NATIONAL SECURITY AGENCY CYBERSECURITY REPORT

Transcription

NATIONAL SECURITY AGENCY
CYBERSECURITY REPORT

NSA/CSS Technical Cyber Threat Framework v2

A REPORT FROM: CYBERSECURITY OPERATIONS, THE CYBERSECURITY PRODUCTS AND SHARING DIVISION
29 November 2018
PP-18-0844

(U) DOCUMENT CHANGE HISTORY

DATE              VERSION  DESCRIPTION
08 March 2018     V1       NTCTF v1 release date
09 November 2018  V2       NTCTF v2 release date
29 November 2018  V2       Minor revisions

(U) EXECUTIVE SUMMARY

(U) The "NSA/CSS Technical Cyber Threat Framework v2" (NTCTF v2) was developed as a technical extension of the Director of National Intelligence Cyber Threat Framework. It is designed to standardize how NSA characterizes and categorizes adversary activity by using a common technical lexicon that is operating system independent and closely aligned with industry definitions. This common technical cyber lexicon supports sharing, product development, operational planning, and knowledge-driven operations across the Intelligence Community. Public dissemination of the technical cyber lexicon allows for whole-of-community collaboration. Use of the NTCTF facilitates organizing and examining adversary activity to support knowledge management and enable analytic efforts.

(U) The Cyber Technical Report entitled "NSA/CSS Technical Cyber Threat Framework v2" provides a baseline of standard definitions to be used as a reference for U.S. Government collaboration with partners and stakeholders in discussing adversary activities throughout the adversary lifecycle.

(U) Notably, in NTCTF v2, the shared technical lexicon has been reduced by 20%, with clearer definitions and over 1700 key phrases to help guide the analyst in characterizing adversarial cyber activity using the NTCTF actions. This release has been reviewed to capture recent trends, account for emerging technologies and insider threat, and include operational technology (OT) concepts to address threats to critical infrastructure.

(U) DISCLAIMER OF WARRANTIES AND ENDORSEMENT

(U) The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.

(U) CONTACT INFORMATION

Client Requirements and Inquiries or General Cybersecurity Inquiries
CYBERSECURITY REQUIREMENTS CENTER (CRC)
410-854-4200
Cybersecurity_Requests@nsa.gov



NTCTF V2 STAGE AND OBJECTIVE DEFINITIONS

ADMINISTRATION
Adversary activities that comprise "day-to-day" or standard operations that occur outside of targeted operations. This stage provides the necessary foundational resources and direction to drive targeted operations. During this stage, the adversary derives their operational intent, plans campaigns, performs research and analysis, and develops resources based on their strategy to generate targeted tasking based on their intent.

PLANNING
Planning is an orderly, analytical process that consists of a logical set of activities to analyze a mission, select the best course of action, and produce operational plans (based on JP 5-0). The adversary plans their operations, typically derived from high level or national strategy. Based upon the resulting plans, the adversary identifies mission needs and requirements.

RESOURCE DEVELOPMENT
Resource development activities aid with fulfilling the mission needs. Resource types include: infrastructure, software, data, people, and support to conduct operations. Resource development actions include the processes an adversary employs to develop, modify, test, and distribute the resources to support operations, such as capabilities and infrastructure. Resource development also includes activities such as the training and education of people, or cultivating of alliances and partnerships.

RESEARCH
Research activities are adversary activities performed to identify gaps and ideate ways to fill those gaps, through technical, mechanical, physical, financial, or other means. This set of activities also aims to identify resources to be developed in order to meet the demands of strategic and operational plans.

PREPARATION
Adversary activities to conduct research on target networks and/or entities of interest and set up infrastructure and capabilities to be used during targeted operations. Actions taken by a threat actor to assess the intended victim cyber threat environment and assess success/failure of threat activities in meeting objectives.

RECONNAISSANCE
Reconnaissance is the act of obtaining and examining information about the activities and resources of a potential target, or capturing data and characteristics of a particular target system or network (derived from JP 1-02, Reference e). An adversary conducts reconnaissance to strategize their targeted operation with the goal of making the intrusion more efficient and to increase the probability of success. Typically reconnaissance is performed via passive or active means using cyber and non-cyber methods.

Passive reconnaissance involves no interaction with the target directly. It includes cyber activities such as open source research to gather publicly available information and drawing on information previously collected, as well as non-cyber activities such as dumpster diving and physical observation.

Active reconnaissance involves attempts to interact with the target directly. Activities include port, network and vulnerability scanning, and network enumeration techniques such as banner grabbing and TCP fingerprinting. The desired result is a profile and enumeration of target access points, protocols, and vulnerabilities to exploit.

STAGING
The goal of staging is to position capabilities and infrastructure required to support the operation (derived from JP 3-35, Reference f). This objective includes allocating and preparing supporting infrastructure, such as command and control nodes, hop points, DNS infrastructure, and necessary accounts (email, chat, etc.). During these activities, the adversary ensures tools, infrastructure and communication channels are identified and deliverable. This objective also includes coupling malware with a delivery mechanism.

Staging also covers pre-positioning of threat actor capabilities to threat actor internally owned/controlled storage locations, whether electronic media or physical hardware (i.e., removable media, bundled hardware/firmware/software corrupted through a cooperative supply chain), to support intended/subsequent cyber threat actions/activities.

ENGAGEMENT
Adversary activities taken by a threat actor against a specific target/target set prior to gaining, but with the intent to gain, access to the victim's physical or virtual computer or information system(s), network(s), and/or data stores.

DELIVERY
Deliver a malicious payload to the target via technical, cognitive, or physical means with the goal of exploiting target vulnerabilities in technology, people, or processes. The malicious payload can be as simple as an idea verbally communicated to the target to acquire information or as complex as custom coded malware, and can be delivered to a target in multiple ways. The most commonly used remote methods include spear phishing, malicious websites and remote exploits, but payloads can also be delivered through social engineering or insider threats.

EXPLOITATION
Use network, system, physical and/or social vulnerabilities to establish unauthorized access to a target. Adversary activities to leverage vulnerabilities in people, processes, or technology. Exploitation of people typically is achieved using social engineering techniques. Social engineering is defined as the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the person to perform an action. Social engineering techniques are often employed when constructing messages used in spear-phishing email/text messages, social networking sites, and active reconnaissance communication.

PRESENCE
Actions taken by the threat actor once access to target/target set physical or virtual computer or information system has been achieved. Adversary activities to ensure ongoing and robust access to the victim and potentially its connected environment.

EXECUTION
Unauthorized threat actor actions (automated or manual) that direct or execute actions or activities using the available target's computer(s), information system(s), and/or network(s). Actions taken by an adversary to run malicious or controlled code on a local or remote system.

INTERNAL RECONNAISSANCE
Activities an adversary performs on the victim network that support traversing the network and compromising additional hosts or connected networks. Activities include internal network scanning, directory walks, active directory dumps, password dumps, and identification of target systems and users.

CREDENTIAL ACCESS
Adversarial activities to obtain, create, hijack, and leverage legitimate credentials within a target system or network. These activities include credential dumping, network sniffing with the intent of gaining credentials, keylogging on a target system, leveraging legitimate password recovery techniques, hijacking active authentication tokens, or merely searching file systems for credentials in files.

PRIVILEGE ESCALATION
Activities an adversary performs on the victim network to support obtaining administrative rights. The adversary uses information from external and/or internal reconnaissance, social engineering, or other means to attempt to obtain administrative rights by using a variety of tools and tactics. Some examples include using password hash exploitation tools, leveraging legitimate account credentials, and using open source or custom exploits.

LATERAL MOVEMENT
Adversarial activities to propagate through the victim environment. An adversary may use information from internal reconnaissance to identify and compromise additional networks, hosts, and connected networks. Within this objective, the adversary may attempt establishing new user credentials to further propagate on the network. These activities that an adversary performs on the victim network support traversing the network to achieve objectives.

PERSISTENCE
Activities performed to maintain presence on the system, device, and/or network. Activities include creating legitimate credentials, installing rootkits, establishing remote access tools, etc. It is important to note that once initial access is gained to a target, persistence may be established at any time and may consist of multiple techniques.

EFFECT
Adversary activities involved in the manipulation, disruption, denial, degradation, or destruction of computers, information or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or resident information. Outcomes of threat actor actions on a victim's physical or virtual computer or information system(s), network(s), and/or data stores.

MONITOR
Activities such as maintaining presence on a host, establishing a compromised host as a listening post, identifying health and status of the host, and waiting to perform additional operations.

MODIFY
Activities to modify target systems, networks, resources, or information. These modifications could be changing configuration files, removing data files, sending unauthorized email from a target account, or installing additional malicious files.

DENY
Activities that result in the denial of target systems, networks, or other resources, as well as denying access to information. These activities may be the result of Denial of Service attacks, or by virtue of modifying or destroying components of the target.

DESTROY
Activities to destroy target systems, networks, resources, or information. Attacks cause a wide range of consequences ranging from minor to significant damage to the target.

ANALYSIS, EVALUATION, AND FEEDBACK
Activities to continually analyze, evaluate, and update the operation to best perform the mission at any point in the target operation activities. This activity is a similar concept to the Observe Orient Decide Act (OODA) loop for the adversary.

COMMAND AND CONTROL
Activities to direct and receive information from a victim. Activities include the transmission of location, health, or operational status of persistent access capabilities and the remote tasking of access capabilities.

EXFILTRATE
Activities to collect and transmit information from a target that enables operations, fulfills tasking requirements or meets mission objectives. Observable activities include gathering files, internally staging those files, obfuscating file types and formats, compressing into archive files, and transmitting files. Transmission could occur through standard protocols, remote access tools, or a variety of other methods such as email, chat, cloud services, and more. The method used will vary based on the adversary, their collection requirements and urgency.

EVASION
Activities to minimize the risk of being caught within a victim host and their environment. An adversary is likely to employ forms of evasion across the various stages of their standard and targeted operations. Evasion techniques can vary based on the stage, particular Tactics, Techniques, and Procedures (TTP), and sophistication of the adversary. Some examples include saving malware with legitimate file types, using encryption or covert channels for communications, or performing command and control using social networking sites.

NTCTF V2 ACTION DEFINITIONS AND KEY PHRASES

ADMINISTRATION: PLANNING

Analyze operation
Steps taken by a threat actor (individual, team or government-sponsored agency), their sponsor, or leadership to establish the overall strategy for, policy limitations of, and the requisite resources and capabilities needed to conduct the intended malicious cyber activity, along with the criteria for evaluating the eventual success or failure of the activity.

Determine strategy and goals
Steps taken by a threat actor, their sponsor, or leadership to determine the portion(s) of national strategy and/or interests that will be supported by the intended cyber activity, or to justify that activity. This includes threat actor perception of programmatic or operational goals, environmental changes, or outcomes that contribute to the overall success of the threat activity.

Issue operational directive
Steps taken by an individual cyber threat actor, their sponsor, or leadership to decide to execute a planned cyber threat operation.

Produce operational plans
Steps taken to integrate known information on the target, capabilities, and intended outcome into a plan for how to most effectively conduct intended cyber activity.

Receive approval to execute operations
Threat actors receive approval from their leadership to execute operations against identified targets.

Select intended victims
The initial step in the planning process that produces a list of intended victim(s), and defines the intent for and desired outcome of the malicious cyber activity.

ADMINISTRATION: RESEARCH

Gather information
Threat actor actions taken to compile and analyze all available information on potential targets.

Identify capability gaps
Threat actor actions to establish requirements for tools, including malware, needed to develop capabilities and/or conduct operations.

Identify information gaps
Threat actor actions to determine the utility of available information related to a potential target and to document intelligence gaps.
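The Exfiltrate objective above lists "obfuscating file types and formats" and "compressing into archive files" as observable staging activity, and the Evasion objective lists "saving malware with legitimate file types". Both describe content that does not match the name it travels under. The following is an added example, not part of the NSA report, showing the check a defender runs for that: read the file's leading bytes, map them to a container family with a signature table, and treat disagreement with the extension as a masquerade indicator. The signature table, the extension-to-family mapping and the sample files are all constructed for this example; a production scanner would use a full signature database.

```python
from typing import Optional

# Constructed signature table for the formats this example feeds in (assumption:
# a real scanner uses a far longer list, e.g. libmagic's).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
    b"\x7fELF": "elf",
    b"%PDF": "pdf",
    b"\x1f\x8b": "gzip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}

# Which container family an extension legitimately carries. Office Open XML,
# JAR and APK files are ZIP archives, so a PK header under .docx is not a mismatch.
EXTENSION_FAMILY = {
    "png": "png", "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip",
    "jar": "zip", "apk": "zip", "exe": "pe", "dll": "pe", "so": "elf",
    "pdf": "pdf", "gz": "gzip", "rar": "rar", "7z": "7z",
}


def sniff(data: bytes) -> Optional[str]:
    """Identify the container family from leading bytes, longest signature first."""
    for sig, family in sorted(SIGNATURES.items(), key=lambda kv: -len(kv[0])):
        if data.startswith(sig):
            return family
    return None


def check_file(name: str, data: bytes) -> dict:
    """Compare what the extension claims with what the bytes say."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXTENSION_FAMILY.get(ext)
    actual = sniff(data)
    if actual is None:
        verdict = "unsigned"   # no known magic: plain text, or a format outside the table
    elif claimed == actual:
        verdict = "match"
    else:
        verdict = "mismatch"   # also covers a known binary under an extension expected to be inert
    return {"name": name, "claimed": claimed, "actual": actual, "verdict": verdict}


def suspicious(files: dict) -> list:
    """Names whose content does not match what the extension advertises."""
    return [n for n, d in files.items() if check_file(n, d)["verdict"] == "mismatch"]


# Constructed sample files: only the headers matter, the rest is filler.
SAMPLE_FILES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR",
    "holiday_photos.png": b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 16,  # archive staged under an image name
    "quarterly.docx": b"PK\x03\x04\x14\x00\x06\x00\x08\x00" + b"\x00" * 16,      # legitimately a ZIP container
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16,                   # PE executable under .txt
    "readme.txt": b"Meeting moved to 10:00.\n",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(check_file(name, data))
    print("flagged:", suspicious(SAMPLE_FILES))
```

The check is cheap and catches the common staging pattern (an archive or executable renamed to look like a document or image), but it only sees the header: an archive XOR-ed or encrypted before transfer has no recognisable magic and lands in "unsigned", which is why header checks complement entropy and behavioural analysis rather than replace them.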

ADMINISTRATION: RESOURCE DEVELOPMENT

Acquire operational infrastructure
Steps taken to acquire the facilities and infrastructure required to conduct the intended cyber activity during targeted operations.

Build alliances and partnerships
Steps taken to establish relationships with individuals, groups or governments; to acquire or provide co-production and/or contract development of technology, processes and/or tools for use in the intended cyber activity; and to provide support to compromise victim supply chains.

Develop capabilities
Steps taken to define, develop, acquire, and test the technology, processes, and tools required to conduct the intended cyber activity.

Obtain financing
Steps taken to identify and employ viable sources of financial support required to support staff, infrastructure, and other expenses that occur while conducting cyber activities.

Seed supply chain
Threat actor action to place compromised software, hardware and/or firmware on a partner or organic supply chain.

Staff and train resources
Steps taken to select and train the people required to conduct intended activity in areas such as cyber activities, targeting, and data analysis.

PREPARATION: RECONNAISSANCE

Conduct social engineering
Psychological manipulation of people by the threat actor into performing actions or divulging information.

Create botnet
Actions taken to establish a virtual network of target computer or information system resources for use in conducting threat actor activities.

Gather credentials
Activities to obtain credentials of unknowing users for the purpose of future engagement.

Map accessible networks
The sending of transmissions to the network's possible nodes and examining the responses received to identify the existence of nodes on the network. The results potentially provide insight to identify security systems and policies on the network.

Scan devices
Active or passive actions taken by the adversary in order to determine the software or firmware currently used by a target, versions of software or firmware, a target's patch status, and configuration (e.g., ports open).

Select potential victims
Actions taken by a threat actor to identify a specific target or targets from a broader list of potential targets.

Survey devices
Threat actor actions to collect intelligence derived from the collection, processing, analysis, and exploitation of data and information pertaining to an identified target.

Identify crosstalk
Any phenomenon by which a signal transmitted on one circuit or channel creates an unintended effect on another circuit or channel that is not physically connected.

Scrape websites
The gathering of information about a potential target by searching open source information such as public forums, conference announcements, bulletin boards, or distribution lists looking for victim information; includes the use of automated tools to overcome protection measures.

Use social media
The gathering of information about a potential target by searching public social media sites.

PREPARATION: STAGING

Add exploits to application data files
Altering the content of data files to exploit a weakness in the application that parses that type of data file. The change causes that application to perform unintended actions, usually code execution or revealing sensitive information.

Allocate operational infrastructure
Threat actor actions taken to put in place facilities and associated infrastructure needed to support development of capabilities for, and to support conduct of, threat activities.

Create midpoints
Configure, acquire, compromise, or develop one or more intermediate nodes between source and destination for data exfiltration and command and control.

Establish physical proximity
Threat actor actions taken to obtain facilities and infrastructure in close physical proximity to the identified target's computer or information systems, networks, and/or data stores.

Infect or seed website
A website that has been created or modified by a threat actor to include malicious code, which can subsequently be used in phishing attacks, drive-by attacks and watering hole attacks.

Pre-position payload
Pre-positioning of threat actor capabilities on threat actor internally owned/controlled storage locations.

ENGAGEMENT: DELIVERY

Access via wireless
Wireless access to network communications or a device connected to the network.

Infect via websites
Adversaries embed malicious code into a website that a user visits, which infects the computer that connects to it.

Traverse CDS or MLS
Usage of cross domain solutions (CDS) or multi-level solutions (MLS) to maliciously transfer content, or allow adversarial movement from one network to another, whether in a manual or automated manner (through trusted services).

Alter communications path
Modify communications paths by altering cache entries or routing tables using a variety of protocols to deliver a payload or redirect victims to fraudulent and malicious web sites and systems.

Compromise supply chain or trusted source
Adding malicious software, hardware, or configurations to items that are trusted to be non-malicious while on their way to the target network.

Connect removable media
The deployment of malicious code via removable media. Removable media can be programmed to auto-run upon insertion into a device, causing malware to be automatically executed.

Connect rogue network devices
The insertion or use of existing rogue interfaces to authorized network devices.

Inject database command
The injection of malicious SQL commands into unchecked input fields, allowing data theft, modifications, or execution of malicious commands.

Leverage device swapping
Any instance in which an information system, either unaccredited or accredited for a specific network, is moved from said network to a secondary network without authorization. Whether the device swapping is accidental or purposeful, it is a cross domain violation.

Send malicious email
Embeds malicious attachments or links within an email message sent to a target. The user's computer can be compromised after opening or executing the attached file, upon clicking the link, or upon loading the email itself, potentially providing access to a malicious actor.

Transport via common network infrastructure
Deliver malicious content via previously adversary-compromised network infrastructure that connects to or transports the target network.

Use chat services
Employ a chat communications protocol allowing the interchange of messages and/or files between devices (mobile, computers, IoT) to communicate with a target.

Use compromised host
The process of delivering malicious code from a previously compromised victim host to a target within the victim's network, to be used to gain further access.

Use legitimate remote access
The use of legitimate remote access capabilities without exploiting a vulnerability, usually involving the reuse of legitimate credentials that were captured previously, to gain access to internal network resources.

Use physical network bridge
Networking hardware that creates an aggregate network from either two or more communication networks, or two or more network segments. Bridging (OSI layer 2) is distinct from routing (OSI layer 3), which allows multiple different networks to communicate independently while remaining separate.
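The Inject database command action above describes malicious SQL reaching the engine through an unchecked input field. The following is an added example, not code from the NSA report, that puts the vulnerable lookup beside the parameterized one and runs both against the same constructed attacker inputs in an in-memory SQLite database. The table, its rows and the two payloads are invented for this example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table; the accounts are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Unchecked input spliced into the statement text: the weakness the action describes."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the value reaches the engine as data and is never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs.
BYPASS_FILTER = "' OR '1'='1"                                    # collapses the WHERE clause to always-true
LEAK_SCHEMA = "x' UNION SELECT name, sql FROM sqlite_master --"  # appends a second query; -- swallows the trailing quote


def demo() -> dict:
    """Run a legitimate lookup and both payloads through each variant."""
    conn = build_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "alice"),
        "legit_parameterized": lookup_parameterized(conn, "alice"),
        "bypass_vulnerable": lookup_vulnerable(conn, BYPASS_FILTER),        # returns every row
        "bypass_parameterized": lookup_parameterized(conn, BYPASS_FILTER),  # no such username: no rows
        "leak_vulnerable": lookup_vulnerable(conn, LEAK_SCHEMA),            # returns the table's CREATE statement
        "leak_parameterized": lookup_parameterized(conn, LEAK_SCHEMA),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22} {rows}")
```

Two caveats worth keeping in mind when reading the output. Python's sqlite3 driver refuses to execute more than one statement per call, so a stacked payload such as `'; DROP TABLE users; --` fails here; that is a property of this driver, not a defence, and many database clients do run stacked statements. And binding protects values only: a table or column name assembled from user input still needs an allowlist, because parameters cannot stand in for identifiers.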

ENGAGEMENT: EXPLOITATION

Abuse protocols
Threat actor use of standard target system or network protocols to gain unauthorized access through unanticipated use of the protocol.

Access virtual memory
Abusing physical collocation of separate/isolated virtual spaces (e.g., virtual machines, containers, processes) to compromise the integrity or confidentiality of targeted virtual resources.

Conduct social engineering
Psychological manipulation of people by the threat actor into performing actions or divulging information.

Defeat encryption
Exploitation of cryptographic algorithms or device implementations of cryptography, or using acquired cryptographic keys, to gain access to or manipulate the underlying unencrypted content.

Exploit firmware vulnerability
Exploiting a software vulnerability in firmware to gain access to a device. This occurs when a programming or logical error is triggered that causes the software to behave in an unintended and insecure way.

Exploit local application vulnerability
Exploiting a software vulnerability in an application by having the exploit triggered locally on the host, often requiring some user interaction to launch and usually leading to user level access on the host. This occurs when a programming or logical error is triggered that causes the software to behave in an unintended and insecure way.

Exploit OS vulnerability
Exploiting a software vulnerability in a default operating system service or kernel. This occurs when a programming or logical error is triggered that causes the OS to behave in an unintended and insecure way. Exploiting OS vulnerabilities often leads directly to privileged access on the host.

Exploit remote application vulnerability
Exploiting a software vulnerability in an application by having the exploit triggered remotely over the network, often without any user interaction and usually leading to user level access on the host. This occurs when a programming error is triggered that causes the software to behave in an unintended and insecure way.

Exploit weak access controls
Exploitation of weak, misconfigured, or missing access controls to gain access to a system or data.

Hijack
Hijacking is a type of network security attack in which the threat actor takes control of a communication between two entities.

Impersonate or spoof user
Adversary poses as an authorized user in order to gain access to a target computer system.

Launch zero-day exploit
A zero-day (0-day) exploit targets a vulnerability in software that is not publicly disclosed or is unknown to the vendor, and is used by the threat actor before the vendor becomes aware of the flaw and/or fixes it.

Leverage exploit packs
Threat actor makes use of exploit packs (also called exploit kits), toolkits that automate the exploitation of client side vulnerabilities, usually targeting browsers and programs that a website can invoke through the browser.

Leverage trusted relationship
Leverage compromise of a connected peer network or other trusted relationship with another network.

Replay
Threat actors conduct a network attack against a target in which a valid data transmission is maliciously or fraudulently repeated or delayed.
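The Hijack and Replay actions above both concern an attacker on the communication path who reuses what was captured. As an added example (not from the NSA report), the following shows a signed request protocol in two forms: a naive verifier that checks only the message authentication tag, so a recorded request stays valid and can be re-sent at will, and a hardened verifier that also enforces a freshness window and a nonce cache, so both a repeated copy and a delayed copy are refused. The pre-shared key, the 30-second window and the request layout are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Assumptions for the example: one pre-shared key and a 30-second freshness window.
KEY = b"example-pre-shared-key"
WINDOW_SECONDS = 30


def sign(action: str, ts: int, nonce: str) -> bytes:
    """HMAC-SHA256 over every field the verifier must bind together."""
    return hmac.new(KEY, f"{action}|{ts}|{nonce}".encode(), hashlib.sha256).digest()


def make_request(action: str, ts: int) -> dict:
    """Client side: sign the action together with its timestamp and a fresh nonce."""
    nonce = secrets.token_hex(16)
    return {"action": action, "ts": ts, "nonce": nonce, "tag": sign(action, ts, nonce)}


class NaiveServer:
    """Checks only that the tag is genuine, so a captured request stays valid forever."""

    def handle(self, req: dict, now: int) -> str:
        if not hmac.compare_digest(sign(req["action"], req["ts"], req["nonce"]), req["tag"]):
            return "rejected: bad tag"
        return "accepted"


class HardenedServer:
    """Also requires the timestamp to be recent and the nonce to be unseen in that window."""

    def __init__(self) -> None:
        self.seen = {}  # nonce -> timestamp carried by the request that introduced it

    def handle(self, req: dict, now: int) -> str:
        if not hmac.compare_digest(sign(req["action"], req["ts"], req["nonce"]), req["tag"]):
            return "rejected: bad tag"
        if abs(now - req["ts"]) > WINDOW_SECONDS:
            return "rejected: stale timestamp"   # delayed copy, or a clock too far off
        if req["nonce"] in self.seen:
            return "rejected: replay"            # repeated copy inside the window
        self.seen[req["nonce"]] = req["ts"]
        # A nonce only needs remembering while its timestamp could still pass the
        # window check; pruning by that rule keeps the cache bounded without a gap.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW_SECONDS}
        return "accepted"


def demo() -> dict:
    """Capture one request and re-send it to both servers; return each verdict."""
    t0 = 1_700_000_000
    captured = make_request("transfer 1000", ts=t0)
    naive, hardened = NaiveServer(), HardenedServer()
    results = {
        "naive_first": naive.handle(captured, now=t0 + 1),
        "naive_replay": naive.handle(captured, now=t0 + 5),
        "hardened_first": hardened.handle(captured, now=t0 + 1),
        "hardened_replay": hardened.handle(captured, now=t0 + 5),
        "hardened_delayed": hardened.handle(make_request("transfer 1000", ts=t0), now=t0 + 120),
    }
    tampered = dict(captured, action="transfer 9000")  # tag no longer matches the fields
    results["tampered"] = hardened.handle(tampered, now=t0 + 1)
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:17} {verdict}")
```

The nonce cache has to be shared by every verifier that accepts the same key; with several load-balanced servers keeping private caches, the attacker simply replays the capture at a different node. The window size trades clock-skew tolerance against how long a captured request remains useful, so it should be as small as the deployment's clocks allow.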

PRESENCE: INSTALLATION & EXECUTION

Create scheduled task
Task scheduling is used to execute programs on a scheduled basis to persist adversary code or gain SYSTEM privileges. Creating a task that runs under another account, such as SYSTEM, requires administrator privileges, so a task configured to run with SYSTEM privileges represents an escalation of privilege.

Execute via service controller
Execute a binary via the service controller or other methods of interacting with services.

Execute via third-party software
Adversary uses pre-existing third-party applications to execute code within the targeted environment.

Inject into running process
Injecting malicious code into an existing legitimate process. Running code in the context of another process provides many benefits such as access to the process's memory, permissions, and identity. Code injection masks the malicious activity from casual inspection of the task list.

Leverage authorized user
Actions initiated by an authorized user that enable the installation and execution of code.

Replace existing binary
Threat actor actions taken to replace a legitimate or pre-existing binary with a malicious executable in a commonly trusted location, from a legitimate source, or named with a common name to bypass tools that trust executables by relying on file name or path.

Run commands in shell
Invoke individual commands from the command line to run executable code. This can be done locally or remotely, and interactively. Commands that are executed run with the current permission level of the command line.

Run fileless payload
Run a fileless payload only in memory, without an executable file or script on disk.

Use interpreted scripts
Utilizing a scripting language, adversaries use scripts to execute code in a number of different ways, either with script files or script commands fed directly to the script interpreter.

Use OS APIs
Adversary tools directly use an operating system (OS) application programming interface (API) to execute binaries.

Use remote services
Use remote administrative services to perform execution remotely, or other running services that have implied trust or authentication that can be leveraged by the adversary to maneuver through the network. With valid credentials and the ability to remotely access the features, remote services can be used to read or modify system configuration and data and/or cause code to execute.

Use trusted application to execute untrusted code
Adversary indirectly executes code through a trusted application and avoids triggering security tools.

Write to disk
Store binary data on a disk or network share to be used in further operations.
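The Create scheduled task, Use interpreted scripts and Replace existing binary actions above describe persistence that hides inside a legitimate operating system mechanism. The following is an added example, not code from the NSA report: a small Python checker that reads Windows Task Scheduler task definitions (the XML form that Security event 4698 also records when a task is created) and flags tasks that run as SYSTEM (S-1-5-18) from outside the Windows or Program Files trees, use an unqualified command resolved through the search path, or launch a script interpreter, decoding PowerShell's -EncodedCommand argument where present. The four task definitions are constructed for the example, and the trusted-path roots and interpreter list are assumptions a real deployment would tune.

```python
import base64
from typing import Optional
from xml.etree import ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_SID = "S-1-5-18"
# Assumptions for the example: interpreters worth a second look when run as SYSTEM,
# and the only roots from which a SYSTEM task is expected to launch a binary.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def task_xml(user_sid: str, command: str, arguments: str = "") -> str:
    """Constructed task definition in the Task Scheduler XML schema (sample data only)."""
    return (
        f'<Task version="1.2" xmlns="{NS["t"]}">'
        f'<Principals><Principal id="Author"><UserId>{user_sid}</UserId>'
        f'<RunLevel>HighestAvailable</RunLevel></Principal></Principals>'
        f'<Actions Context="Author"><Exec><Command>{command}</Command>'
        f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>'
    )


def decode_encoded_command(arguments: str) -> Optional[str]:
    """Recover the script behind powershell.exe -EncodedCommand (base64 of UTF-16LE)."""
    tokens = arguments.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-encodedcommand", "-enc", "-e"):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze_task(xml_text: str) -> list:
    """Return the findings for one task definition (empty if nothing stands out)."""
    root = ET.fromstring(xml_text)
    user = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    if user != SYSTEM_SID:
        return []  # runs with that user's own rights; no escalation through the scheduler
    findings = []
    for action in root.findall("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        arguments = action.findtext("t:Arguments", default="", namespaces=NS)
        basename = command.rsplit("\\", 1)[-1].lower()
        if "\\" not in command:
            findings.append(f"SYSTEM task uses unqualified command resolved via search path: {command}")
        elif not command.lower().startswith(TRUSTED_ROOTS):
            findings.append(f"SYSTEM task runs binary outside trusted roots: {command}")
        if basename in INTERPRETERS:
            decoded = decode_encoded_command(arguments)
            note = f" (decoded -EncodedCommand: {decoded!r})" if decoded else ""
            findings.append(f"SYSTEM task launches interpreter {basename}{note}")
    return findings


def scan_tasks(tasks: dict) -> dict:
    """Map task name -> findings, keeping only tasks that produced at least one."""
    results = {name: analyze_task(xml) for name, xml in tasks.items()}
    return {name: f for name, f in results.items() if f}


# Constructed sample tasks (names, SIDs and paths are invented for the example).
SAMPLE_TASKS = {
    "VendorUpdate": task_xml(SYSTEM_SID, r"C:\Program Files\Vendor\updater.exe", "/silent"),
    "OneDrive Sync": task_xml("S-1-5-21-1111-2222-3333-1001",
                              r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    "WindowsUpdateHelper": task_xml(SYSTEM_SID, r"C:\Users\Public\update.exe"),
    "Telemetry": task_xml(SYSTEM_SID, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          "-NoProfile -WindowStyle Hidden -EncodedCommand ZQBjAGgAbwAgAGgAaQA="),
}

if __name__ == "__main__":
    for name, findings in scan_tasks(SAMPLE_TASKS).items():
        for finding in findings:
            print(f"[{name}] {finding}")
```

A task that runs as an ordinary user from a user-writable path is deliberately not flagged here: it is still persistence, but at that user's existing privilege level, which is the distinction the Create scheduled task definition draws. The path check also says nothing about the binary's content, so pairing it with a hash allowlist covers the Replace existing binary case where a malicious file sits at a trusted path under a trusted name.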

PRESENCE: INTERNAL RECONNAISSANCE

Enumerate accounts and permissions
Adversaries attempt to get a listing of all local or domain accounts and their permissions, including reviewing logins or file modification times to identify primary users. Adversaries get a listing of all local groups and their permissions and members.

Enumerate OS and software
An

Map accessible networks
