Advanced DCO Techniques - A Different Way to Hunt

Defensive Cyber Operations (DCO) have become increasingly focused on the “Hunt Methodology”: a process geared towards locating an adversary already present in a network, as opposed to improving that network’s defensive posture. The 1CYBN began to develop the idea of “Advanced DCO Techniques” as a way to focus on securing the networks we visit, improving the capabilities of local defenders, and imposing cost on our adversaries. Cyber Protection Teams (CPTs) implement Advanced DCO Techniques during the SECURE or DEFEND phase of their operations, redesigning existing solutions or generating new use cases based on the unique characteristics of their environment.

These solutions fall into two broad categories, Detective and Protective, that share the same core principle: engineer the environment so that the adversary reveals themselves by expending resources on assets with little or no value. Detective techniques are similar to military deception operations: they do not force an adversary to do anything, but they present attractive targets on which defenders can focus their observation and analysis capabilities. Protective techniques place high-value assets behind additional security mechanisms, further segmenting them from the more exploitable areas of the network. From the defender’s perspective, detective techniques can be relatively trivial to implement, while protective techniques require a much longer period of dedicated engineering and observation to configure effectively. From the adversary’s perspective, detective techniques can be avoided even when implemented well, whereas protective techniques cannot be avoided and will consistently affect their operations.

This presentation will illustrate the differences between the traditional Hunt Methodology and Advanced DCO Techniques. It will also present a use case that highlights the value of implementing Protective Techniques through a new technique called Restricted Access Domain Controllers (RADCs).
RADCs are a novel use case for Microsoft Read-Only Domain Controllers (RODCs) that, when combined with appropriate layer 2 and layer 3 network segmentation, provide a relatively immediate, no-cost security control as an alternative to Microsoft’s Enhanced Security Administrative Environment (ESAE).
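As an added illustration (not part of the original abstract, and not the 1CYBN’s RADC implementation), the following PowerShell audits the property that makes an RODC usable as a protective control: its Password Replication Policy (PRP) determines which accounts’ secrets the RODC may cache, so a compromised RODC exposes only those accounts rather than every credential in the domain. The RODC hostname and the list of privileged groups are assumptions for the example; the cmdlets are from the ActiveDirectory module and require RSAT on a domain-joined host with rights to read the RODC’s PRP.

```powershell
# Added example: audit the Password Replication Policy (PRP) of an RODC.
# Assumptions: the RODC is named RADC01 and high-value accounts are members of
# the built-in privileged groups listed below. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$Rodc = 'RADC01'   # assumed hostname
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')

# 0. Confirm the target really is read-only; a writable DC has no PRP to audit.
$Dc = Get-ADDomainController -Identity $Rodc
if (-not $Dc.IsReadOnly) {
    throw "$Rodc is a writable domain controller, not an RODC."
}

# 1. Which principals is the RODC allowed / denied to cache?
$Allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$Denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

# 2. Which secrets are actually cached on the RODC right now?
$Revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# 3. Flag any privileged account whose secret is cached: compromising the RODC
#    would then yield a domain-wide credential, defeating the segmentation.
$PrivilegedMembers = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user'
}
$PrivilegedSids = $PrivilegedMembers.SID.Value | Sort-Object -Unique

$Findings = $Revealed | Where-Object { $PrivilegedSids -contains $_.SID.Value }

"Allowed to cache on ${Rodc} ({0}):" -f @($Allowed).Count
$Allowed | Select-Object -ExpandProperty Name
"Denied on ${Rodc} ({0}):" -f @($Denied).Count
$Denied | Select-Object -ExpandProperty Name
"Secrets currently revealed to ${Rodc}: {0}" -f @($Revealed).Count

if ($Findings) {
    Write-Warning "Privileged account secrets are cached on ${Rodc}:"
    $Findings | Select-Object Name, SamAccountName, objectClass | Format-Table -AutoSize
} else {
    "No privileged account secrets are cached on ${Rodc}."
}
```

Run it from an administrative workstation in the protected segment; the useful result is an empty finding list together with an Allowed set that contains only the accounts that genuinely need to authenticate against the RODC, which is the whole point of placing a high-value asset behind it.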

1LT Thomas is a graduate of the United States Military Academy with a degree in Computer Science. He commissioned into the CY branch on May 27, 2017, completed CY BOLC on May 01, 2018, and served as a CND Manager and Analytic Support Officer on 201 CPT from May 2018 to June 2020. He has experience in SIEM development, with a focus on network sensing architecture and context-based enrichments and analytics, and Active Directory and Identity Protection security mechanisms. 1LT Thomas currently serves as the Operations Support Element OIC focused on detailed analytic development, algorithm design, and solutions engineering in direct support of the CPTs of the 1CYBN.