Adversarial Tradecraft in Cybersecurity: Offense versus defense in real-time computer conflict

Jun 15, 2025 · 25 min

Episode description

The book targets intermediate cybersecurity practitioners, offering insights for both offensive "red teams" and defensive "blue teams" in competition and real-world scenarios. It covers topics such as adversarial theory, computer conflict principles including deception and physical access, and strategies for preparing for cyber engagements like team building and infrastructure setup. The text also explores advanced techniques for operating in memory, blending in with legitimate activity, actively manipulating defensive systems, and conducting thorough research for strategic advantage, all while emphasizing the importance of robust communication, logging, and incident response for both sides. The book frequently references open-source tools and real-world examples to illustrate complex concepts.

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cyber_security_summary

Get the Book now from Amazon:
https://www.amazon.com/Adversarial-Tradecraft-Cybersecurity-real-time-computer/dp/1801076200?&linkCode=ll1&tag=cvthunderx-20&linkId=55ff2329eb5801aa1c21948ee0d8ad84&language=en_US&ref_=as_li_ss_tl

Discover our free courses in tech and cybersecurity, Start learning today:
https://linktr.ee/cybercode_academy

Transcript

Speaker 1

You know, when you look at cybersecurity, it really feels less like some orderly game like chess and more like this, I don't know, this endless game of hide and seek, but with really high stakes.

Speaker 2

Yeah, it's a constant push and pull, isn't it? A real cat-and-mouse situation between the attackers trying to breach systems and the defenders, you know, scrambling to keep.

Speaker 1

Them out, exactly. And it goes way beyond just the tech, the firewalls and stuff. It's so much about strategy, deception, and just trying to adapt faster than the other side.

Speaker 2

It really is a continuous loop, like attackers find a new way in, defenders build a patch or a detection for it. Then the attackers have to tweak their method, maybe bypass the new defense, and the whole cycle just speeds up.

Speaker 1

And really getting inside that dynamic, understanding how it works, that's what we want to do in this deep dive. We're pulling insights directly from the book Adversarial Tradecraft in Cybersecurity: Offense versus Defense, and, well, specifically focusing on the parts about practical techniques and, sort of, the ideas driving this conflict.

Speaker 2

Right. The author, Dan Borges, he brings this really interesting mix of experience. He's worked in the real world, you know, places like Uber, Mandiant, and CrowdStrike, but he also has deep experience in those big collegiate cyber competitions like CCDC and CPTC, so he's seen it all from multiple angles.

Speaker 1

Yeah, and that perspective shows. The book seems aimed at practitioners, people actually doing the work, maybe folks starting out who might need to Google a few things, up to, say, intermediate-level people. It shows how lessons from those competitions really do apply to real-world enterprise security, absolutely.

Speaker 2

So our mission here really is to give you a shortcut. We want to distill the key takeaways, the most important bits from this source material to give you a clearer picture of the strategies, the tools, the techniques attackers use.

Speaker 1

And then how defenders try to counter that, and how each side is constantly reacting to the other.

Speaker 2

Exactly understanding that interaction is key.

Speaker 1

Okay, let's unpack this. The source starts by laying out some foundational building blocks for information security. Talks about the CIAAN attributes.

Speaker 2

Ah, yes, CIAAN, that's confidentiality, integrity, availability, authentication, authorization, and non-repudiation. Right, think of these as the sort of fundamental qualities of data and systems. They're what the attackers are trying to undermine and what the defenders are desperately trying to protect.

Speaker 1

And the source really highlights non-repudiation because of the defender's eyes and ears. What does that mean, practically speaking?

Speaker 2

It basically means logging, good logging, creating solid, ideally unchangeable records of who did what, when they did it, where they did it from. If you don't capture that information, especially stuff that only happens in memory and disappears, well it's just gone pretty much. It's the main way defenders can piece together what happened after an incident or spot something shady going on.

Speaker 1

So if an attacker can mess with those logs, can erase their tracks effectively like blinding the defenders.

Speaker 2

Oh yeah, right. Beyond those basic attributes, the Source digs into several key principles of this computer conflict ideas that seem to guide the strategies for both sides. What are some of the big ones.

Speaker 1

Well, the principle of deception seems huge.

