Unit 5: Offensive Countermeasures

This unit develops the skills and knowledge required to build a cyber security team capable of disrupting cyber-attacks through the creation, planning and execution of offensive countermeasures programmes.

It applies to individuals, employed or contractors who are working in positions of authority and are approved to implement change within a department or across the organisation. They will have responsibility for directly supervising others.

No occupational licensing, certification or specific legislative requirements apply to this unit at the time of publication.

1.1 Establish countermeasures programme goals through consultation with senior management or client

1.2 Conduct analysis to determine capabilities required to achieve programme goals

1.3 Establish adversary simulation goals and human, technological, equipment and time resource requirements to execute adversary simulations

1.4 Establish offensive countermeasures thresholds and “guard rails” to prevent escalation of violence with adversaries

1.5 Establish a communication and approval process with senior management or the client

1.6 Establish communication procedures when communicating and negotiating with the adversaries

1.7 Develop offensive countermeasures policies, procedures, methodologies, operational security standard and supporting documents

1.8 Define and communicate roles and responsibilities to team establish clear accountabilities

1.9 Consult with senior management or client and obtain approval to proceed with the business case

2.1 Assess potential risks of the offensive countermeasures mission and establish the potential impact on business if action taken and recommend mitigation strategies

2.2 Draft a countermeasures mission plan and obtain senior management or client approval to execute

2.3 Allocate tasks to team members and monitor completion of development of hacking and intelligence tools identified within the plan

2.4 Lead testing of hacking and intelligence tools against operational security requirements

2.5 Review test outcomes and make adjustments to ensure operational security requirements are met

3.1 Lead execution of countermeasures mission plan ensuring adherence to communication and approval process at all stages

3.2 Conduct ongoing reviews, adjust the plan as required

3.3 Ensure security of information sensitive and confidential information

3.4 Maintaining reports and logs according to established procedures

3.5 Update with senior management and key stakeholders regarding the status of current offensive security missions, their effectiveness, and their risks

Evidence of the ability to complete tasks outlined in elements and performance criteria of this unit in the context of the job role, and:

• Effective use of verbal and nonverbal communication to extract information from range of people and clearly communicate with senior management, clients, stakeholders and team members
• Language skills to translate technical findings to be understood by business and lay persons
• Run a minimum of two countermeasure missions
• Demonstrate ability to avoid detection and attribution

The learner must be able to demonstrate essential knowledge required to effectively do the task outlined in elements and performance criteria of this unit, manage the task and manage contingencies in the context of the work role. This includes knowledge of:

• Legal and ethical boundaries
• Operational Security techniques:
  • Obfuscation of computer executables
  • USB and cloud based operating systems
  • Finance anti-tracing
  • Encryption
  • Anti-computer logs
  • Network connection tunnelling:
    • Proxies
    • SSH tunnels
    • Shodan
    • Chaining cloud providers
    • Chaining social media accounts
    • Virtual private network
    • TOR
• Rules of Operation
  • The two-man rule
  • Encryption-everywhere rule
  • No-logs-anywhere rule
  • Attack-from-many-countries rule
  • Make-it-look-like-someone-else-did-it rule
• Malware Development Concepts and Techniques
  • Basic malware writing using:
    • Autoit
    • Batch files
    • Self-extracting RAR files
    • Visual basic
    • Powershell
    • Bash
    • PHP
    • Golang
  • Advanced malware writing concepts:
    • Command and control infrastructure
    • Writing and deploying extension modules over the Internet in real time
    • Encrypting network communications and data at rest
    • Exfiltration techniques:
      • ICMP tunnelling
      • DNS tunnelling
      • HTTP/S tunnelling
      • Using online services
• Anti-Reverse-Engineering:
  • Packing and obfuscation
  • Removing metadata
  • Placing decoy data
• Counter-Attacking:
  • Establish adversary’s infrastructure and capabilities
  • Discover vulnerabilities and penetration into adversary’s systems
  • Disrupt or deceive adversary
  • Destroy adversary's IT systems
• Espionage:
  • Capturing keystrokes
  • Capturing webcam feeds
  • Monitoring file system changes
  • Recording the microphone
  • Turning key members of the adversary group into informants
• Disruption:
  • Reverse engineering the adversary’s tools and publishing their source code
  • Publishing the adversary’s zero-days
  • Publishing the adversary’s identities
  • Publishing the adversary’s techniques, tactics and procedures
  • Installing backdoors into the adversary’s tools
  • Turning key members within the adversary group against themselves
  • Sending a cease and desist letter to the adversary
• Deception:
  • Uploading misleading files onto adversary’s computers
  • Anticipating adversary’s goals and making them fall into traps
• Negotiation:
  • Contacting the adversaries
  • Building a communication channel
  • Starting a negotiation
  • Reaching an agreement
  • Enforcing the agreement

Assessment may be in the form of:

• work samples
• written assignments
• theoretical examination
• observation

Both practical skills and knowledge must be assessed.

Assessor requirements

No specialist vocational competency requirements for Assessors apply to this unit.