Visit our GitHub Repo: https://github.com/darkquasar/AIMOD2
What is Adversarial Interception Mission Oriented Discovery and Disruption? #
Adversarial Interception Mission Oriented Discovery and Disruption Framework, or AIMOD2, is a structured threat hunting approach to proactively identify, engage and prevent cyber threats denying or mitigating potential damage to the organization. The core concepts that structure AIMOD2 are:
The framework has cyber conflict at the center of its constitution, as such, it strives to think of and model cyber threats from both the point of view of the attacker and the defender. The ability to model attack paths (as described by frameworks like MITRE Attack Flow) and incorporate adversarial tradecraft into the conceptualization of threat hunt missions helps hunters stay focused on contextually relevant objectives. The adversarial aspect of the framework is enhanced when adding a threat simulation or purple team approach to the missions.
Mission Oriented #
Everything in AIMOD2 is a mission. A Threat Hunt Missions is a semantic and operational unit of work that structures threat hunting efforts around a topic, theme, threat actor, etc.
The goal of disruption is to break the patterns that the adversary has memorized, either through purposeful training or repetition arising from environmental constraints. Disruption is the act of employing manoeuvres to destabilize the opponent to a degree that dismembers their formation leading to imminent defeat. In cyber operations, disruption takes place when the adversary’s capabilities are so impaired that they are forced into a zone of confusion which imposes a high cost of operations whilst attempting to get back into balance. This state of confusion opens a window of opportunity to achieve defensive mission objectives.
Interception refers to a type of interference in the trajectory or course of action of an agent or an object. It assumes that there are patterns that threat actors employ, since no one is exempt from them, which end up becoming tendencies that shape a specific course of action. As such, interception aims to stop or interfere with the progress of that chain of events. This can be done in various contexts, such as intercepting an encrypted message being transmitted by a C2, or intercepting a phishing campaign on the build in order to frustrate its success.
The continuous synthesis of information into different layers of abstraction to help develop contextual awareness and insight. The discovery domain is characterized by the simultaneous scouting of known and unchartered territory. Discovery activities involve data analytics.
AIMOD2 draws from the approaches described in “The Threat Hunting Shift Part 3: Adversarial Framework for Tactical Cyber Defense Operations”