Influence Energy mappings are live!
https://github.com/BoogleCloud/influence-energy/tree/main
These will help you determine threat mappings and ultimately what matters to your organization.
Two takeaways from this initial release:
The primary driver for assigning an energy level was identifying the key one to three abilities someone would need in order to use a capability. The baseline, energy level 0, is someone who can do basic computer tasks such as web browsing, installing an application, or writing email, but nothing further. As this person gains skill, the first thing they learn is the CLI, which is energy level 1. Before you say "oh, CLI is easy," remember that it may only feel easy because you have used it for years. Think of your parent stumbling to type `dir /a`; that is where the IE0 person starts. To use even a public capability, they need to get comfortable with CLI tools, navigate directories, and know where in a command the arguments need editing. Getting there is estimated to take 5-10 hours, so public capabilities land at IE1.
A common pattern of skill progression across public, altered and bespoke capabilities is that public requires CLI knowledge to run a script, altered requires scripting ability to change the script itself, and bespoke requires programming knowledge to perform the technique in a completely different manner. These three correspond to IE 1, 2 and 3 respectively.
When skill levels don't create enough differentiation, the next attribute to look at is detectability of each capability level. Part of the larger security energy framework is that public techniques should be detectable with some kind of signature or fingerprint. Note that this does not mean that such a signature exists or even that it would be useful in terms of false positive rate, just that it could exist.
Similarly, altered capabilities should be detectable with some level of behavioral analysis. The higher level capability is still doing the same "sort" of thing as a public version even if specific artifacts like IP addresses or script fingerprints changed.
Bespoke capabilities should evade both of the above. They should be some kind of novel method and/or target-specific behavior that does not match existing signatures or heuristics. Where possible, these should also include knowledge of the target environment gained through intelligence gathering efforts. These types of capabilities should only be detectable with tailored monitoring of the environment where the defender has a clear understanding of what is supposed to be present and can thus identify things that don't belong.
This helps map techniques like "Exfiltration Over C2 Channel" (T1041), where at first glance there is no clear distinction between "public" and "bespoke." For public, think of packing the file into a C2 channel in a way that retains the default parameters of an open-source framework, which can be signatured.
For altered, assume any signaturable parameters are changed, but heuristics on the data transfer itself (volume, timing, destination) still apply.
For bespoke, assume both the C2 parameters and the amount of data transferred match other traffic in the environment. Detecting this requires digging into what specifically is performing the upload, where it is going, and perhaps long-term analysis of transfer volumes against a baseline.
Similarly for "Transfer Data to Cloud Account" (T1537), the public capability would be some form of transfer to a known bad cloud account. This is most likely to be implemented with some kind of copy/paste command that includes the cloud account name and this command would be signaturable.
An altered form would be to change the command to use a different account and/or target data structure and evade any signatures on the known bad.
Bespoke would be to use an account and/or command form that is familiar and trusted in the target environment.
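To make the three detectability tiers concrete for both T1041 and T1537, here is an added illustration in Python. It is not code from the influence-energy repo or the attack_capabilities.csv mapping. The indicators, account names, hosts, thresholds and log records are all constructed for the example; none are real tool fingerprints. Each sample transfer is run through a signature check (public), a behavioural heuristic (altered) and an environment baseline (bespoke), and the lowest tier that catches it is reported.

```python
"""Signature, behaviour and baseline detection tiers for exfiltration.

Added example for the public / altered / bespoke discussion above.
Not code from the influence-energy project. Every indicator, host,
account name, threshold and sample record below is constructed.
"""
from dataclasses import dataclass


@dataclass
class Transfer:
    host: str        # internal host that made the transfer (constructed)
    process: str     # process performing the upload
    kind: str        # "http" for a C2-style channel, "cloud" for a cloud account
    dest: str        # destination host or cloud account name
    user_agent: str  # client string presented on the wire
    bytes_out: int   # bytes sent in this transfer


# Tier 1 (public): artifacts an unmodified open-source tool leaks.
# Hypothetical indicator values, not real tool fingerprints.
KNOWN_BAD_USER_AGENTS = {"example-c2-framework/1.0"}
KNOWN_BAD_ACCOUNTS = {"attacker-bucket-0001"}

# Tier 2 (altered): heuristics that survive changed artifacts.
EXFIL_BYTES_THRESHOLD = 50 * 1024 * 1024        # 50 MiB in one transfer
ORG_CLOUD_ACCOUNTS = {"corp-backups", "corp-sharepoint"}  # accounts the org owns

# Tier 3 (bespoke): what is supposed to upload where, keyed (process, dest).
BASELINE = {
    ("backup-agent", "corp-backups"),
    ("browser", "corp-sharepoint"),
}


def tier1_signature(t: Transfer) -> bool:
    """Public capability: a known-bad string is present as-is."""
    return t.user_agent in KNOWN_BAD_USER_AGENTS or t.dest in KNOWN_BAD_ACCOUNTS


def tier2_behaviour(t: Transfer) -> bool:
    """Altered capability: artifacts changed, but the transfer still looks
    like exfiltration (large volume, or a cloud account the org does not own)."""
    if t.bytes_out >= EXFIL_BYTES_THRESHOLD:
        return True
    return t.kind == "cloud" and t.dest not in ORG_CLOUD_ACCOUNTS


def tier3_baseline(t: Transfer) -> bool:
    """Bespoke capability: trusted destination and normal volume, so only a
    baseline of expected (process, destination) pairs can flag it."""
    return (t.process, t.dest) not in BASELINE


def classify(t: Transfer) -> str:
    """Return the lowest tier that detects the transfer, or 'undetected'."""
    if tier1_signature(t):
        return "signature"
    if tier2_behaviour(t):
        return "behaviour"
    if tier3_baseline(t):
        return "baseline"
    return "undetected"


# Constructed sample transfers: one per capability level for each technique,
# plus one benign record that should pass all three tiers.
SAMPLES = [
    # T1041 public: unmodified framework user agent
    Transfer("ws01", "updater", "http", "203.0.113.5", "example-c2-framework/1.0", 2_000_000),
    # T1041 altered: user agent changed, but 120 MiB leaves in one go
    Transfer("ws02", "updater", "http", "198.51.100.7", "Mozilla/5.0", 120 * 1024 * 1024),
    # T1537 public: copy/paste command naming a known-bad account
    Transfer("ws03", "backup-agent", "cloud", "attacker-bucket-0001", "corp-backup-client/3.2", 900_000),
    # T1537 altered: account swapped for one the org does not own
    Transfer("ws04", "backup-agent", "cloud", "other-tenant-bucket", "corp-backup-client/3.2", 900_000),
    # T1537 bespoke: trusted account, normal volume, but the wrong process
    Transfer("ws05", "powershell", "cloud", "corp-backups", "corp-backup-client/3.2", 800_000),
    # benign: the backup agent doing its job
    Transfer("ws06", "backup-agent", "cloud", "corp-backups", "corp-backup-client/3.2", 850_000),
]


def run(samples=SAMPLES) -> dict:
    """Map each sample host to the tier that caught it."""
    return {t.host: classify(t) for t in samples}


if __name__ == "__main__":
    for host, verdict in run().items():
        print(f"{host}: {verdict}")
```

The point of the ordering is that each tier only earns its keep on what the tier below cannot see: ws05 carries no bad string and no unusual volume or destination, so only a defender who knows that corp-backups is written exclusively by backup-agent has anything to alert on.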
The influence energy can be determined by the skill required for each of these levels.
- Copy/paste a command - requires CLI knowledge, IE1
- Using a modified command - requires scripting/automation knowledge, IE2
- Target-specific command - requires scripting knowledge plus target information, IE3
The attack_capabilities.csv file was generated following these principles and will be updated over time as new techniques come out and energy levels change for different capabilities.
Take a look at the repo and reach out with any questions or feedback!