Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to make threat actors work harder and fail more often

tl;dr

Today we’ve released a whitepaper on the key techniques that continue to enable us to breach the largest and most sophisticated organisations on the planet. Organisations that prioritize these areas, and the mitigations we outline, will thwart attacks while making threat actors work harder and ultimately fail more often.

Objective

The purpose of this paper is to assist organisations in prioritising their security activities so that they can thwart, in the most efficient way possible, the attack techniques successfully utilised during Red Team engagements and other offensive operations by real-world threat actors.

Our recommendations are born out of experience from real-world offensive campaigns and from those things that make our operatives' lives more stressful and make them less likely to succeed, take greater risks and be less effective overall.

What we cover

Each stage of an attack is described alongside the respective MITRE ATT&CK technique for further reference. In reality, the attacker wins most of the time because of poor operational hygiene inside and outside of the organisation in relation to digital assets.

This poor hygiene provides the window for initial compromise, and is regularly coupled with an inability to detect, contain or effectively respond to a breach.

  • The reconnaissance phase
    • Information is everywhere (ATT&CK TA0015, TA0016, T1526)
  • In Phase
    • Exploitation of Vulnerabilities (ATT&CK T1190)
    • External Authentication Exploitation (ATT&CK T1078)
    • Phishing & Vishing (ATT&CK T1192, T1193, T1194, TA0003)
    • Using Internal Information Repositories (ATT&CK T1213, T1039, T1081)
    • Maintaining and Elevating Access Through Movement (ATT&CK T1075, T1076, T1028)
    • Using the Access Already Secured (ATT&CK T1078)
    • Exploitation of Centralized Identity and Access Management (ATT&CK T1078)
  • Out Phase
    • Securing the Required Access (ATT&CK T1078)
    • Objective Actions

Getting the Paper

You can download the paper here which is part of our bi-monthly Insight Space covering a range of business and technical cyber security issues.

Feedback and Further Discussion

If you have feedback or would like to discuss further you can e-mail me on ollie.whitehouse[@]nccgroup.com or get me @ollieatnccgroup on Twitter.

Thanks

Thanks to the numerous people across our global offensive and defensive capabilities who contributed their insights and wisdom.