“Adversarial tradecraft” in the context of cybersecurity refers to the tactics, techniques, and procedures (TTPs) employed by cyber adversaries, often with malicious intent, to compromise or exploit computer systems, networks, and information. It involves the study and analysis of how threat actors operate, the tools they use, and the strategies they employ to achieve their objectives. Identifying human-on-human conflicts and their relation to “computer conflict” is central to understanding adversarial tradecraft in cybersecurity.
Understanding adversarial tradecraft is crucial for cybersecurity professionals and organizations to enhance their security measures, detect potential threats, and respond effectively to cyber incidents. By studying the methods employed by attackers, cybersecurity experts can develop better defenses, identify vulnerabilities, and improve incident response capabilities.
Although it can be exciting to cover all aspects of cybersecurity (offense versus defense, network defender circumventions, the “adversarial game”, the defender’s perspective, other actors’ motivations, etc.), you will get nowhere without setting up a solid foundation. Tradecraft in cybersecurity is not an easy game to play, so identifying and understanding the core principles is the first step towards gaining an advantage in the adversarial game of computer defense in real time.
What types of human-on-human conflict should analysts expect?
Adversarial tradecraft encompasses a wide range of activities, including but not limited to:
- Malware Development: Creating malicious software to compromise systems or steal information.
- Social Engineering: Manipulating individuals to disclose sensitive information or perform actions that could lead to a security breach.
- Phishing: Using deceptive emails, messages, or websites to trick individuals into revealing confidential information.
- Exploiting Vulnerabilities: Identifying and taking advantage of weaknesses in software, hardware, or configurations to gain unauthorized access.
- Persistence: Establishing a long-term presence on a compromised system to maintain access and control.
- Evasion Techniques: Employing methods to avoid detection by security measures, such as antivirus software or intrusion detection systems.
- Credential Theft: Acquiring usernames and passwords through various means to gain unauthorized access to systems or accounts.
- Command and Control (C2): Setting up mechanisms for remote control of compromised systems.
- Data Exfiltration: Stealing and transferring sensitive data from a compromised environment to an external location.
- Lateral Movement: Moving through a network to explore and compromise other connected systems.
Adversarial tradecraft involves the continuous development and adaptation of strategies by cyber adversaries to bypass security measures and achieve their goals. Cybersecurity professionals need to stay informed about evolving adversarial tactics to defend effectively against cyber threats. Without a solid understanding of how to approach tradecraft in cybersecurity, you may find your active defenses collapse the moment a live intruder hits your production environment.
What does adversarial tradecraft look like in real life?
Although it would be satisfying to think that simply focusing on the categories of “adversarial tradecraft” techniques would be enough to protect against even experienced hackers, we need to look at actual compromises to go beyond a basic knowledge of adversarial operations and principles. Here are some real-life examples of adversarial tradecraft in action, illustrating various tactics commonly used by cyber adversaries:
- Malware Development: Stuxnet Worm
  - Stuxnet is a sophisticated worm that targeted supervisory control and data acquisition (SCADA) systems. It was designed specifically to damage Iran’s nuclear program by disrupting industrial processes. Stuxnet is an example of state-sponsored malware with highly advanced capabilities.
- Social Engineering: CEO Fraud
  - In CEO fraud, attackers use social engineering techniques to impersonate a company executive and trick employees into transferring funds or sensitive information. In 2016, the CEO of a social media company fell victim to a phishing attack, resulting in the compromise of employee tax information.
- Phishing: NotPetya Ransomware Attack
  - The NotPetya ransomware attack in 2017 originated from a phishing campaign that targeted a Ukrainian accounting software company. The attackers compromised the software’s update mechanism, distributing malware to users who unknowingly installed the malicious update. The attack caused widespread damage globally. To this day, security operations center analysts are still wrestling with the fallout left behind by this devastating piece of malware.
- Exploiting Vulnerabilities: Equifax Data Breach
  - In 2017, the Equifax data breach occurred due to a vulnerability in the Apache Struts web application framework. Attackers exploited this vulnerability to gain unauthorized access to sensitive data, including the personal information of millions of consumers.
- Persistence: APT29 (Cozy Bear)
  - APT29, attributed to Russian state-sponsored actors, is known for its advanced persistent threat (APT) capabilities. The group demonstrates persistence by maintaining long-term access to targeted networks. For example, APT29 was involved in the breach of the Democratic National Committee (DNC) in 2016.
- Evasion Techniques: Fileless Malware
  - Fileless malware operates in a system’s memory, leaving little to no trace on disk, which makes it challenging to detect. In 2017, the PowerShell-based fileless malware known as “Katz” was used to target organizations in Europe, employing sophisticated evasion techniques to avoid traditional security measures.
- Credential Theft: Target Corporation Data Breach
  - In the Target data breach of 2013, attackers gained access to the company’s network using stolen credentials from a third-party vendor. The stolen credentials provided initial access, and the attackers eventually compromised point-of-sale systems, leading to the theft of credit card information.
- Command and Control (C2): FinFisher Spyware
  - FinFisher is a type of spyware that provides remote control capabilities. In 2014, a report revealed that FinFisher had been used by governments for surveillance purposes. The spyware allows attackers to monitor and exfiltrate data from infected systems.
- Data Exfiltration: Sony Pictures Entertainment Hack
  - In 2014, Sony Pictures Entertainment experienced a significant cyber attack that involved the exfiltration of vast amounts of sensitive data, including unreleased movies, executive emails, and employee information. The attackers, allegedly linked to North Korea, used destructive malware to cover their tracks.
- Lateral Movement: WannaCry Ransomware Attack
  - The WannaCry ransomware, which struck in 2017, used a leaked NSA exploit (EternalBlue) to propagate laterally within networks. Once a system was infected, WannaCry sought to spread to other vulnerable systems on the same network, causing a global impact on organizations and critical infrastructure. Extensive research has since been carried out to give cybersecurity analysts a solid understanding of the long-term effects of this malware, but experienced hackers tend to turn to similar, modified forms of WannaCry when engaging in real-time computer conflict.
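The worm-like lateral movement described for WannaCry has a simple network signature a defender can look for: one host reaching many distinct internal hosts on the SMB port within a short window. The following is an added example (not code from the original article or from any WannaCry analysis) that runs such a detection over constructed flow records; it assumes TCP/445 as the SMB port and treats the window and threshold as tunable parameters.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records for illustration (timestamp src dst dst_port); not a real capture.
# 10.0.1.15 sweeps six hosts on 445 in seconds (worm-like), 10.0.1.16 talks repeatedly to one
# file server (benign), 10.0.1.40 is HTTPS, and 10.0.1.30 touches five hosts but minutes apart.
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.20 445
2017-05-12T10:00:02 10.0.1.15 10.0.1.21 445
2017-05-12T10:00:02 10.0.1.15 10.0.1.22 445
2017-05-12T10:00:03 10.0.1.15 10.0.1.23 445
2017-05-12T10:00:04 10.0.1.15 10.0.1.24 445
2017-05-12T10:00:04 10.0.1.15 10.0.1.25 445
2017-05-12T10:00:05 10.0.1.16 10.0.1.5 445
2017-05-12T10:00:07 10.0.1.16 10.0.1.5 445
2017-05-12T10:00:08 10.0.1.40 10.0.1.5 443
2017-05-12T10:03:00 10.0.1.30 10.0.1.50 445
2017-05-12T10:06:00 10.0.1.30 10.0.1.51 445
2017-05-12T10:09:00 10.0.1.30 10.0.1.52 445
2017-05-12T10:12:00 10.0.1.30 10.0.1.53 445
2017-05-12T10:15:00 10.0.1.30 10.0.1.54 445
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into (datetime, src, dst, port) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def detect_worm_like_spread(flows, port=445, window_s=60, threshold=5):
    """Return {src: peak_distinct_dsts} for sources that reached at least
    `threshold` distinct destinations on `port` inside any `window_s`-second span."""
    by_src = defaultdict(list)
    for ts, src, dst, p in flows:
        if p == port:
            by_src[src].append((ts, dst))
    window, alerts = timedelta(seconds=window_s), {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside window_s.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts
```

Repeated connections to a single file server never raise the distinct-destination count, so ordinary SMB use stays quiet while a sweep trips the rule; widening the window shows why the threshold and window must be tuned together.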
These examples highlight the diverse and evolving nature of adversarial tradecraft, demonstrating the importance of a multi-faceted approach to cybersecurity defense. Blue team techniques should be systematized and discussed with security engineers to ensure that effective principles of computer conflict are in place before the threat of a breach arises. For support in putting this system together, we advise using the MITRE ATT&CK framework or the Lockheed Martin Cyber Kill Chain. When you have the foundations in place, it will be easier to master the cutting-edge techniques that grant a research advantage to both offensive and defensive teams working in cybersecurity.