Speaker 2

Oh, absolutely, It's all about making abnormal things look totally normal. For an attacker, this is critical. If they can blend in, they can operate for much longer without getting caught.

Speaker 1

Like hiding in plain sight. And you can't really talk about this stuff without bringing in the human factor, right, the principle of humanity.

Speaker 2

Definitely, there's always a person involved somewhere targeting people, you know, social engineering, phishing emails that can often bypass even the best technical defenses. The source mentions that old classic getting a password off an employee at a bar faily works huh surprisingly often. Yeah. Then there's the principle of physical access. This one's pretty fundamental.

Speaker 1

Meaning if you can actually touch the machine, or if.

Speaker 2

You own the management interface for cloud stuff like AWS or the hypervisor like ESXi. If you have that level of control, you generally win. You can dump the memory, reinstall the OS, just walk away with the hardware. Sometimes it usually trumps purely digital.

Speaker 1

Remote access makes sense total control versus like partial access through the network. Planning also seems key, oh for sure.

Speaker 2

The principle of planning. The book quotes Sun Tzu, you know, plan for what is difficult while it is easy. You've got to have a plan, write it down, even practice it. If you can identify the weak.

Speaker 1

Spots, and that applies to both sides.

Speaker 2

Absolutely offense planning their attack path, defense planning their detection and response strategy. It's crucial for everyone.

Speaker 1

And then there's timing, the principle of time.

Speaker 2

Yeah, timing is critical in strategy. The source makes a good point about how the environment changes things. Short competitions like CCDC might allow for really noisy, aggressive tactics because time.

Speaker 1

Is limited, but in the real world.

Speaker 2

In the real world, attackers often need to be much more patient, slow, and low, you know, to maintain access long term without tripping alarms. Defenders, on the other hand, use time to build up those complex layered defenses we talked about gotcha.

Speaker 1

And finally, innovation non negotiable.

Speaker 2

The source quotes the MMA fighter Georges St-Pierre, basically saying standing still is asking for failure. Both sides have to constantly adapt, create new techniques, find ways around existing.

Speaker 1

Ones, because as soon as your trick is known.

Speaker 2

Its effectiveness drops, sometimes to zero. So if your tool gets detected, you need a plan B, maybe a plan C. You have to pivot fast. That constant need to innovate really drives this whole adversarial game.

Speaker 1

Okay, that gives us a really solid strategic foundation. Now let's get into the specifics. What does the offensive playbook actually look like? How do attackers get in, and maybe more importantly, how do they stay hidden? The source mentioned a big shift away from, like, traditional disk forensics.

Speaker 2

Yeah, that's a really key point. For a long time defenders could often find attacker tools and evidence by analyzing the hard drive after the fact. You know, dead disk forensics. Right, so attackers adapted. They started moving their operations beyond the disk. They operate live in memory, in RAM, and the big difference there is volatility. When the malicious process stops or the computer reboots, poof, the evidence in RAM is gone. This makes life much, much harder for defenders relying only on those older disk-based methods.

Speaker 1

Wow, operating purely in memory, that sounds like a defender's nightmare. What kind of techniques do they use for that?

Speaker 2

Well, process injection is a really common one. The basic idea is to run your malicious code, often something called shellcode, which is just low-level machine instructions, inside the memory space of a completely legitimate, trusted process that's already running.

Speaker 1

So instead of running, like, evil.exe, they sneak their code into something that looks normal. Maybe explorer.exe on Windows, exactly.

Speaker 2

That. The whole point is deception. It makes the malicious activity look like it's part of a normal, trusted program, so it's way harder for security tools to flag it as suspicious. Very common on Windows, and there are different ways to do it, like DLL.

Speaker 1

Injection, DLL injection.

Speaker 2

Yeah, injecting a malicious dynamic link library, a DLL file, into another process's memory space, so that process loads and runs the malicious code.

Speaker 1

Okay, so they're hiding where their code is running, but they still need to communicate back home, right, to their command and control server, their C2. How do they hide that?

Speaker 2

Ah, right, that's where covert C2 comes in, command and control. They need to maintain that connection for instructions and sending data back, but without their network traffic setting off alarms. So they try to make it blend in.

Speaker 1

Oh, by using protocols you'd expect to see anyway.

