Full Report
We’re excited to be presenting our Hacking By Numbers Combat course again at Black Hat USA this year. SensePost’s resident German haxor dude Georg-Christian Pranschke will be presenting this year’s course. Combat fits in right at the top of our course offerings. No messing about, this really is the course where your sole aim is to pwn as much of the infrastructure and applications as possible. It is for the security professional looking to hone their skill-set, or to think like those in Unit 61398. There are a few assumptions though:
# Analysis Summary
This article describes an advanced, hands-on training course ("Hacking By Numbers Combat") focused heavily on offensive security techniques ("pwn as much of the infrastructure and applications as possible"). It emphasizes deep technical skill, an obsession with gaining root access, and working beyond what standard automated tooling can do.
Since the context *is* offensive training, the resulting security best practices focus on **Defensive posture improvement derived from understanding advanced attacker methodologies** and **Improving internal security team skillsets** to match expert threat actors.
***
# Best Practices: Advanced Threat Emulation and Defensive Skill Hardening
## Overview
These practices address the need for security professionals to emulate highly skilled, persistent attackers (akin to the Unit 61398 reference in the course description) by mastering offensive techniques across infrastructure and applications. The goal is to proactively identify and remediate deep-seated vulnerabilities that standard, automated tooling often misses.
## Key Recommendations
### Immediate Actions
1. **Assess Core Tool Efficacy:** Immediately test current penetration testing and vulnerability scanning tools (e.g., standard Metasploit modules) against critical assets to identify where they fail to gain an initial foothold or to progress past basic enumeration.
2. **Make Full Compromise the Objective:** For all internal security assessments, enforce a strict objective of achieving complete system compromise (root/administrator-level access), rather than stopping at lower-privilege findings.
3. **Review Incident Response Playbooks:** Examine current incident response (IR) documentation to ensure playbooks account for scenarios involving sophisticated pivoting, custom scripting, and lateral movement techniques not covered by commodity malware indicators.
### Short-term Improvements (1-3 months)
1. **Implement Adversary Simulation Exercises:** Begin conducting internal "Capture The Flag" style exercises utilizing real-world assessment scenarios (reverse engineering, crypto challenges, infrastructure exploits) to stress-test human analyst skills.
2. **Cross-Platform Exploit Proficiency:** Ensure security teams are proficient in exploiting target systems regardless of the underlying technology stack (Windows, Linux, network devices, or proprietary applications) without relying solely on automated frameworks.
3. **Establish Custom Tooling Benchmarks:** Encourage the development and adoption of security tooling written in languages such as Python or Perl (or others, depending on internal expertise), rather than relying exclusively on off-the-shelf Ruby-based tools (the article implies a preference against that specific ecosystem).
### Long-term Strategy (3+ months)
1. **Develop "Unit 61398" Mindset Training:** Integrate formalized threat modeling and red-teaming curricula focused on persistent, low-observable tactics, techniques, and procedures (TTPs) designed to evade automated defenses.
2. **Infrastructure Assessment Deep Dive:** Formalize processes for assessing specialized or less-recognized infrastructure components (which are often ignored by basic scans) where deep knowledge of internal architecture is required to achieve compromise.
3. **Continuous Learning Framework:** Establish a formal feedback loop where exploitation successes and failures from internal exercises are immediately documented, shared across the security team, and used to refine defensive monitoring rules.
## Implementation Guidance
### For Small Organizations
- Focus efforts on mastering one or two non-standard attack vectors (e.g., complex misconfigurations or flaws found through reverse engineering) relevant to your primary technology stack.
- Use open-source CTF platforms to simulate complex exploitation scenarios cheaply and build foundational offensive expertise.
### For Medium Organizations
- Dedicate specific personnel time (e.g., 10% of working hours) to skill enhancement focused solely on offensive techniques beyond standard scanning reports.
- Standardize on a common scripting language (e.g., Python) for security automation and custom exploit development to ensure knowledge sharing across analysts.
### For Large Enterprises
- Establish a dedicated internal Red Team function responsible for testing infrastructure and applications in a manner that mimics the "no messing about" intensity described in the course.
- Integrate security assessment findings directly into development sprints, ensuring that teams are not just patching known CVEs but building resilience against novel exploitation chains.
## Configuration Examples
*The source material does not provide specific technical configurations, as it focuses on offensive methodology rather than defensive configuration hardening.*

*Note: Advanced offensive techniques require context-specific targets (e.g., a specific application flaw or network topology). Defensive guidelines must therefore focus on anticipating these unknown exploits.*
## Compliance Alignment
While the source material does not mention specific standards, adopting the mindset of advanced threat emulation directly supports the capabilities outlined in:
- **NIST SP 800-53 (AT-2, CM-7):** Testing and validation of security controls against advanced threats.
- **ISO/IEC 27001 (A.12.1.2):** Ensuring operational procedures address potential unauthorized access mechanisms.
- **MITRE ATT&CK Framework:** Using the framework not just for detection rules, but as a knowledge base to structure adversarial simulation exercises (Red Teaming).
## Common Pitfalls to Avoid
- **Over-reliance on Automated Scanning:** Assuming that scanners can find every vulnerability, and neglecting the need for deep manual analysis and custom exploit development training.
- **Ignoring the "Hard Targets":** Focusing only on easily owned systems while ignoring complex infrastructure or niche applications where high-value data resides and sophisticated attackers focus.
- **Treating Skill Development as Optional:** Allowing security teams to become purely reactive or purely focused on compliance checklists without continuously honing the ability to "think like those in Unit 61398."
## Resources
- **Defanged Reference:** Frameworks for structuring advanced adversarial emulation exercises (e.g., frameworks emphasizing kill chains and TTP replication).
- **Defanged Reference:** Documentation on reverse engineering paradigms and cryptographic analysis techniques needed for tackling complex puzzles.
- **Defanged Reference:** Documentation on advanced Linux/Unix command-line efficiency and scripting for shell mastery.