Cyberattack Decision Calculus

Joe Nehila
12 min readAug 12, 2020


I favor the term “decision calculus” when discussing most management decisions and, notably, when evaluating cyberattacks and cyber threat actors (CTA or “threat”).

The term was coined by John D. C. Little of MIT’s Sloan School of Management in his 1969 paper, “Models and Managers: The Concept of a Decision Calculus,” in which he wrote that “a manager tries to put together the various resources under his control into an activity that achieves his objectives.” More recently, decision calculus has been refined as “quantitative models of a process that are calibrated by examining subjective judgments about outcomes of the process under a variety of hypothetical scenarios.”

Process. Calibration. Subjective Judgments. Hypothetical Scenarios. Enter Cyber!

Cyberattackers often follow a rubric for decision making (formal or informal); the more sophisticated the threat, the more robust the inputs to the calculation. Although Little used marketing as his example, I find it remarkable how adaptable his concept is and what he highlighted as the key characteristics of a decision calculus. Namely, the model should be (a) Simple, (b) Robust, (c) Easy to Control, (d) Adaptive, (e) Complete on Important Issues, and (f) Easy to Communicate with.

So how might it look if we apply this decision calculus lens to a prospective cyberattack scenario as examined by a CTA?

Scope

Let’s examine a hypothetical state actor considering an attack on a US commercial entity (target). This will inform their “Adversarial Mindset.” For the purposes of our illustration, our CTA will be a Nation-State. Per SANS:

Nation-State actors aggressively target and gain persistent access to public and private sector networks to compromise, steal, change, or destroy information. They may be part of a state apparatus or receive direction, funding, or technical assistance from a nation-state. Nation-state has been used interchangeably with Advanced Persistent Threat (APT); however, APT refers to a type of activity conducted by a range of actor types.

Motivation: Espionage, political, economic, or military

Affiliation: Nation-states or organizations with nation-state ties

Common TTPs: Spear-phishing, password attacks, social engineering, direct compromise, data exfiltration, remote access trojans, and destructive malware.

There needs to be more work done at an industry level in classifying Nation-States because there is a huge range. For our purposes, this CTA will be an advanced actor with significant capabilities (but not apex), willingness to use them, and a lower profile; an example might be France, Pakistan, or Singapore.

The “Flag” in this case is intellectual property data that will be provided to a well-positioned company based in the threat’s host country (HC: the CTA’s country of origin). This recipient firm will produce the technology domestically and become a potential trade rival to the target in the future. Therefore, the CTA has an economic motivation. They would be happy to score other valuable data, including projects where the target works with its local federal government and other sensitive programs and technology; this said, these are distinctly secondary objectives.

Tabletop Exercise

After a senior manager of our CTA outlines the mission, planning commences. Our omniscience allows us to surmise that the directive has come from a Deputy Minister of Trade, who got it from his minister who was directed by the HC’s Prime Minister. This mission has come from the top.

The trade restrictions placed on this technology are frustrating. Our HC does not want to be dependent on an erstwhile foreign ally. This dependence is slowing technological advancement, and the gap between what is exported to the HC and what the target makes available to its own local federal government (LG: the target’s local federal government) hampers our HC’s military. Our CTA works in the cyber component of a security service.

The number of participants is kept to a minimum during exploratory conversations. The task is handed to a program manager, along with an engineering team lead, an operations country lead, counterintelligence, the CTA’s military liaison, and an analyst. The team’s PM tries to tease information out of their military counterpart regarding capabilities and available assets, but it’s clear that communication between the CTA and the military will be one way. At this point the Ministry of Trade has bowed out and the Prime Minister has made it clear that the military will make the go/no-go calls.

Credit: Campus Safety HQ Magazine

Planning Commences

This is probably where the CTA’s sophistication matters most. They will want the operation itself to be as (a) SIMPLE as possible. Simplicity will look something like the fewest people involved to give the operation the highest likelihood of success, the fewest possible moving pieces, and the “simplest” possible solution. For example, the team will evaluate what Zero Day exploits they have in their arsenal but will be happy to see that Admin/Admin works on a piece of poorly secured networking hardware. They will surely also test unpatched CVEs if they can get any evidence of the systems/software in place at the target.

Now, in order to generate a (b) ROBUST solution filled with pre-authored (d) ADAPTABILITY (Plans B, C and D), and to begin considering what could possibly go wrong and how to overcome it, the CTA will begin reconnaissance. This will vary widely by actor, but everyone will look for Open Source Intelligence (OSINT). They will do recon as surreptitiously as possible.

