CNA Tactics: a first proposal

(Editor’s note: this post was originally published in the Spanish version of Security Art Work on 11th November 2019)

Today we have a doctrinal and somewhat metaphysical article… I.e., something dense. Be warned :)

Within CNO (Computer Network Operations) we find three types of capabilities or actions: CND, CNA and CNE (Defense, Attack and Exploitation respectively).

While CND obviously deals with the defense of technological environments against attacks that are also technological —not against a missile that hits a Datacenter—, CNE operations and capabilities focus on the acquisition and exploitation of information through networks and computers: what we currently call cyberspying. For its part, CNA, Computer Network Attack, refers to what is often identified with purely destructive operations (the famous “4D”: disrupt, deny, degrade and destroy).

Any actor that executes CNO operations develops TTP (Tactics, Techniques and Procedures) to achieve its objectives; without going into the more formal definitions of the US military literature, tactics specify what an actor does, techniques specify how a tactic is implemented and procedures define a particular implementation —depending even on the person who applies them— of that tactic; this approach, from the higher level to a more operational level, models the behaviour of an actor, something similar to what is usually called its modus operandi.

As these TTPs are critical in modelling threats, for example APTs, thus facilitating their understanding —and the attribution of their actions— much work has been done to identify and structure TTPs (actually, more with regard to the two ‘T’s than the P). Undoubtedly the greatest effort, or one of the greatest, is linked to MITRE ATT&CK, a public source of information on the techniques and tactics of advanced hostile actors.

But this effort, including the enormous work carried out by MITRE, has been focused more on the tactics and techniques linked to CNE than on those linked to CNA. In fact, until this year, ATT&CK barely referred to the latter, and currently only one tactic is identified, called “Impact”, which groups together all the destructive techniques identified, from defacement to wiping or destruction of information.

What could be the reason for this lack of attention to “destructive” tactics and techniques? Perhaps two reasons justify it: the first, that most of the actions linked to advanced actors refer to cyber espionage, CNE, and the second, that almost any serious CNA operation requires a prior CNE operation in the target, to steal information and acquire knowledge to increase the potential damage. However, especially during the last few years, CNA operations by advanced actors —for example, APT28— are coming to light and becoming increasingly important, especially if we take into account the attacks against systems essential to society, including control systems capable of causing severe physical impact on the target.

It is necessary to identify and structure the tactics and techniques linked to CNA operations, as has been done in the CNE field. Very little work has been performed in that regard, at least in comparison with CNE tactics and techniques, so it is sometimes necessary to resort to work related to electronic attack (EA), a capability within Electronic Warfare, a discipline at the same level as CNO (Computer Network Operations) within the field of information operations.

We can start with the simplest part: the tactics. What are the tactics linked to CNA? Earlier we talked about the “4D”: degradation, disruption, denial and destruction. The degradation of a target denies its access or operation up to a certain level, usually represented by a percentage; if that percentage is 100%, we speak of disruption (interruption), a complete but temporary denial of access or operation. For example, a distributed denial of service against a web server may simply degrade access to it or interrupt it completely, but when the attack ceases the server can be accessed again (hence the time factor in the definition); conversely, a destructive attack against a target denies access or operation completely and irreparably: it cannot be returned to its correct state without completely rebuilding it.

Where is, then, the “denial” tactic within CNA? Modern doctrines no longer consider this “D” as a tactic, but a sort of metatactic, an objective to be achieved thanks to other tactics; in other words, we can deny the access or operation of a target by degrading it, interrupting it or destroying it. Denial is thus an “umbrella” term for the pure tactics within CNA: degradation, disruption and destruction.

Apart from these “3D”, again according to the most recent doctrine, an additional tactic appears for CNA operations: manipulation, control or alteration of information, the systems that manage it or the target’s networks, in such a way that it supports the attacker’s needs (in this case, denial in any of its modalities: destruction, interruption or degradation).

What is the difference, then, between a manipulation that degrades and a degradation? Very subtle: mainly, the manipulation is not immediately perceptible, it is not easy to detect. A distributed denial of service (interruption or degradation) or the irreversible encryption of files (destruction) is identified by the victim almost immediately… if the tactic used by the attacker had been manipulation, the impact would certainly have been more prolonged and difficult to perceive, and therefore a priori much more harmful.

In summary, when we talk about CNA operations or capabilities we have four major tactics to consider: degradation, disruption, destruction and manipulation. And the techniques to execute each of them? That study is more complex, with even fewer references, and is therefore a work in progress for a future post…
