Proper Planning and Preparation Prevents Piss Poor Penetrations
I was asked for good references on the pre-operation phases of hacking. I recommended Matt Monte’s “Network Attacks and Exploitation: A Framework” and Bill McRaven’s “Spec Ops: Case Studies in Special Operations Warfare: Theory and Practice”. The Monte book is the best book on cyber written so far. It covers a lot of theory, practice and first principles that few people really know or consider. McRaven’s book is the best explanation of how successful hacker attacks achieve success.
The concepts McRaven puts forward, relative superiority (the point at which the attacking force gains a decisive advantage over a larger or better-defended enemy) and the six principles of special operations, are basically the core of good hacking:
– PLAN: simplicity
– PREPARE: security, repetition
– EXECUTE: surprise, speed, purpose
Simplicity: a plan without a lot of complicated moving parts or dependencies on loads of other things all lining up just right at the right time. The recipe for success starts with a simple plan.
Security means secrecy. If the target learns that an operation is planned, the operation is jeopardised. Literally OPSEC!
Repetition: the actions taken during the op should be routine, like muscle memory. By the time they are performed live they should already be rehearsed and practised. This reduces delays and errors.
Surprise: the adversary should not expect to be attacked in that place at that time. Surprise gives the attackers relative superiority over the defenders, increasing the chance of success and buying more time on target before the defenders can respond. That time on target is still the period of vulnerability, though, so as an attacker you want to keep it as short as possible.
Speed comes back to the period of vulnerability. The operation is vulnerable from the moment the operators are committed (i.e. past the point of no return). From then until the objectives are complete, the operation is both vulnerable and at risk of failure. The best plans minimise this time in whatever manner makes the most sense. Going very slowly and staying very stealthy to reduce the risk of detection can be better than simply going fast. A long-term espionage operation is an example of the former; ransomware is an example of the latter.
Once the operators achieve relative superiority, their likelihood of achieving their objectives goes way up. They are in the right place, they are the superior element in the area, and the defenders probably aren’t even aware that anything has happened. The operators then achieve their mission objective(s). They are still in the period of vulnerability, though, and remain there until the operation is completed or the goal of the operation has been achieved.
For example, the objective of the operation may be to steal the source code of Software Project A, while the goal of the campaign is to insert a backdoor into the distributed program so that specific targets are infected via their supply chain. If the attack is discovered before the backdoor has been added, the software pushed out to victims and the target infected, the campaign is a failure. So although the operation may be done, the campaign can still be in its period of vulnerability.
This extended period of vulnerability, driven by the need for secrecy, is one aspect unique to cyber, because so much of it is espionage-like. The campaign has to stay secret, or the targets and victims can counter it.
Purpose. This is an important one because it differentiates the hackers from the kidiots. An operation has a reason; it has objectives and goals; it fits into a broader plan. The operators, when they are on target, are not confused or curious and wandering around. They are goal-oriented and driven. They know what they need to do, how to do it and where to do it. They are focussed on achieving their objectives and completing the mission.
Hackers with purpose know what they are doing. Literally: they know which actions bring them closer to their objectives and which are a waste of time (and therefore extend their stay in the period of vulnerability, jeopardising the entire campaign).
A good example here is Phineas Fisher’s Hacking Team hack. There was a plan: find sensitive information and leak it, with the goal of damaging the company. That gave Phineas purpose. There was no wandering around just to play with new systems; the primary objective was to find and exfiltrate sensitive data, and until that data was found and exfiltrated, the operation was not done.
Simplicity. Security, repetition. Surprise, speed, purpose. These are the key elements of a successful hack.