
The analysis of the raw dumps of the NSA and CIA tools and documentation provides a useful starting point for information security researchers to conduct further research into the tactics and techniques employed by highly resourced attackers.

9.2. CONTRIBUTIONS OF RESEARCH

The deep dive into the Unix and SWIFT network intrusions provides details of the techniques and tactics used by attackers to break into networks and spread laterally before exfiltrating data. Defenders can use this to inform their defensive strategy by considering what tactics would be required to defend against these and newer attack types such as fileless malware.

Many of the exploits and attacks that are performed by nation state actors are well within the reach of skilled individuals. These actors actively seek out research from security researchers and malware authors to reuse for their own purposes. The converse also holds true, as evidenced by the approach used in this thesis, where defenders can learn from attackers.

Attackers place great emphasis on maintaining covertness as being discovered would likely cause the achievement of their goals to be denied. A further downside would be unwanted attention via attribution, which attackers seek to mitigate through obfuscation and misdirection so that attacks are incorrectly attributed to third parties. Defenders should be aware that the perceived source of the attack is easily manipulated through falsifying forensic artefacts and using third party networks to launch attacks. A defence based on blocking attacks based on the source networks is trivial for any but the most inept attacker to overcome.

By understanding the tactics and techniques of attackers rather than the specific implementations thereof, defenders are able to take action against both known and unknown attacks. There is not a one-to-one mapping of attacks to defences but rather a many-to-one mapping. One attack can be used across multiple technology areas. Fortunately, as discussed in this research, some defences, e.g., network monitoring, can be used against many types of attacks.

Tools, be they technologies, implementations or approaches, can be used for both defence and attack. For example, encryption can be used by defenders to protect against interception by attackers, who can in turn ensure secrecy of their communications by the same means. Legal restrictions on encryption would result in law-abiding people being at greater risk than before while not impacting those who are unwilling to comply with the law or are outside the law's jurisdiction.

One of the key conclusions of the research is that in the face of superior attacker technology, i.e., the zero-day exploit of an unknown vulnerability, the defender has to resort to tactics to negate the technological and knowledge advantage. Such tactics can include detecting and alerting on the attack, or slowing down the attacker through the use of compartmentalization (for example, network segmentation) and misdirection. This increases the chance of detection and the amount of time available to react.

Many attacker techniques and defender tactics are discussed in Chapters 5 and 6 respectively, with Chapter 8 describing considerations such as the lower start-up cost of attackers due to modern technology.

Additional tactics available to defenders include capturing malware samples for analysis. These can be analyzed in-house or made available to security researchers. By making analysis of malware public, defenders can pool their resources to blunt the effectiveness of attacker techniques. This also reduces the attackers' return on investment in vulnerability and exploit research by reducing the number of times an exploit can be reused.

Attackers also employ tactics such as circumventing or bypassing security controls rather than defeating them outright. These tactics range from malware development techniques, to using OS functionality and operating purely in memory to deny PSPs the ability to analyse files residing on disk.

Defenders should not rely on attackers maintaining past behaviour to detect their actions. They should instead control their landscape so that when the attacker makes changes, even if they are ephemeral in nature, they can detect them. Similarly, by creating external observability of a system attackers will not be able to hide their actions should they succeed in compromising the system.

How air-gaps are defeated by electromagnetic emanations is described along with measures to defend against such air-gap hopping attacks. Similarly, the generic problem of side-channels is considered and deemed to be due to unintentional design oversights that allow information regarding secrets to be leaked or deduced.

Defenders can dramatically increase the risk for attackers by causing the attacker's successful access of decoy information to reveal their attack. This can be done through the use of honeytokens in, e.g., databases, DNS and directory systems, which have no legitimate use and raise alerts when accessed. By exploiting the asymmetry in information as to what should and should not be accessed, defenders are able to increase the difficulty for attackers to remain undetected.
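The honeytoken tactic described above, as an added example that is not part of the thesis: a small detector that scans constructed DNS query, database audit and directory bind log lines for access to planted decoy values. The honeytoken names, the log formats and the sample lines are all hypothetical; the point is that because nothing legitimate ever references a honeytoken, every hit is a high-confidence alert, and one client touching several tokens stands out as enumeration.

```python
"""Honeytoken alerting over sample log lines (added example, not from the thesis)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed honeytoken registry. These values are hypothetical; in practice
# they are planted in the DNS zone, the database user table and the directory,
# and no legitimate process ever references them.
HONEYTOKENS = {
    "dns": {"backup-vault.corp.example"},
    "db_user": {"svc_legacy_reports"},
    "ldap_dn": {"cn=finance-admin,ou=service,dc=corp,dc=example"},
}


@dataclass(frozen=True)
class Alert:
    source: str   # which system observed the access
    token: str    # the honeytoken that was touched
    client: str   # source address of the access
    line: str     # raw log line, kept for the analyst


# Log formats are constructed for this example; adapt the patterns to real sources.
DNS_RE = re.compile(r"client (?P<client>[\d.]+)#\d+.*?: query: (?P<name>\S+) IN")
DB_RE = re.compile(r"db-audit user=(?P<user>\S+) src=(?P<client>[\d.]+)")
LDAP_RE = re.compile(r'ldap-bind dn="(?P<dn>[^"]+)" src=(?P<client>[\d.]+)')


def scan_line(line: str) -> Optional[Alert]:
    """Return an Alert if the line records access to a honeytoken, else None."""
    m = DNS_RE.search(line)
    if m:
        name = m.group("name").rstrip(".").lower()
        if name in HONEYTOKENS["dns"]:
            return Alert("dns", name, m.group("client"), line)
        return None
    m = DB_RE.search(line)
    if m:
        if m.group("user") in HONEYTOKENS["db_user"]:
            return Alert("database", m.group("user"), m.group("client"), line)
        return None
    m = LDAP_RE.search(line)
    if m:
        dn = m.group("dn").lower()
        if dn in HONEYTOKENS["ldap_dn"]:
            return Alert("directory", dn, m.group("client"), line)
    return None


def scan_lines(lines):
    """Scan many log lines; every returned alert is high-confidence by construction."""
    alerts = []
    for line in lines:
        alert = scan_line(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


def alerts_by_client(alerts):
    """Group alerts by source address: one client touching several tokens is a
    strong sign of deliberate enumeration rather than a stray misconfiguration."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a.client].append(a)
    return dict(grouped)


# Constructed sample log lines: normal activity plus one client (10.1.2.44)
# that touches all three honeytokens.
SAMPLE_LOG = [
    "05-Jan-2024 10:00:01.123 client 10.1.2.3#51234 (www.corp.example): query: www.corp.example IN A + (10.0.0.53)",
    "05-Jan-2024 10:00:02.456 client 10.1.2.44#40001 (backup-vault.corp.example): query: backup-vault.corp.example IN A + (10.0.0.53)",
    "db-audit user=app_web src=10.1.5.10 stmt=SELECT id FROM orders WHERE id=42",
    "db-audit user=svc_legacy_reports src=10.1.2.44 stmt=SELECT * FROM customers",
    'ldap-bind dn="cn=jsmith,ou=people,dc=corp,dc=example" src=10.1.7.8 result=0',
    'ldap-bind dn="cn=finance-admin,ou=service,dc=corp,dc=example" src=10.1.2.44 result=49',
]

if __name__ == "__main__":
    for client, hits in alerts_by_client(scan_lines(SAMPLE_LOG)).items():
        print(f"ALERT client={client} honeytokens touched={[h.source for h in hits]}")
```

Matching is exact rather than fuzzy on purpose: a honeytoken that resembles a real name invites false positives, so the planted values should be distinctive, and the alert path should feed directly into incident response rather than a triage queue.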

By not relying on a single type of security control, and by putting in place policies and procedures that require and reward staff for flagging suspicious behaviour, the chances of prevention or detection and of damage limitation are increased.
