requests to remove phishing domains, malware hosting servers, e-mail accounts, etc.
    • Offensive action: depending on the takedown, this can degrade, deny, disrupt or destroy an adversary's operation, which imposes the cost of rebuilding their infrastructure.
    • Complexity: low/medium
    • Business risk: medium. The process needs to be clearly defined to avoid problems such as requesting the removal of legitimate infrastructure, affected companies raising legal issues, leaking sensitive information through the takedown request, etc.
  • Indirect public disclosure: some threat intelligence providers and national CERTs allow anonymous reporting/public disclosure of intelligence reports. This lets a company publicly disclose details that would otherwise carry the operational risks of the "Public disclosure" operation described below.
    • Offensive action: force the adversary to change their TTPs (which costs them money and delays their operations), let the world know what the adversary did and how they did it, and enable nation-state actors or other companies to use the public material as supporting evidence in more aggressive offensive operations.
    • Complexity: low
    • Business risk: low, with careful anonymization.
  • Active dark web monitoring: here this term refers to any operation that gains access to and monitors the adversary's communication channels (for example Telegram groups, dark web forums, etc.) to learn about attacks against your business as early as possible and take appropriate measures. For most companies this is done through threat intelligence providers.
    • Offensive action: infiltrate the adversary's communication platforms and collect intelligence on their activities.
    • Complexity: low/medium
    • Business risk: low when done through a vendor; medium when developed in-house, because it requires strict discipline, processes, OPSEC measures, legal and privacy sign-off, etc.
  • Collaboration with authorities: proactively contacting law enforcement and/or intelligence agencies to help them take action against specific adversaries, for example by giving them evidence or information that only your company holds.
    • Offensive action: the possibility of nation-state action against your adversary, for example prosecution, foreign/external action, sanctions, covert operations, etc.
    • Complexity: medium
    • Business risk: there are obvious risks, namely the company becoming associated with a specific government and/or political affiliation, accidentally getting involved in unrelated government matters, becoming a "proxy" of your authorities, being treated by other countries as an agent of a nation state/government, etc.
  • Legal action: any legal action your company may take against adversaries, for example cease and desist letters, seizure of malicious infrastructure, criminal complaints against a specific adversary, sanctions, etc.
    • Offensive action: an active and public way of disrupting and destroying adversarial activity by legitimate means.
    • Complexity: medium/high
    • Business risk: medium/high. This requires experienced investigators, digital forensics experts with actual legal/prosecution experience, a criminal case and evidence handling process, experienced legal resources, an appetite for public exposure, and of course accepting that your adversary now knows what you know and that you can always lose the case once it reaches court.
  • Public disclosure: this is a foreign policy tool of many nation-state actors, and it can also be used by private companies. By letting everyone know who is targeting you, especially nation-state actors, you give the world ammunition: any other nation state can use that information against your adversary without your direct involvement.
    • Offensive action: expose an operation that was intended to stay hidden, push the adversary to change strategy, and give the adversary's opponents the chance to use the disclosed material against them.
    • Complexity: medium/high
    • Business risk: medium/high. Such disclosure can attract a lot of negative press and also reveals what you know, which means the adversary may use more advanced techniques the next time they attack your company. In addition, nation states may request your support in legal proceedings. For a less risky approach, see the "Indirect public disclosure" operation.
  • Remote passive SIGINT (signals intelligence): obtaining signals (typically raw network traffic or raw communications) through third parties such as data brokers or threat intelligence providers, to help you proactively identify adversarial activity.
    • Offensive action: examine data collected outside your organization to proactively identify and deny adversarial activity against your company.
    • Complexity: medium
    • Business risk: low. The only risk is making sure you do not use illegal or dubious services and instead rely on industry-standard, well-known vendors.
  • Remote deception operations: creating false information about your company, fake public services, fake leaked documents with tracking tokens, etc. This is a lighter version of the "Sting operations" discussed later.
    • Offensive action: hunt adversaries by luring them with false targets so that you catch them before they target the company's real assets.
    • Complexity: medium
    • Business risk: low. It is mainly a matter of having strong processes to avoid operational security mistakes that could jeopardize your own security, keeping those processes well managed, and running on a need-to-know basis.
  • Breach data exploitation: taking data from data breaches and using it to detect adversarial activity, or as intelligence that helps you proactively protect your company. Examples include proactively discovering infrastructure used for malicious purposes, accounts used by adversaries, de-anonymization, etc.
    • Offensive action: use data that was meant to stay secret from the organization that owned it to better understand your adversaries.
    • Complexity: medium
    • Business risk: medium. There is a lot of legal and ethical debate around breach data and its use, which may have some business impact on the company. In addition, handling such data brings complexity in access management, auditability of who did what and why, retention policies, and so on, which means additional resources, technology and processes may be needed.
  • False flag operations: an advanced offensive technique in which you lure the adversary into a line of thinking that you can exploit to act against them. For example, making it look as if information about the adversary has leaked, or making them believe that their own rivals have compromised their systems.
    • Offensive action: dynamically and proactively change the adversary's TTPs by making them believe what you want them to believe instead of what is actually happening.
    • Complexity: medium/high
    • Business risk: medium/high. These operations require very careful planning and discipline and can easily backfire in many ways, including negative media attention, pushing adversaries towards more advanced techniques, legal action by government agencies whose operations you may have interfered with, achieving the opposite effect, and so on.
  • CNA operations: computer network attack (CNA) operations are any activity that degrades, interrupts or disrupts the adversary's infrastructure and resources. Examples include denial of service attacks, taking down their resources, flooding their resources (mass mailing, automated calls, etc.), creating countless fake accounts on their platforms, spam, feeding them false data, etc.
    • Offensive action: keep the adversary busy responding to the CNA operation instead of carrying out their intended malicious activity.
    • Complexity: high
    • Operational risk: high. This is a very grey area that can get the company treated as a criminal entity. It requires very thorough legal and business alignment on how, why, by whom, when and where such activities are carried out, and in most cases most companies cannot (legally) perform them.
  • Sting operations: here defenders try to infiltrate a group by posing as criminals, set up fake websites to recruit cyber criminals, and carry out similar actions, with the ultimate goal of penetrating the adversary's organization.
    • Offensive action: proactively identify adversarial plans and deny them by applying the appropriate security controls.
    • Complexity: high
    • Operational risk: high. For most companies this cannot legally be done, although some may be able to achieve it in collaboration with the authorities. The risk is high on many levels, from public relations to influencing law enforcement to privacy and legal issues.
  • Takeover operations: in a takeover operation, a private company uses its knowledge and resources to take control of infrastructure operated by the adversary. This not only imposes the cost of new infrastructure on the adversary, but also reveals details of their TTPs, identifiable information that links them to their real identities, etc.
    • Offensive action: deny the adversary access, sabotage or degrade their operations, and collect most of their digital capabilities and information.
    • Complexity: high
    • Operational risk: high. In the past these were very common, but as the internet has become more regulated and controlled, takeovers can have very serious legal and public relations consequences for a business. Today they are usually limited to specific companies and government entities operating in this sector. Others can still carry them out, but it is a complex process with many moving parts.
  • Online HUMINT (human intelligence): these operations aim to exploit human weaknesses (for example social engineering, recruiting insiders, etc.) both to understand and penetrate adversarial groups/networks and to disrupt their operations from within. For example, recruiting (or becoming) an influential member and creating tension in the group, shifting the group's focus from operations to internal conflict through debate, creating divisions among members, etc.
    • Offensive action: depending on the level, anything from collecting intelligence on the adversary's TTPs, to proactively protecting your assets, to creating internal conflict that ultimately leads to the disruption or complete destruction of a group. In some cases the tensions may lead members to report on each other.
    • Complexity: high
    • Operational risk: high. These operations are usually limited to nation-state actors with dedicated resources for such clandestine activity. Private companies supporting them is not unheard of, but given the potential consequences from the adversaries and from the relevant authorities, the risk is quite high.
  • 3rd/4th party collection: simply put, this can be seen as an escalation of the "Takeover operations" discussed earlier. The operation involves not only taking over the adversary's infrastructure, but also using it to collect data from wherever that infrastructure has access. For example, you may have taken over a command and control server and found VPN connections to some of the servers the threat actor uses; you use them to access and gather intelligence and/or disrupt their operations. This can also go several levels deep on the other side, for example using the C&C to send commands to the infected hosts (the hosts the attacker has compromised) and collect data from them (or perform other actions).
    • Offensive action: leverage adversarial infrastructure at multiple levels, masking your activity behind the taken-over systems. This can be used for anything from intelligence gathering to sabotage, degradation and denial.
    • Complexity: high
    • Operational risk: high. These operations are usually limited to nation-state actors with dedicated resources for such clandestine activity. For any private company, attempting this would be complex and risky, because it involves breaking into systems at multiple levels.
  • CNE operations: this means identifying and exploiting vulnerabilities in order to conduct computer network exploitation (CNE) operations against adversaries. For example, finding a software vulnerability in their malware that lets you take over their C&C, or finding a misconfiguration on their operating hosts that lets you get in, etc. This is what is commonly called hacking.
    • Offensive action: leverage adversarial infrastructure. This can be used for anything from intelligence gathering to sabotage, degradation and denial.
    • Complexity: high
    • Operational risk: high. These operations are usually limited to nation-state actors with dedicated resources for such clandestine activity. For any private company, attempting this would be complex and risky, because it involves breaking into systems.
  • Automated CNE: scaling "CNE operations" by automating the exploitation steps. In other words, developing the capability not only to exploit identified vulnerabilities in adversarial infrastructure, but to exploit all existing and newly deployed adversarial infrastructure automatically (or on demand through automation), with no (or minimal) human interaction.
    • Offensive action: leverage adversarial infrastructure. This can be used for anything from intelligence gathering to sabotage, degradation and denial.
    • Complexity: high
    • Operational risk: high. These operations are usually limited to nation-state actors with dedicated resources for such clandestine activity. For any private company, attempting this would be complex and risky, because it involves breaking into systems.
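The honeytoken/canary-token items under "Local deception" and the fake leaked documents with tracking tokens under "Remote deception operations" both rest on the same mechanism: mint a token an adversary cannot guess, plant it where only an adversary would touch it, and alert the moment it surfaces. The Python below is an added example, not code from the Khan security team or from the original post. It mints tokens bound to an HMAC tag (so scanners probing random URLs never produce a valid hit), records where each token was planted, and scans nginx/Apache "combined" format access log lines for touches. The secret, the `/c/<token>` URL scheme, the planting labels and the log lines are all constructed for the example and are assumptions, not anything the page describes.

```python
"""Canary tokens: mint, plant, detect (added example; constructed data)."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Assumed secret for the example. In production, keep it in a secret store,
# never in the same place the tokens are planted.
CANARY_SECRET = b"example-canary-secret-not-for-production"

# Assumed URL scheme: a planted document links to https://decoy.example/c/<token>
CANARY_PATH_RE = re.compile(r"^/c/(?P<token>[0-9a-f]{32})(?:[/?].*)?$")

# nginx/Apache "combined" log format; the constructed sample lines below use it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


@dataclass(frozen=True)
class CanaryHit:
    token: str
    label: str        # where the token was planted
    src_ip: str
    user_agent: str


def _tag(nonce: str, secret: bytes) -> str:
    """16 hex chars of HMAC-SHA256 over the nonce: the authenticity tag."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()[:16]


def mint_token(label: str, registry: dict, secret: bytes = CANARY_SECRET) -> str:
    """Mint a 32-hex token = 16-hex random nonce + 16-hex HMAC tag.

    The tag means a scanner guessing /c/<anything> cannot forge a valid
    token, so every verified hit is a real touch of planted material.
    """
    nonce = secrets.token_hex(8)
    token = nonce + _tag(nonce, secret)
    registry[token] = label
    return token


def verify_token(token: str, secret: bytes = CANARY_SECRET) -> bool:
    """Check the HMAC tag without consulting the registry (constant-time compare)."""
    if not re.fullmatch(r"[0-9a-f]{32}", token):
        return False
    nonce, tag = token[:16], token[16:]
    return hmac.compare_digest(tag, _tag(nonce, secret))


def scan_log(lines, registry: dict, secret: bytes = CANARY_SECRET):
    """Return a CanaryHit for every request that touches a planted token."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line
        pm = CANARY_PATH_RE.match(m.group("path"))
        if not pm:
            continue                      # ordinary request, not a canary path
        token = pm.group("token")
        # Verify first: a token that fails the tag check is noise, not a hit.
        if verify_token(token, secret) and token in registry:
            hits.append(CanaryHit(token, registry[token], m.group("ip"), m.group("ua")))
    return hits


def demo():
    """Plant two tokens, then scan constructed log lines. Returns the hits."""
    registry = {}
    planted = mint_token("fake Q3 forecast planted on the decoy share", registry)
    mint_token("honeytoken in the internal wiki", registry)   # never touched below
    forged = "0" * 32   # right shape, wrong tag: must not alert
    # Constructed log lines (addresses taken from the documentation ranges).
    lines = [
        f'203.0.113.7 - - [23/Jun/2022:17:45:00 +0000] "GET /c/{planted} HTTP/1.1" 200 512 "-" "curl/7.81.0"',
        f'198.51.100.9 - - [23/Jun/2022:17:46:10 +0000] "GET /c/{forged} HTTP/1.1" 404 0 "-" "masscan/1.3"',
        '192.0.2.4 - - [23/Jun/2022:17:47:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
        'garbage line that does not parse',
    ]
    return scan_log(lines, registry)


if __name__ == "__main__":
    for hit in demo():
        print(f"ALERT canary {hit.token} ({hit.label}) fetched by {hit.src_ip} UA={hit.user_agent}")
```

Only the request for the genuinely planted token produces an alert; the forged token of the right shape and the ordinary page request are ignored. The registry is what turns a hit into context (which decoy document, which deception campaign), so it belongs with the security team on a need-to-know basis, as the "Remote deception operations" entry above recommends.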

Copyright notice
This article was written by [Khan security team]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/01/202201061159167555.html