
Goals are nearly impossible to detect (directly), but they are almost always the toughest question C-level leaders ask about post-breach: "Who was it and why?" These kinds of questions can never truthfully be answered unless you are operating at Detection Maturity Level 8 against your adversary and can prove reliably that you know what their goals are. Short of that, it is guessing at what the adversary's true intentions were based on behavioral observations made at lower DMLs (e.g. data stolen, directories listed, employees or programs targeted, etc.). I anticipate less than a handful of organizations truly operate at this level, consistently, against the threat actors they face, because it is nearly impossible to detect based on goals alone.

Depending on how organized and sophisticated the adversary's campaigns are, these goals may not even be shared with the operator(s) themselves. If the actor is part of a larger organized operation, they may be receiving their goals from a higher-level source or handler. In cases of non-targeted threat actors, this may be much less organized or distributed.

If the adversary's high-level goal is to "replicate Acme Company's Super Awesome Product Foo in 2 years or less," their supporting strategies might include:

1. Implant physical persons into the companies that produce this technology, in positions with physical access to the information necessary to fulfill this goal.
2. Compromise these organizations via cyber attack, and exfiltrate data from the systems containing the information necessary to fulfill this goal.

For less targeted attacks, the strategy may be completely different, with shorter durations or different objectives. The important distinguishing factor about Goals (DML-8) and Strategy (DML-7) is that they are largely subjective in nature. They are very non-technical, and are often reflective of the adversary's (or their handler's) true intentions (and strategies for fulfilling those intentions). For these reasons, they are not easily detectable via conventional cyber means for most private organizations.


