This next to last phase of The Online Operation Kill Chain seems to me like it belongs right at the start. If you’re up to no good, getting a grip on things seems to me to be a thing you’d do before anything else, rather than at the end. Your special forces land BEFORE the invasion begins, not after the main body has swept through the area.
Dealing with this sort of thing has been a daily part of my life for the last twelve years. There has been wisdom about countering it sprinkled all through September’s boot camp and the Tool Time posts.
Attention Conservation Notice:
I guess it can’t hurt to review this stuff, since many of you are standing on the edge of the scrum, debating whether to step onto the field.
Manners of Compromise:
The actual TOOKC document lists the following examples of compromise as bullet points.
Phish email logins.
Using compromised email to access social media.
Social engineering targets to get credentials.
Acquiring admin privileges on social media assets.
Installing malware on victim servers.
The text above those bullet points mentions a few other supporting activities in the same vein. This is all very systems-focused stuff, which has been addressed from the defensive side in the Tool Time posts. Regarding Your Ass was an early appeal to those of you who are going onto the field, a recitation of the bad stuff that was visible in mid-September.
Unlike the activities in targeted engagement, these things are obviously across the line defined by 18 U.S.C. § 1030, aka the Computer Fraud and Abuse Act. The only occasion I can recall where someone got in trouble for a single account intrusion was the time when 5hm00p cracked Soulja Boy’s Twitter and announced that there was a party at Jen Emick’s house, a short drive from Detroit. But if you are a big enough nuisance, which 5hm00p certainly was, you could very well get in trouble doing such things; this is a place where an excess of success is a definite hazard.
Defense In Depth:
My role for these last many years has been defending small groups that might face stuff like this. The most aggressive things I do are in the realm of passive recon.
Observing visitor origins in web sites I control.
Starting to play with Canary Tokens a bit.
HUMINT elicitation.
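The first two items above are the kind of passive recon that lives entirely in your own web server logs. As an added example (not the author’s own tooling), here is a small Python script that does both: it parses Apache/nginx “combined” format access lines, counts visitor origins and referrers, and flags any request to a canary path, a URL that is never linked anywhere legitimate, so a hit means someone found it by scanning, by opening a seeded document, or by following a planted link. The log lines and the canary paths are constructed for illustration; the `summarize()` and `noisy_origins()` function names are mine.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format:
#   ip ident user [timestamp] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical canary paths: nothing on the site links to these, so any request
# to them is a signal, not noise. A 404 is fine; you only care that it was asked for.
CANARY_PATHS = {"/wp-admin/backup-2023.zip", "/.well-known/dossier.pdf"}

# Constructed sample log. The addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Nov/2023:08:01:12 -0500] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Nov/2023:08:01:13 -0500] "GET /about HTTP/1.1" 200 2211 "https://example.net/" "Mozilla/5.0"
203.0.113.7 - - [14/Nov/2023:08:01:15 -0500] "GET /posts/what-hunts-you HTTP/1.1" 200 8800 "https://example.net/" "Mozilla/5.0"
198.51.100.23 - - [14/Nov/2023:08:02:40 -0500] "GET /.well-known/dossier.pdf HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.44 - - [14/Nov/2023:08:03:01 -0500] "POST /wp-login.php HTTP/1.1" 403 0 "-" "curl/8.1.2"
this line is not in combined format and is skipped
"""


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines, canary_paths=CANARY_PATHS):
    """Aggregate visitor origins, referrers, and canary hits from an iterable of log lines."""
    hits_by_ip = Counter()
    referers = Counter()
    canary_hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-combined line; ignore rather than crash
        hits_by_ip[rec["ip"]] += 1
        if rec["referer"] not in ("-", ""):
            referers[rec["referer"]] += 1
        if rec["path"] in canary_paths:
            canary_hits.append((rec["ts"], rec["ip"], rec["path"], rec["ua"]))
    return {"hits_by_ip": hits_by_ip, "referers": referers, "canary_hits": canary_hits}


def noisy_origins(summary, threshold=3):
    """IPs at or above `threshold` requests in the window, busiest first."""
    return [ip for ip, n in summary["hits_by_ip"].most_common() if n >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("top origins:", s["hits_by_ip"].most_common(3))
    print("referrers:", dict(s["referers"]))
    print("noisy:", noisy_origins(s))
    for ts, ip, path, ua in s["canary_hits"]:
        print(f"CANARY {path} hit from {ip} at {ts} ({ua})")
```

Two caveats a practitioner would add: the referrer and user-agent are client-supplied and trivially forged, and the source address may be a CDN edge, a VPN exit, or a Tor relay rather than the visitor, so treat all of this as leads to be correlated, not as identities. The canary check is the most reliable of the three signals precisely because it does not depend on anything the visitor tells you.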
Recall what I said in What Hunts You? I personally expect to encounter corporate security, corrupt law enforcement, and frivolous litigation artists. The country seems to be coming to a point where the first and last will be getting worse, while law enforcement appears to be on the verge of a much needed enema.
Those of you reading this are liable to have broader, but less focused exposure. I’m a pain in the ass to get close to on a technical level and I react hard and fast to the slightest sign of trouble. You are perhaps still using a single computer with a consumer OS or maybe even your smartphone, the one that actually IS you. If you’re going to do more than just passively observe, you’ll need to get familiar with defensive measures.
The things I’ve said here about systems were current advice as of the fall and winter of 2023, but I’m taking a further step by Getting Serious About Qubes. While writing this I’ve periodically kicked off and done a half turn while rolling so I can check in on Qubes installation stuff on my spare workstation. I’ve settled my issues with 4.2.0rc5 and I’m now messing with a couple of SATA drives and a couple of PCIe NVMe drive carriers. Qubes security against intruders is intense; the provisions for losing a physical device are nascent at best. I’ll trust it more when I can boot from a high endurance SSD and keep all my stuff on a mirrored pair of spindles. They’re just starting to include ZFS in the base install and it’s not accessible to the point where I can do this yet.
The bigger issue, which is harder, and AI is going to make it more so, is securing your wetware. I’ve written several things about this:
Paranoia: Pathological or Professional? - if you’re in an area where you know there’s surveillance and infiltration, you have to come to a functional level of this.
Stop Ingesting Crap - good advice, unless you’re tasked with getting at some source of crap, in which case you should forget about any factual analysis in the area.
Angoraphobia - if you can’t stand fuzzy, let someone else do the initial collection and filtering.
It’s not a game any more, and hasn’t been for years. It’s an actual conflict zone, and you can either do what’s required to survive, or not. But rest assured your results will be, at least to some degree, based on the efforts you make.
Conclusion:
I could go on about this, but the people who are successful are engaged in mindfulness meditation, reading Richards J. Heuer and Randolph Pherson’s work, and hardening their systems. There are no shortcuts in this area, I expect AI is going to turn every outing into a trip to Praia do Norte in 2024.