Obfuscate operational infrastructure

Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. [1]

ID: T1318

Tactic: Adversary Opsec

Version: 1.0

Detection

Detectable by Common Defenses (Yes/No/Partial): Yes

Explanation: While possible to detect given a significant sample size, depending on how the unique identifier is used detection may be difficult as similar patterns may be employed elsewhere (e.g., content hosting providers, account reset URLs).

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: An adversary can easily generate pseudo-random identifiers to associate with a specific target, include the indicator as part of a URL and then identify which target was successful.

References

  1. Joe Stewart and Don Jackson, Dell SecureWorks Counter Threat Unit(TM) Threat Intelligence. (2013, July 31). Secrets of the Comfoo Masters. Retrieved March 6, 2017.