To start, we really need to discuss the mentality of the various attacking parties. The old reference from the Ghost in the Shell series is a personal favorite of mine: "a basic rule of thumb about hackers is that we live to peek at things that others have hidden, it's our nature." I note this reference because today we see many posts and references about politically driven cyber attackers, motivated hackers, APTs, or blah blah blah. While there are artists who use hacking as their method of expression, and there are those who simply want to learn, the ones people care about most are the ones that impact the dollar. So the motivations of those people care the most about are usually business related. Go figure. You make it your business to go in every day, collect everything from coins to secret documents, and spy on your enemies because the boss man said to. Then you go home, do what you do, and come back to do it again. But what about those who really just like to pry? A paid spy will sit around only as long as it may prove beneficial to the goals, and even then they will dump everything when they're done. Someone who enjoys it, however, will dig through everything they can, because they enjoy it. In many ways, these are your stereotypical 90s hackers. You know, nerds who probably got picked on in school, not really popular but just popular enough to keep from being the outcast, etc. The reason these make such good candidates for this is largely the nature of bullying in society. I'll give an example. Let's have a kid named Timmy. Timmy goes to school and enjoys it but doesn't make friends very easily. After a couple of years of school, Timmy notices that people are trying to pick on him more and more. When Timmy brings this up to the people in charge, he's shown that the people in charge do not care. That's step one: breaking down the illusion of authority.
Timmy then proceeds to get picked on and aggravated by siblings, and the parents simply consider it kids being kids. This is step two: breaking down the illusion of close relationships. Once he has these two ideas shattered, most probably between the ages of 7 and 13, is the best time to introduce ideas such as hiding information or un-hiding information. In many ways, we see this play out in cartoons and comic books. Back at school, his grades slip because he sees the institution as an obstacle to personal growth. With access to criminalized information such as the Anarchist Cookbook, weapons training, or biochemical engineering, Timmy sees an escape window in finding information regardless of boundaries. Timmy is now ready to begin his journey as a spy.
For those with a psych degree, this is also often the way sociopathy is found in the wild. Sort of irrelevant to the topic, though. So now that we have some understanding, and I've made this into a storyline for entertainment purposes, let's move forward with the assertion that stories help people who would otherwise not care feel part of something and keep reading. People often argue over whether data can have ownership. There are laws against knowing certain things: having ready access to another person's social security number is a crime in America, yet knowing that it is just an organized set of numbers is okay. You can study the pattern of a social and recognize it by that, but you cannot recognize it by its being recorded as a social. Call it "factor x" instead of a social security number and you're reasonably safe, unless you associate it with other factors, which makes it a doxing case. Knowing the law seems useless to most who don't commit crimes; knowing how to skirt the law is how you make lawyers, mobsters, and the guys you generally want helping you. Just in case. Timmy has the option to be all three. But regardless, he needs to spend his time learning, does he not? Well then, let's say he spends a few years, maybe until he's 14, learning what he can and using whatever techniques he can to get through it. There is little doubt, with the current usage of the internet, that Timmy will hit on piracy, hacking, or otherwise accessing data illegally. He's okay with it. He meets some people in an online game he's playing and decides to take their advice and start breaking into stuff. After just a short while, he's gone through all sorts of tools, techniques, and skills otherwise expected of professional pentesters. This gives him a means of socializing after everything else broke down. This is now his life, and he starts showing off his skills to gain more social relevance.
He's quickly shut up in some groups because he went too far and didn't say the right things. He was put in his place. However, as with most people, this encouraged him to get better and prove his points. After some back and forth with this, he created his own hacker group with a couple of gamer friends. We'll call his group level7.
At first, level7 started out with everyone joining together to break into a few websites and inject code on some blogs here and there, but it soon became not enough for Timmy. He felt like having more access. So he quickly found a tutorial on how to make malicious bots, trojans, and scripts. Since RATs are the most common today, let's dive into how he sets up his RAT. He starts by seeing lots of coding projects that seem really advanced or really well planned. He didn't have time for all that; he just wanted to explore, after all. So now he's stuck facing code chunks from several different programs. He smashes together what he likes and abandons everything he doesn't. He now has yet another Zbot clone. Surprise, surprise. He learns quickly which ones do and do not get flagged by antivirus products and happens to realize that his school is using one of the antivirus products that doesn't flag this particular method immediately. Still, he's too concerned, so he researches how to hide malware from being detected. This immediately turns up crypters, outdated binding techniques, and process injection techniques. Now, he doesn't have a lot of coding experience, but he also feels he doesn't need it. The code is out there if he wants it; he'll just smash it together and see what happens, and if it fails he'll try another until he gets it. A master of the learning process we all go through for everything we do. What Timmy finds out from it all is that he can use another process to load his process so it never appears as its own. He also finds, since this is modern-day Timmy, that he can load this stuff from a webpage. So he gets a loader, he gets his Zbot panel, he breaks into a site and drops the Zbot malware, then sends the loader to his targets. He had read recently about setting up port forwarding and using free VPNs to help control traffic without showing who he is, so no need to worry, he's safe.
Now, mind you, his level7 group still expects him to keep up with breaking into more websites as part of what they do together. He doesn't want to miss socializing with them. So he begins work on automating his tasks so he can goof off while still getting results. He knows not to make it go too fast or it will look like he wasn't doing anything. So he sets up his scripts to hit a few websites a week.
Now we're getting to the good stuff. A few more years go by and he's developed quite the knack for ratting and botting systems. But he wants to start diving into better architecture schemes for his botnets. As a 17-year-old, almost out of high school, he's left to wonder: well, what else have other people done? He digs through all sorts of documents, from Tor and I2P services up through using public images to transfer data between infected systems and a controller. He also looks at enterprise solutions and tries to identify the tricks they use. But with all that time studying how people act and how people react, he learns a few key notions. Like: people ignore what they find common, and random callback times that can last days or weeks or even months help prevent destruction of the malware before data is provided. He also learned about the cost of cloud computing around this time, especially on pay-by-the-hour plans or container-based computing. This opens up whole new worlds, because he can sell pirated software and music for money, or he can just go work at a local convenience store for the money. It doesn't matter; he needs just enough to get a couple of systems once in a while for a few hours. So, to put it bluntly, he has the understanding of long-term study and short-term infection/update/exposure. This is easily achieved in modern attacking structures thanks to the availability of cloud platforms for the rapid infection and to generation and injection techniques for the long-term study. But still something is missing. He needs a way to dive back in years later, if needed, to catch up on what's what. Especially to feed his eagerness to learn. Hard to learn if you just sit back all the time and don't get messy. At the same time, his friends over in level7 stopped wanting to be a part of it. He got upset with them and threatened to dox them. He's an uppity teen, what did you expect?
So, to react to his actions, his team said they won't bother doxing him; they'll crash every end of his botnets and won't stop until every tie is broken.
We come now to a critical part of the story, because to protect his own architecture and shut down any they make, as well as protecting against the people he hacks finding out, he really needs to step up his game. He can't stick to childish shit like web hacks forever. Taking a deep dive into obscurity, there are a few things to know about being in an attack-attack scenario. First off, security professionals for some reason appear scared of the term hack-back. Hack-back architectures are designed for this exact scenario, not your corporate bullshit. As an acting party, you have the ability to attack anyone who dares try to stop you. Now, normally this scenario only means silly things like escaping a Docker instance and hanging out talking with Russians via wall, or logging into the same Windows server as 30 other people. You are likely to be attacked because of the notice that you've entered the game. In a more realistic setting, what you need for your daily operations on this cloud structure is: a means of firewalling, log analysis, pcap/packet replay, spinning services up and down, anti-forensics for when you're done with each remotely launched script or container... or both (bail script?), a script to compile or reconfigure malware, a script to launch malware, and a script to launch additional attacks. Luckily you can do most of those with any scripting language (Perl, Python, PHP, Ruby, etc.), and these are supported by most cloud services. But that only gets you the technical side. You also need strong opsec. Wasting custom-made malware is tiresome, so you launch ones that are well known to ensure infections first, then upgrade those later to your custom malware when needed. Need a domain under your control? Don't worry, people don't shut down domains even if they're involved with malware, as long as they don't resolve to something identifiably malicious.
Such as a domain that's simply set to 0.0.0.0 until someone decides to use it (rather than zeroed because the no-ip site decided it was abusive), or domains you hijacked from someone else whose resolution you can change whenever you want. These techniques help you hide your resources for domain usage. You can also hide your resources for IP usage by frequently changing IPs on a domain you are actively using. Just accepting the risk of 20 successful callbacks out of 20,000 is a hard task, but when you do it, it becomes a lot easier. It's also safer to stick with your 20 and use them the best you can first. Then bail on each of them you can't use for a long period of time.
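The two hiding tricks just described (a domain held at 0.0.0.0 until it is needed, and IPs rotated quickly behind an actively used domain) leave a recognizable trace in passive DNS history, which is what a defender would hunt for. As an added example, not code from the original post, here is a small Python checker over constructed resolution records; the domain names, addresses and thresholds are made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PARKED = "0.0.0.0"
# Constructed passive-DNS style records (timestamp, domain, IP); made-up
# sample values, not observations from the original post.
SAMPLE_RECORDS = [
    ("2019-03-01T00:00:00", "cdn-update.example", PARKED),
    ("2019-06-01T00:00:00", "cdn-update.example", PARKED),
    ("2019-07-15T09:30:00", "cdn-update.example", "203.0.113.7"),
    ("2019-07-15T12:00:00", "img-cache.example", "198.51.100.20"),
    ("2019-07-15T14:00:00", "img-cache.example", "198.51.100.21"),
    ("2019-07-15T16:00:00", "img-cache.example", "198.51.100.22"),
    ("2019-07-15T18:00:00", "img-cache.example", "198.51.100.23"),
    ("2019-07-14T00:00:00", "corp-portal.example", "192.0.2.10"),
]

def timelines(records):
    """Group records by domain into time-ordered (datetime, ip) lists."""
    by_domain = defaultdict(list)
    for ts, domain, ip in sorted(records):  # ISO timestamps sort lexically
        by_domain[domain].append((datetime.fromisoformat(ts), ip))
    return by_domain

def parked_then_activated(events, min_parked_days=30):
    """On 0.0.0.0 for >= min_parked_days, then a routable address: the
    'zeroed until someone decides to use it' pattern."""
    parked_since = None
    for ts, ip in events:
        if ip == PARKED:
            parked_since = parked_since or ts
        elif parked_since is not None:
            return ts - parked_since >= timedelta(days=min_parked_days)
    return False

def ip_churn(events, window=timedelta(days=1), max_ips=3):
    """More than max_ips distinct IPs inside any window: rapid rotation."""
    for i, (start, _) in enumerate(events):
        seen = {ip for ts, ip in events[i:] if ts - start <= window}
        if len(seen) > max_ips:
            return True
    return False

CHECKS = (("parked-then-activated", parked_then_activated), ("ip-churn", ip_churn))

def flag_domains(records):
    """Map each domain to the patterns it matches (empty list if none)."""
    return {domain: [name for name, check in CHECKS if check(events)]
            for domain, events in timelines(records).items()}
```

On the sample data the parked domain and the rotating one are each flagged for exactly one pattern, while the stable corporate name comes back with no findings.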
You may have noticed I went away from the story to just tell you information. That's because all you have left to know is why it's all important. A single individual can play these large-scale numbers games that other people are still attributing to APT groups. A single individual can clone the samples and internal techniques of some of the malicious acting parties (such as APTs) to mask their own intentions. They can even go as far as to say that a 30-second Docker instance can infect 20,000 hosts, of which you can accept getting a smaller amount and moving along. On top of this, we can look at domains that have been zeroed out by an admin or by registration timeout, and take over domains other people left behind. What's that, njRAT from 2013? Let me start my njRAT panel... aaaaand now you have the people someone wanted to impact before you took their domain, granting you access into another person's botnet structure, again able to mask your own. Again talking to Russians because lol.
The key to living this life is, by all reasons, applying the lessons of The Art of War. But that's the problem everyone misses these days. Hacking, in any respect, is leveraging what you have to make something else. So the art form, regardless of subpart, is the leveraging. Techniques and tools come later.