Jiu Jitsu vs InfoSec: Setups & Stagers
This is a continuation of my series comparing Jiu Jitsu with CyberSecurity. You can start from the beginning here.
Having trained jiu jitsu for a number of years now, I recently marveled: “I’m at the unhooking EDR stage now.” As a white belt, I assumed the path to jiu jitsu was just learning a large collection of positions and techniques, and that I’d be learning new techniques all the way to Black Belt. But over time, I find it’s about revisiting over and over again many of the same positions and techniques I was exposed to as a White Belt, adding subtlety and nuance to them. Adjusting grips, changing pressure by adjusting angles, recognizing potential danger from my opponent, etc. Eventually as you progress in jiu jitsu, there comes a time when you start to chain together techniques. Maybe this is conscious effort at first, but if so, it won’t be fast and windows of opportunities will be missed. Eventually, some of these sequences become muscle memory. One early example for me was grouping the Americana, straight arm lock, and Kimura from mount — whichever finish I used wasn’t up to me, it was up to my training partner and his choice of the angle of his elbow.
Eventually, some of these A-B-C sequences can be setup on purpose. The best jiu jitsu players will “bait” the setup, e.g. maybe when in the bottom of mount, they’ll dangle an arm out for the top opponent to go for the Americana and time their movements with an elbow escape back to guard. They’ll risk something to get a big reward. The bigger the risk, the bigger the reward (if executed perfectly!). Or maybe they’ll feint a first move to get the desired reaction, such as pushing when you want to pull, or pulling when you want a push. The first direction causes the opponent to counter-react, which creates the desired opportunity to execute the “payload” of the desired technique. Just going for the technique won’t work — a good opponent will see it a long way off, but setting it up may allow a technique learned as a White Belt to work with aplomb.
In Cybersecurity, all of this reminds me of “staging” in malware. Achieving C2 (command and control malware, in which an adversary has unauthorized remote access to a victim computer) is only as good as the setups used to get C2 malware to execute. Sophisticated malware often uses 1 or 2 (or more) stages before the final malicious payloads are deployed, to evade detection. The final stage C2 itself is actually the easiest component of the malware to develop, but the problem is the general sophistication of detection controls on the endpoint identifying malicious behaviors quickly, so the prior stages are critical.
Stagers may need to be used to identify that your malware is in a sandbox (a fake virtual assessment environment, not an actual target) so that they don’t launch the next stage which is obviously more malicious, which the sandbox may interpret the stager as “safe” to carry on to the actual victim computer. Or the stager may need to do some complex initial steps to get the final stage malware to execute, such as unhooking EDR (basically removing endpoint security control’s ability to see what the malware is doing) or manipulating memory to drop the final stage into another “legitimate” process’s memory to hide what it’s doing. These are all the setups. The actual C2 is the White Belt technique that can’t work without them.
The challenge a cybersecurity defender has is to have detections ready for variety of setups. In MITRE ATT&CK terms, this is ultimately why it’s such a challenge to have complete “coverage” for all of the techniques in the chart — certain “setups” can undermine the detections. This is also why MITRE ATT&CK is a mile deep — there are a myriad of permutations of techniques, because of subtleties to setups. The defender has to ensure detections exist for the most common ones, which is often informed by Threat Intelligence.
Study more setups!