Speaker 2

Precisely, tunneling their C2 data over common stuff like ICMP, which is normally used for ping requests, or DNS, the domain name lookup system. The source mentions tools like icmpdoor, or how the popular C2 framework Sliver can use DNS for its C2 channel.

Speaker 1

There was that specific example in the source about Sliver and innovation, wasn't there?

Speaker 2

Yes, good point. It mentions that Sliver's default setting for checking in over DNS might be, say, every second, which is pretty frequent. Potentially noisy on a network.

Speaker 1

Could get spotted. Good.

Speaker 2

Yeah, But because Sliver is often open source, an attacker can just go into the code and change that interval, maybe make it check in only every sixty seconds or even longer. Slower, but stealthier, much stealthier. It's a perfect example of that principle of innovation in action, taking an existing tool, tweaking it slightly based on defensive knowledge, and making it way harder to detect.

Speaker 1

That's fascinating. Such a small change, big impact. Okay, so they're in their communicating stealthily.

Speaker 2

Yeah.

Speaker 1

What about covering their tracks after they've done something on a system?

Speaker 2

Yeah, this is crucial if they want to stick around. Remember non-repudiation, the logs being the defender's eyes. Well, attackers know that. So clearing logs is a fundamental offensive technique.

Speaker 1

How do they do that? Just delete the files?

Speaker 2

Sometimes it's that crude, but smart attackers use more sophisticated methods, especially on Windows. Tools like EventCleaner might use Windows API functions to manipulate the event log files directly, sometimes bypassing the usual ways files are locked, making it harder to spot the tampering. The source even mentions older techniques that could modify specific records or fix ID numbers to make it look.

Speaker 1

Seamless. Wow, actually rewriting the history inside the logs. But the source said defenders can sometimes still spot this, often.

Speaker 2

Yes, if you look closely, you might see gaps in record numbers, or the file size or modification times might look weird. On Linux, maybe they just pipe logs through grep -v to filter out their activity, but that can leave traces.

Speaker 1

Too, So a more subtle.

Speaker 2

Way, the source suggests backdooring the service that creates the logs in the first place, like using a modified Apache web server module. apache2_BackdoorMod is mentioned, that just doesn't write log entries for the attacker's specific actions.

Speaker 1

Ah, so the incriminating log entries never even created. Much harder to find what.

Speaker 2

Isn't there, exactly, and that leads into the last big hiding technique mentioned, rootkits.

Speaker 1

Rootkits, that sounds serious. It can be.

Speaker 2

Broadly speaking, rootkits are techniques designed to actively change how the operating system or defensive tools perceive the system state. Their goal is to hide the attacker's presence, their files, their running processes, network connections, you name it.

Speaker 1

So they're not just hiding passively. They're actively manipulating what the system reports, like lying to tools like task manager or else.

Speaker 2

That's the core idea. Whether it's deep down in the kernel or using user level tricks, the goal is deception, make the malicious stuff invisible to standard system checks. Another direct hit on that principle of deception.

Speaker 1

Understanding all these offensive moves must be critical for the defenders.

Speaker 2

Oh absolutely, You can't build effective defenses if you don't understand how the attackers think and what techniques they're likely to use, which brings.

Speaker 1

Us perfectly to the defensive side of things. The source really hammers home that difficulty defenders face. They have to be right essentially one hundred percent of the time stop every attack, but the offense they just need one success one way in.

Speaker 2

It's a fundamental asymmetry, a real challenge and That's why the source emphasizes that preparation is paramount for defenders. You have to patiently, methodically build your defenses. The analogy used is like a spider building a web, but maybe a web with many, many.

Speaker 1

Layers, so that concept of defense in depth precisely.

Speaker 2

The goal isn't always to prevent that initial breach, because sometimes you just can't. It's about having multiple layers of detection and control so you can spot the attacker as they try to move deeper into the network or achieve their objectives.

Speaker 1

And preparing for the inevitable.

Speaker 2

Yes, preparing your response processes too, because realistically you will get compromised at some point. Knowing what to do when that happens is just as vital as trying to prevent it.

Speaker 1

Okay, so how do they build this defensive web and how do they spot the attacker moving around inside? It sounds like it all comes down to data data.