What will they find about the target? Generally speaking, we can assume there will be some press releases discussing hardware purchases, infrastructure, and configurations, authored either by the target’s vendors or by their own PR team. You might find conference talks, videos, white papers, and research papers from before and after team members joined the target, etc. Our CTA will find plenty of useful details in the actual data present on target team members’ LinkedIn profiles, as well as inferences based on obvious connections (a decent percentage of your team have Cisco certs…).

Many of the CTA’s decisions will be shaped by how covert they want to keep the operation, what the timeline is, and the assets available. If they have a reasonable degree of confidence that they can hide their hand, they may run some job postings to lure applicants from your firm, from whom they can suss out more details. Our CTA will almost definitely send some job solicitation messages through a platform like LinkedIn to any of the target team members who have said they are “open to new opportunities.” Most of these measures are considered lower risk operational components and unlikely to meet much resistance from the military making approvals.

Next, the threat might find a person from their own ranks, a trusted contractor, or their military liaison to run into the target as an applicant. This is a fairly low-risk step although it does not come without any potential risk or blowback. A few audacious Red Team ops include having on-site applicants try to install a piece of malware while visiting the target. This normally comes much later because it would most likely be considered “operational” and come as an act of desperation or indication of lack of proper security practices by the target discovered during the planning phase.

The same would be said of fabricating a badge and sending someone inside a facility; this would be a clear operational act and is generally reserved for when the threat “owns the turf.” However, the same HC security service, or trusted liaisons from domestic law enforcement, might surveil, video record, wiretap, or use other mechanisms with little worry. If the target has an office with sensitive information in the home country and the CTA felt they could sneak someone in and out, they may do so, but for this exercise we’ll assume there is no such local office available for our threat to exploit.

These steps link back to SIMPLE in that the threat is trying to minimize the potential for exposure and the risk to its personnel, capabilities and tools. This may sound complex, but I would argue these would be the basic steps of a mid-range threat actor. It’s ironic that the third piece of a decision calculus is (c) EASY TO CONTROL; in the standard application of decision calculus, easy to control means that inputs should correlate to outputs. In our cyber evaluation, we will consider EASY TO CONTROL as the desire to keep as many parts of the operation as possible in our control, i.e. not up to chance. CONTROL often also equates to risk of exposure and a minimum number of knowledgeable individuals.

OPERATIONAL TIP TOEING

Some cyber tactics and programs could reasonably be expected during the planning phase as we transition into an operation. A more sophisticated actor will want to keep much of this to a minimum because they would not want to inadvertently tip off the target, causing them to harden their defenses. Different CTAs would consider the use of a program like Nmap an operational step, whereas others might consider it recon. Our CTA uses Nmap and similar tools as a matter of procedure when evaluating all operations after doing OSINT research. Metasploit is considered an operational act, albeit one that is routinely rubber stamped.

Based on the background outlined about our threat, one could reasonably imagine the cyber team facing mounting pressure as time elapses. The military, which has the ear of the Prime Minister, does not like waiting and did not expect the planning for this operation to take so long. Many cyber teams might look like cowboys in the cyber-wild-west to managers, and that can certainly be true. In this case, the threat is more conservative and wants to take a slow and measured approach. They know how effective social engineering campaigns are and consider them fairly low risk. The military, however, threatens that if the team does not use Metasploit to at least evaluate config issues and unpatched CVEs, gather more info from a fake job seeker and conduct other baseline operational acts, the military will start to take these steps itself.

The threat is being threatened and the risk of the program sliding outside their CONTROL is enough to make them ADAPT. They have some preliminary information and will use a trusted pentester that reports to the engineering manager and an intern related to a high-level manager to be the fake job seeker. The PM hopes this will give them enough time to be (e) COMPLETE ON IMPORTANT ISSUES and build a robust ops strategy for the digital heist.

Credit: Wikicommons

For the purposes of input, we will assume that Nmap turned up some issues that are not out of the norm but might provide an opening, and that a few Metasploit results emerged: mostly to-be-expected, just-announced CVEs, but one or two older ones that surprised the team. To date, everything the team has done has been external pinging and prodding; they have not tried to access or penetrate the system.

