I have written previously about how you could quantify ranks of ‘stealth ability’. You may find that post here: https://blog.benpri.me/blog/2022/01/07/ranking-stealth-ability/. In this last post I discussed primarily ‘physical’ stealth. Most specifically, the ranks I wrote were written with ‘in-nin’ or night/shadow stealth in mind. This post will be a follow up to apply the rankings I created to a hacker’s stealth ability.
Remaining stealthy is a necessary skill if one wants to hack successfully. Now I primarily write this blog post with legal and ethical hacking operations in mind. If you’re reading this I kindly ask that you please consider carefully using any skills you learn through this blog for constructive and ethical purposes. Let’s get started.
The Cyber-Objective Framework
When I wrote before I described ‘The Objective Framework’. This was a way to attempt to be as objective as possible about the stealth ability of a person. It’s hard to be objective about stealth. When we’re looking at avoiding detection, we’re talking about something inherently subjective. You are hoping to remain out of the subjective view of those you’re intending to avoid. So putting objective metrics to this is incredibly helpful. Being as ‘objective’ as we can helps us make sense of the stealth skill someone has.
For the previous objective framework we described the following ranks:
- Recon – S1
- Escape & Evasion – S2
- Maneuver – S3
- Close Contact – S4
- Ghost – S5
If you want to know more about what each of these ranks mean, please check out the original post here. For the Cyber Objective Framework, we will use the following ranks instead:
- Recon – C1
- Counter Tracking – C2
- Perimeter Attack – C3
- Core Contact – C4
- Ghost – C5
These ranks closely mirror the night stealth ranks above. But refer to specific skills areas crucial to the skill of a cyber-stealth operator.
If you are able to perform recon (to include any passive or active scanning) on a target network – while avoiding detection – then consider yourself having hit this rank. Remember, there are sub-ranks for every rank. You might be able to do recon on a friend’s target network with ease, but find during a real exercise against active defenders that you struggle to remain hidden. This doesn’t mean you don’t have ‘recon – C1’ stealth. You do in fact. This just means that you have the skill only in the context of friendly competition. You may still be working on hitting a professional grade with it.
Simply put, this skill is the ability to avoid detection while under active tracking by an adversary. This might come from attempts to perform recon on a target. Knowing how to avoid things like word – web – bugs are crucial. If you are able to avoid being tracked and discovered during recon or early exploitation activities then consider yourself ‘Counter Tracking – C2’ skilled.
The next rank is for those who are able to remain undetected while performing exploitation on the perimeter of a target network, organization, or group. Remaining undetected in this phase means that you didn’t simply send phishing emails to everyone at the company. This means that you were able to find pathways to gain access through the perimeter all without raising the alarm. This is a critical skill for working up to the next level, and completing a hack successfully.
This is where most talented hackers who haven’t trained to be extra stealthy are going to start getting discovered. Core Contact – C4 rank stealth is the ability to exploit, pivot, and access sensitive resources (and exfiltrate them) without raising any alarm. This usually involves things like custom malware, advanced zero day exploits, or a lot of luck. You should however be consistently able to complete an entire hack without being detected before you may consider yourself C4.
Beyond completing the hack, does the target ever know at all? Are you able to remain active in the target network for years at a time? Does your malware clean itself up after you delete it? Do you leave a trace behind? If you leave a footprint, you’re not yet C5. But if there is no sign of your passing through a network – you are a Ghost.
What rank do you think you are? Remember that each rank is arguably able to be defined by sub-ranks as well. You might be a ghost when hacking with your friends, but only barely at C1 when in a professional setting (as an example). If that’s the case, that’s just fine! Consider yourself C5 for friendly settings and a C1 professional. Then get working on upgrading that professional ranking. As always if you have any feedback you can message me on Twitter @zaeyx.