Speaker 2

It really does. Defenders are hugely reliant on monitoring and logging, collecting as much relevant data as possible from everywhere they.

Speaker 1

Can, starting on the individual computers, the endpoints.

Speaker 2

Yep, host-based data. This is where modern EDR, endpoint detection and response, platforms are so important. Tools like OSQuery, GRR Rapid Response, Wazuh, Velociraptor. There are great open source options plus commercial ones.

Speaker 1

What did these EDR tools give.

Speaker 2

You incredible visibility, detailed telemetry about processes like what programs started, what, what files did it touch? What network connections did it make? They also look at behavior spotting anomalies, and many offer live response capabilities, letting defenders investigate or contain a machine remotely.

Speaker 1

So it's not just about looking for known bad files, it's watching what things do exactly.

Speaker 2

Watching behavior is key and all this data is also crucial for threat hunting, where analysts proactively search through the data using hypotheses about potential threats. Looking for subtle signs of compromise that might not have triggered an automated alert.

Speaker 1

Makes sense, but you also need eyes on the traffic between machines right absolutely.

Speaker 2

Network-based data is the other critical piece. You get this by setting up network taps or using inline devices like firewalls or intrusion prevention systems (IPS). These let you see the traffic flowing across the network.

Speaker 1

And the source had that analogy. Yeah, it was a good one.

Speaker 2

Host data is like finding a needle in a haystack. Sometimes network data is more like watching the traffic on a highway. You can spot unusual patterns like unexpected connections between servers, data moving where it shouldn't, or those covert C2 channels we talked about.

Speaker 1

Okay, and the tools mentioned here were things like Snort, Suricata, Zeek for analyzing protocols, and Wireshark or tshark for really deep packet inspection. Controlling those network choke points seems vital.

Speaker 2

It really is, and you can't forget application logs either.

Speaker 1

Logs from specific programs.

Speaker 2

Right, logs from your security tools themselves, email gateways, web application firewalls, WAFs, but also logs from your core business applications, think e-commerce platforms, internal APIs. These can show things like weird login patterns, super fast browsing that looks like scraping, or other signs of abuse.

Speaker 1

Okay, that is a mountain of data coming from endpoints, the network applications. How on earth do defenders actually make sense of it all.

Speaker 2

That's where SIEM and SOAR platforms come in. SIEM stands for Security Information and Event Management, SOAR is Security Orchestration, Automation, and Response. Tools like Splunk or the open source ELK stack, Elasticsearch, Logstash, Kibana, sometimes called HELK. They exist to pull all this diverse log data into one central.

Speaker 1

Place, so you can actually search across everything at once.

Speaker 2

Yes, and maybe even more importantly, you can correlate events across different data sources. A single weird login attempt from the firewall might not be alarming. But if you see that plus some strange process starting on the target machine in your EDR logs at the exact same time.

Speaker 1

Okay, now that looks suspicious exactly.

Speaker 2

That correlation is powerful. This is where defenders configure alerts, often using complex logic. If you see event A and event B or event C, then trigger an alert.

Speaker 1

And the SOAR part adds automation, like playbooks.

Speaker 2

Right, if a really high-confidence alert fires, a SOAR system can automatically run a predefined playbook. Maybe it quarantines the affected computer off the network, blocks the suspicious IP address at the firewall, or temporarily disables the user's account, all without needing immediate human intervention.

Speaker 1

Okay, so all this infrastructure, the data collection, the SIEM, the alerts, it's all geared towards finding the threat. The source really emphasizes that idea, know normal, find evil.

Speaker 2

It's a fundamental concept in defense. If you have a solid understanding of what normal, legitimate activity looks like on your network and your systems, what processes usually run, who usually logs in from where, what traffic patterns are typical, then the anomalies, the evil, will stand out much more clearly.

Speaker 1

It requires baselining, and once they do find a threat, The source talks about the importance of root cause analysis or RCA. Why is digging into the how so critical?

Speaker 2

Because just kicking the attacker out isn't enough if you don't figure out how they got in originally. Was it a phishing link, an unpatched server, stolen credentials, You haven't fixed the underlying vulnerability.

Speaker 1

And they'll just get back in the same way exactly.

Speaker 2

You have to close the door they used, otherwise you're just playing whack a mole. RCA is about learning from the incident to prevent it from happening.