The job seeker had mixed results; the candidate made it through the ATS screening and the recruiter screen and was interviewed by a senior engineer. The senior engineer was relatively impressed by their credentials and capabilities but found that the interviewee talked too much, so the engineer couldn’t get through their interview questions in the time allotted. The candidate went back and forth with the engineer on system questions, certs they might be expected to hold in the job, and all sorts of things that didn’t especially stand out. All said, the introverted engineer felt the person would be a pain to work with and did not select them to move forward, because the engineer couldn’t give a good write-up having had to omit so many questions. Meanwhile, the candidate got some useful info, though not as much as they might have if they had advanced.

CYBERATTACK

With all this valuable data (OSINT, recon, fake jobs, a fake job seeker, etc.), the attack vectors have been outlined. The plan feels relatively ROBUST with some remaining contingencies. The final piece of decision calculus is (f) EASY TO COMMUNICATE WITH. The classic definition of this step is the ability to change inputs and quickly obtain outputs. In our case, it connects more closely to the ability to brief the operation to a decision maker easily and to the need for the moving pieces to be interchangeable. There is an obvious dependency on SIMPLE and ADAPTABLE here; keep it simple, stupid (KISS) matters, especially when seeking buy-in from other stakeholders, and, like a good legal argument, severability is important. Severability for our threat means that if some pieces don’t work, they can be subbed out without killing the operation as a whole organism.

After examining all the facts, the operational leadership team gets together to formulate and agree on a plan. The engineer briefs that they do have Zero Days, new tools, and even replicated tools from other APTs available. The team surmises that it would be most advantageous to try to exploit a known CVE or a hardware misconfiguration (in that order). They don’t want to risk the target hardening the system in response to an extensive spearphishing campaign, and the military won’t wait on a slower social engineering campaign, especially given that results are not guaranteed.

The details from the interview are enough to cobble together a first draft of a crucial parameter: data exfiltration. The CTA has a primary plan, a secondary and a tertiary. That said, the seniors and the team are not concerned about long-term persistence in the system or about being uncovered if they have already captured the flag. They agree that if worse comes to worst, creating a user allows them to simply email the material out.

More importantly, outside factors have contributed to moving up the timetable a bit. The target is in a row with another country over similar trade policy issues, and the team believes there is a high likelihood of misattribution if they act fast. The threat has decided to use a few of the TTPs associated with that country’s group and a server in a country commonly used by them, potentially burning one resource. The leadership team feels it’s justified to hide their hand a little, but the PM and analyst have prevailed upon the military and senior leadership to avoid revealing how closely they can mirror the other country’s APTs by using only a few tricks.

With final prep looming, the CTA ran diagnostic tools earlier in the week and confirmed that the CVEs they originally found still exist. On the off chance that they are dealing with a honeypot, the team will launch an attack with multiple vectors (including a hardware exploit), pivot, establish credentials and escalate two separate admin accounts, and either or both will try to pull the data. If they are not caught, they will try to establish persistence with the second account and remove the first after exfil, log manipulation, etc.

The threat doesn’t want to run the risk of the system being hardened or of prompting a close forensic examination, which is why they plan to burn the offending account rather than leave it in place, regardless of the level of “success.” With the second account in place, they will establish another persistence mechanism shortly thereafter to enable exfiltrating secondary target data at their leisure. The team explains all of this to their management, but with the military, they stop short at the simultaneous attack and covering their tracks. The military liaison has agreed to let most of the people following this in the military believe the op will be over after they succeed, but has briefed command that the goal is actually to remain in the system for future exploitation.

Besides all this, the operations country lead has quietly tasked his team with developing an insider and believes they may be making progress with one of the applicants to their fake job. This has all been stalled until the technical operation is completed, to minimize the likelihood that a security examiner can draw a connection. The PM agrees with the country lead that this will be far easier with an asset in place!

THE END

I will leave it to your imagination to decide what happens from here. The theoretical planning, the actors, tools, TTPs: there is much more to say. I believe this is a fair assessment of a Nation-State threat with a middle-of-the-road capability. We placed some decent restrictions on them to make the cyberattack more cyber-focused. Specific to the decision calculus, you can see how a variety of elements inform decisions: capability, available resources, assets, timeline, downward pressure, threats to the threat, risk tolerance, risk of exposure, blowback, even current events, to name a few. The operation is also distinctly molded by the objectives. This is how Decision Calculus might look applied to cyberattacks and why it’s a superior mechanism for cybersecurity considerations if you are part of a Blue team.
