Adversary interaction: Indicators of sophistication

There are no absolutes, including the absence of absolutes. As such, any discussion of adversary sophistication is whimsical at best and likely reliant on chains of logic that break at their weakest link. If you can accept that, consider the following.

1) What you see on a network is determined by the tools and techniques of the adversary.

2) An unsophisticated adversary will leave a trail of bread crumbs to be followed.

3) A sophisticated adversary will leave a trail of bread crumbs to be followed.

The difference between point #2 and point #3 is that the unsophisticated adversary is genuinely operating at the edge of their capability. The sophisticated adversary selectively exhibits particular behaviors in order to draw attention to particular procedures and tools.

Related to this is the escalation ladder of adversary behavior. One of the reasons the kill chain isn't as disruptive as some hope is that adversary sophistication operates around the nuances of the target network's capabilities. The adversary will use the lowest-level, most commodity tools that will do the job. As the adversary's sophistication or resources grow, the ladder of capability (secondary and tertiary attack techniques) grows with them.

If I see a low-brow drive-by attack on a highly vulnerable browser, I have little to go on. If I see a reverse proxy attack on a crypto algorithm from a state-owned network node (looking at you, Great Firewall!), I have an entirely different level of sophistication to think about.

Why do we care?

If adversary motivation and capability are an important part of threat hunting and of evaluating risk to the network, then we really do care. We care because the first actual exploitation attempts will almost always be low-brow, but adversary escalation is an important indicator of capability and persistence. This is one reason why attribution matters. I need to track classes of adversaries as closely as possible so that I can identify and follow them if they do breach the sanctuary of the network.
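As an added example (not from the original post) of making the escalation ladder described above and the tracking argument in this section checkable: a small Python sketch that, given intrusion attempts tagged with a ladder rung per attributed actor cluster, reports which clusters are climbing the ladder and ranks them for follow-up. The tier names, the actor-cluster labels and the event sample are all constructed assumptions.

```python
from collections import defaultdict

# Capability ladder from the post: commodity tools at the bottom, secondary and
# tertiary techniques above. The tier names and rung numbers are assumptions.
LADDER = {"commodity": 1, "secondary": 2, "tertiary": 3}

# Constructed sample of intrusion attempts: (day, actor_cluster, technique_tier).
# actor_cluster is a hypothetical label from whatever attribution the hunt team has.
EVENTS = [
    (1, "cluster-A", "commodity"),   # drive-by against a vulnerable browser
    (2, "cluster-A", "commodity"),
    (3, "cluster-B", "commodity"),
    (5, "cluster-A", "secondary"),   # moved up a rung after commodity attempts failed
    (9, "cluster-A", "tertiary"),
    (10, "cluster-B", "commodity"),
]

def escalation_profile(events):
    """Per actor cluster: highest rung reached, number of times the rung went up
    between consecutive attempts (the escalation indicator), and persistence."""
    by_actor = defaultdict(list)
    for day, actor, tier in sorted(events):          # chronological order
        by_actor[actor].append((day, LADDER[tier]))
    profile = {}
    for actor, seq in by_actor.items():
        rungs = [r for _, r in seq]
        climbs = sum(1 for a, b in zip(rungs, rungs[1:]) if b > a)
        profile[actor] = {
            "highest": max(rungs),
            "climbs": climbs,
            "escalating": climbs > 0,
            "first_seen": seq[0][0],
            "days_active": seq[-1][0] - seq[0][0] + 1,
        }
    return profile

def prioritize(events):
    """Rank clusters for follow-up: highest rung first, then number of climbs,
    then how long the cluster has been working the network."""
    prof = escalation_profile(events)
    key = lambda a: (prof[a]["highest"], prof[a]["climbs"], prof[a]["days_active"])
    return sorted(prof, key=key, reverse=True)

if __name__ == "__main__":
    prof = escalation_profile(EVENTS)
    for actor in prioritize(EVENTS):
        print(actor, prof[actor])
```

A cluster that keeps failing with commodity tools and never climbs stays at the bottom of the list; one that climbs after each failure is the persistent, capable adversary the post says is worth the blood and treasure.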

Knowing what they used to get in is one part of the problem. Knowing how to kick them back out is another. Knowing at least broadly who they are will determine the blood and treasure I will expend to kick them out and make sure they never return. There is a big difference between an adversary who was lucky to get in and a slow, sophisticated crawl into the network.

The big difference isn't in the attack strategy; it is in the impact, both short- and long-term, to my enterprise, business, or even nation-state.
