Knowing Your Adversary
Being able to understand your adversary in all facets is imperative to achieving your mission. For the purpose of this post, 'adversary' is interchangeable with 'target'.
The most important thing you can do when you are assessing your situation is to just stop and observe the atmospherics around you. By atmospherics, I mean the literal environment, the people, how they act and react as they interplay with one another, and the observable results of those interactions. You can apply this concept to digital environments as well as physical; the concept is full spectrum.
The more you slip into observation mode, the less you are interacting with the environment around you. Think of the environment as a pond: the more you move, the more ripples you create. By creating ripples you are causing reactions, subsequent actions, and thus further reactions. You don't want to be creating this movement, as you will be identifying yourself to the adversary through your own actions and reactions and through those of the entities and environment around you. When you are assessing your adversary, know that this could influence the field of play negatively.
Being able to understand how your adversary interacts with the environment, and how it and other entities react to that interaction, is vital. Try to approach the problem set with a systems-style framework like I've mentioned previously. Everything is a system of systems. There must be a reason why something is the way it is; behind a system there is a human or humans who created the processes by which it operates. Processes are created to perform an action, whether that is to solve a problem or to create a new one; they have a set high-level goal.
Additionally, when attempting to understand your adversary, you may want to understand their reactionary timing and the strategies they employ when reacting to a potential threat action from an outside force. By testing these boundaries, you can start to enumerate the layers of their own awareness and defensive posture.
From a physical standpoint, suppose you observe an entity approaching a secure door when they shouldn't be, and you notice a physical guard presence thwart entry to the secure space. Timing how long the response took, counting the responding force, and noting how they responded - before, during, and after target interdiction - will all be beneficial to know. Do they radio the all clear, do they remain in the area in case there are additional threats, or do they depart after the event is over?
From a digital perspective, if you are performing active reconnaissance on the perimeter of your target, are they banning IP addresses (I hope you're using burner IPs for this type of activity)? Does the firewall seem overly permissive (it could be a trap)? Are ports filtered? What type of server banners are returned if you do a simple curl / GET request?
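The reactionary timing the post describes - how long the perimeter takes to notice probing and ban the source - is exactly the metric a defender should be measuring on their own perimeter, because it is what an adversary testing those boundaries will observe. The following is an added example, not code from the original post. It parses constructed, syslog-style firewall lines in a hypothetical format (the `SYN`/`BLOCK` events, the `src=`/`dport=`/`reason=` fields and the sample addresses are all made up for this example) and reports, per source address, how many distinct ports were probed, how many seconds passed between the first probe and the block, how many seconds passed between the point at which a scan threshold was crossed and the block, and whether probes kept arriving after the block fired.

```python
"""Measure the perimeter's own reaction timing from firewall log lines.

Added example, not from the original post. The log format is a
hypothetical syslog-style format constructed for this example; adapt
LINE_RE to your own firewall's output.
"""
import re
from datetime import datetime, timezone

# Constructed sample log lines (not real traffic). One source probes six
# ports and is blocked after the fifth; another touches a single port.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw SYN src=203.0.113.5 dst=198.51.100.10 dport=22
2024-05-01T10:00:02Z fw SYN src=203.0.113.5 dst=198.51.100.10 dport=80
2024-05-01T10:00:03Z fw SYN src=203.0.113.5 dst=198.51.100.10 dport=443
2024-05-01T10:00:04Z fw SYN src=203.0.113.5 dst=198.51.100.10 dport=8080
2024-05-01T10:00:05Z fw SYN src=203.0.113.5 dst=198.51.100.10 dport=3389
2024-05-01T10:00:31Z fw BLOCK src=203.0.113.5 reason=portscan
2024-05-01T10:00:40Z fw SYN src=203.0.113.5 dst=198.51.100.10 dport=25
2024-05-01T10:01:00Z fw SYN src=198.51.100.77 dst=198.51.100.10 dport=443
"""

# Hypothetical line format: "<ts> fw <SYN|BLOCK> src=<ip> [dst=<ip> dport=<n>] [reason=<word>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<event>SYN|BLOCK) src=(?P<src>\S+)"
    r"(?: dst=(?P<dst>\S+) dport=(?P<dport>\d+))?(?: reason=(?P<reason>\S+))?$"
)


def parse_ts(ts: str) -> datetime:
    """Parse the UTC timestamp used by the constructed format."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reaction_report(log_text: str, scan_threshold: int = 5) -> dict:
    """Return, per source address, how the perimeter reacted to its probes.

    scan_threshold is the number of distinct ports after which we consider
    the activity a scan; the report measures the delay from that moment
    to the block as well as from the very first probe.
    """
    state = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not match the constructed format are ignored
        ts = parse_ts(m["ts"])
        s = state.setdefault(m["src"], {
            "ports": set(), "first_probe": None, "threshold_at": None,
            "blocked_at": None, "probes_after_block": 0,
        })
        if m["event"] == "SYN":
            if s["first_probe"] is None:
                s["first_probe"] = ts
            if s["blocked_at"] is not None:
                # The source is still probing after the block fired.
                s["probes_after_block"] += 1
            s["ports"].add(int(m["dport"]))
            if s["threshold_at"] is None and len(s["ports"]) >= scan_threshold:
                s["threshold_at"] = ts
        elif m["event"] == "BLOCK" and s["blocked_at"] is None:
            s["blocked_at"] = ts

    report = {}
    for src, s in state.items():
        blocked = s["blocked_at"] is not None
        report[src] = {
            "distinct_ports": len(s["ports"]),
            "blocked": blocked,
            "seconds_to_block": (
                int((s["blocked_at"] - s["first_probe"]).total_seconds())
                if blocked and s["first_probe"] is not None else None
            ),
            "seconds_from_threshold": (
                int((s["blocked_at"] - s["threshold_at"]).total_seconds())
                if blocked and s["threshold_at"] is not None else None
            ),
            "probes_after_block": s["probes_after_block"],
        }
    return report


if __name__ == "__main__":
    for src, r in reaction_report(SAMPLE_LOG).items():
        print(src, r)
```

Run against real logs, the interesting numbers are `seconds_to_block` and `seconds_from_threshold`: the first is the window an adversary gets for free, the second is how slow the automated reaction is once the evidence is already there. A non-zero `probes_after_block` for a source tells you the block is being logged rather than silently dropped, or that the source has not yet noticed it.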
Remember the ABC’s - Always Be Collecting.
Once you've obtained enough information to start profiling your adversary, you should start organizing the data you collected into structured statements and assumptions about the entity.
A few example questions to ask yourself:
What does the data say about your adversary?
What does it say about the environment, and how your adversary interacts with it? With yourself?
What does it not say? (What’s missing?)
Do you need to collect more information?
What assumptions can you make based on the data?
What assumptions are safe?
What assumptions are not safe, and what can you collect to increase the probability that those assumptions are correct?
If you can attribute your adversary, then knowing the tools, tactics, and procedures they have historically used lets you enter the analytical process of understanding the motivation that drives them to operate against you and the mindset they carry with them to further their purposes. This is similar to studying counterterrorism: terrorists operate on the concept of acting based on a grievance. If you can understand what that grievance is, why it was formed, and why they are operating in the way they are, this will help you understand the possibilities around either ending that grievance for the group or counteracting the messaging around it.
Understanding why the farmer puts his vegetables out for sale in the late morning, you'll know that he harvests in the early morning. Knowing this, you can make a safe assumption that if the farmer works their own land, they most likely go to sleep early. This identifies loose hours of operation. If the farmer is your adversary and your goal is to steal farm equipment out of his barn, you may want to target the barn on the side opposite the field they are working, or target their rest hours to perform this acquisition; or even target the farmer's equipment while they are selling their goods at their vegetable stand in the late morning and are not at the farm. A simplistic example, but it's generally an easy one to relate to the concepts above.