Speaker 1

Again, and defenders use all this data and analysis to try and spot the attacker's attempts at deception, like the rootkits and covert C2.

Speaker 2

We discussed, absolutely. Detecting rootkits might involve looking for weird inconsistencies, like a process is running but doesn't show up in Task Manager, or you can cd into a directory that ls claims doesn't exist. For covert C2, they might use frequency analysis on DNS requests, looking for hosts making unusually regular lookups, or analyze traffic patterns for other anomalies.

Speaker 1

I thought it was interesting that source also mentioned defenders using deception themselves.

Speaker 2

Yeah, fighting fire with fire, right. Yeah, deploying deception technologies like honeypots. These are decoy systems deliberately made to look attractive to attackers, like bait, exactly. They sit there looking vulnerable, and the moment an attacker touches them, alarms go off. Tools like T-Pot or Artillery can set these up, or you can use honey tokens, things like fake AWS keys, fake database credentials, or even fake user accounts scattered around.

Speaker 1

And if anyone tries.

Speaker 2

To use them, bingo, you know someone's poking around where they shouldn't be. It turns the attacker's own methods against them.

Speaker 1

Clever, Okay, So an attacker is found, maybe the root cause is being investigated. What are the immediate actions defenders.

Speaker 2

Take response and containment. You need to stop the bleeding and get the attacker out. This can range from simple things like killing their processes, kill nine toutch nine on Linux as the classic, or blocking their IP addresses using firewall rules like with iptables. More significant, yeah, like network quarantine, taking the compromised machine completely off the main network. This stops the attacker from using it to jump to other systems, lateral movement, while the security team investigates and cleans it up.

Speaker 1

The source also mentioned ways to lock down files even if the attacker gets high privileges.

Speaker 2

Right, using native OS features. On Linux, there's a command, chattr +i. Setting the immutable flag on a file means nobody, not even the root user, can modify or delete it without first removing that flag. It's a great way to protect critical configuration files.

Speaker 1

Or logs, simple but effective, and limiting the blast radius if they do get in.

Speaker 2

Using techniques like chroot. This basically creates a little jail for a process, restricting its view of the filesystem to just one specific directory. So if an attacker compromises, say, a web server running inside a chroot jail, for Verlado. They can only see and affect files within Varderdoo. They can't easily access the rest of the system.

Speaker 1

Not perfect security, but slows them exactly.

Speaker 2

It limits the scope of the compromise. And of course a crucial step is always rotating any passwords or credentials that might have been exposed during the incident.

Speaker 1

Okay, we've covered a lot of the tactical back and forth, but the source also widens the lens a bit. Talks about this ongoing intelligence war.

Speaker 2

Yeah, both sides are constantly doing research and gathering intel. For attackers, it's offensive research before they even launch an attack. They're mapping the target's network, trying to understand user privileges, figuring out the org chart for potential social engineering targets.

Speaker 1

Why do they do that?

Speaker 2

Tools like BloodHound are amazing for visualizing relationships in Windows Active Directory environments, finding attack paths. They might scrape internal company wikis if they get access, look for leaked passwords online, or use tools like Hydra to try and guess passwords by spraying common ones across many.

Speaker 1

Accounts, basically casing the joint before the break.

Speaker 2

In pretty much, and defenders are doing their own defensive research and threat hunting. This involves threat modeling basically trying to think like an attacker, where are weak spots, how would someone try to.

Speaker 1

Get in, anticipating moves right, and.

Speaker 2

Threat hunting, which we touched on proactively searching through all that log data for signs of threats based on the latest intelligence about attacker techniques or just based on security hypotheses.

Speaker 1

The source had that example of the University of Virginia CCDC team building their own tool, BLUESPAWN.

Speaker 2

Yeah, that's a perfect illustration. They were in these competitions, they saw common attack techniques and they used their research time to build a tool specifically to detect that stuff automatically. That's defensive innovation driven by understanding the offense, and.

Speaker 1

That innovation cycle just keeps spinning, right. The source mentioned that Rocket.Chat zero-day from the CPTC competition.

Speaker 2

Oh yeah, that was wild. It showed how valuable research during downtime can be. Some students basically found a brand new vulnerability, a zero-day in the Rocket.Chat software, by digging into an API function and finding a flawed assumption the developers made and.

