
Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to make threat actors work harder and fail more often

02 July 2020

By Ollie Whitehouse

tl;dr

Today we’ve released a whitepaper on the key techniques that continue to enable us to breach the largest and most sophisticated organisations on the planet. Organisations that prioritize these areas, and the mitigations we outline, will thwart attacks while making threat actors work harder and ultimately fail more often.

Objective

The purpose of this paper is to help organisations prioritise their security activities so that they thwart, as efficiently as possible, the attack techniques that have been successfully used during Red Team engagements and in real-world offensive operations by threat actors.

Our recommendations are born of experience from real-world offensive campaigns and of the things that make our operatives' lives more stressful, make them less likely to succeed, force them to take greater risks and leave them overall less effective.

What we cover

Each stage of an attack is described with a reference to the corresponding MITRE ATT&CK technique. In reality, the attacker wins most of the time because of poor operational hygiene, inside and outside of the organisation, in relation to digital assets.

This poor hygiene provides the window for initial compromise, regularly coupled with an inability to detect, contain or effectively respond to a breach.

  • The reconnaissance phase
    • Information is everywhere (ATT&CK TA0015, TA0016, T1526)
  • In Phase
    • Exploitation of Vulnerabilities (ATT&CK T1190)
    • External Authentication Exploitation (ATT&CK T1078)
    • Phishing & Vishing (ATT&CK T1192, T1193, T1194, TA0003)
    • Using Internal Information Repositories (ATT&CK T1213, T1039, T1081)
    • Maintaining and Elevating Access Through Movement (ATT&CK T1075, T1076, T1028)
    • Using the Access Already Secured (ATT&CK T1078)
    • Exploitation of Centralized Identity and Access Management (ATT&CK T1078)
  • Out Phase
    • Securing the Required Access (ATT&CK T1078)
    • Objective Actions

Getting the Paper

You can download the paper here; it is part of our bi-monthly Insight Space, which covers a range of business and technical cyber security issues.

Feedback and Further Discussion

If you have feedback or would like to discuss further, you can e-mail me at ollie.whitehouse[@]nccgroup.com or reach me at @ollieatnccgroup on Twitter.

Thanks

Thanks to the numerous people across our global offensive and defensive capabilities who contributed their insights and wisdom.

Ollie Whitehouse

Formerly Group CTO for NCC Group, 2017 - 2022