Speaker 1

They used it during the competition against.

Speaker 2

The competition's own infrastructure. Yeah, it was a powerful demo of deep research finding unexpected flaws. The source also brings up things like dependency hijacking or supply chain attacks, like that work by Alex Birsan, exactly. He showed you could sometimes trick companies' internal build systems into pulling malicious code from public package repositories like PyPI or npm, just by giving your malicious package a higher version number than the real internal one. Now defenders use tools like repodiff to try and spot suspicious changes in dependencies.

Speaker 1

It shows attackers are looking at every single step in the process, not just the final application. The source also touched on more advanced ways attackers hide where they're coming from.

Speaker 2

Yeah, going beyond just basic VPNs or Tor, we're talking about building complex anonymity networks, chaining multiple encrypted tunnels through different cloud providers, for instance.

Speaker 1

Why has that helped them.

Speaker 2

Because no single provider sees the whole picture. The entry point doesn't know the final destination and the exit point doesn't know the original source. It makes tracing the traffic back incredibly difficult.

Speaker 1

And those specialized competition networks like CCDC's grid.

Speaker 2

That simulates millions of fake Internet addresses. In a real attack, that could be like using a massive botnet. It just overwhelms simple defenses like IP address blocking. It forces defenders to look beyond simple indicators like IPs and focus more on behaviors.

Speaker 1

And even hiding data within other data, steganography.

Speaker 2

Yep, hiding messages or code inside image files, maybe by slightly altering the color values of pixels, least significant bit or LSB steganography, or even hiding commands in seemingly innocent text files using whitespace or special control characters. The tool PacketWhisper was mentioned, using DNS combined with a cipher to hide stuff in subdomain lookups.

Speaker 1

So many layers of hiding. Okay, Finally, the source talks about what happens after an incident is over the aftermath, right the post mortem.

Speaker 2

This is absolutely crucial, and the source stresses it's not about blaming people. It's a structured review of what happens.

Speaker 1

That's the goal.

Speaker 2

To map out the timeline, confirm the root cause analysis super important again, to prevent it from happening again, and identify areas where processes or tools could be improved. It should be a brainstorming session learning from the experience, and.

Speaker 1

The source also highlighted publishing results sharing the intel.

Speaker 2

Yes, this is huge for the whole community. It connects to that military concept, the F3EAD cycle. Find, fix, finish, exploit, analyze, and crucially, disseminate. Share what you learned, like.

Speaker 1

The FireEye example after SolarWinds.

Speaker 2

Perfect example. When FireEye shared the technical details, the indicators of compromise (IOCs), and the attacker techniques they discovered, it allowed thousands of other organizations worldwide to check their own systems. It created a kind of herd immunity, uncovering related compromises and massively boosting collective defense. Sharing makes everyone stronger.

Speaker 1

That makes total sense. Wow. Okay, that really was a deep dive into this world of adversarial tradecraft. Pulling directly from this source material, we've seen the core principles, the offense trying to get in and hide, the defense trying to detect and respond, and this constant intelligence battle driving innovation.

Speaker 2

It really hammers home just how dynamic cybersecurity is, doesn't it. It's not static. Both sides are constantly learning, adapting, pushing the boundaries. You really have to understand your opponent's likely moves their playbook, whether you're trying to build defenses or well test them, and.

Speaker 1

Hopefully getting this clearer picture of the strategies, the specific techniques, and those underlying principles gives you, our listener a better framework, maybe helps you cut through some of the jargon, understand the news reports about breaches a bit better, and just appreciate the complexity behind the headlines.

Speaker 2

Yeah, and thinking about that relentless cycle, the innovation, the adaptation, and you know, just the raw human creativity involved in both breaking systems and defending them, it kind of leaves you with a big question, doesn't it.

Speaker 1

What's that? Well?

Speaker 2

How do organizations, how do we make sure our defenses can actually keep pace, not just with the threats we already know about, but with the completely unpredictable innovative stuff that attackers will inevitably come up with next. What does that constant pressure to adapt really mean for how we allocate resources, how we build our defensive strategies in the real world. It's a tough one.

Transcript source: Provided by creator in RSS feed