Conversation
> Like all SSVC decision points, [*Automatable*](#automatable) should capture the analyst's best understanding of plausible scenarios at the time of the analysis.
> An answer of *no* does not mean that it is absolutely inconceivable to automate exploitation in any scenario.
> It means the analyst is not able to sketch a plausible path through all four kill chain steps.
I am sure we address this elsewhere in the discussion, but what are the four Kill Chain steps as we are defining them? Others will vary. Or are we just counting the post-delivery stages of the LM Kill Chain?
> steps 1-4 of the kill chain [@hutchins2011intelligence] ... These
> steps are reconnaissance, weaponization, delivery, and exploitation.

Original definition, basically. First four (of 7) stages, so it is not post-delivery. Source:

```bibtex
@article{hutchins2011intelligence,
  title={Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains},
  author={Hutchins, Eric M and Cloppert, Michael J and Amin, Rohan M},
  journal={Leading Issues in Information Warfare \& Security Research},
  volume={1},
  pages={80},
  year={2011}
}
```
The last three stages, IIRC, are installation, command and control, and action on objectives.
Should we note that weaponization might not be strictly necessary as a positive act? I.e., "wormable" vuls turn weaponization into a development process that happens once and then exploitation of vulnerable systems is reliable from that point on. A worm seems to automate recon, delivery, and exploitation, but I'm not sure that automation of the weaponization step was necessary.
I may also be missing nuance in my understanding of how folks use the kill chain model.
If something happens once and then can be copied repeatedly without human intervention, I think that falls under the usual definition of automation. I don't know what "positive act" means there. It was done at some point during the exploit development process. Is that not an act somehow? If it can just be copied for each new target, then it's automated. Things like ASLR might interfere with automation here, but again, overcoming something like ASLR can be automated.
If you want to suggest additional text for Automation, can you open a new issue?
I think my confusion arises in that "weaponization" is a verb, but an exploit is an artifact. So automated exploitation can use the resulting artifact even if the production of the artifact (which I'm taking to be what "weaponization" means) itself was not automated.
The automation isn't necessarily doing anything to customize the exploit for the target, so it doesn't feel like weaponization is automated so much as it's just taken out of the process that needs to be automated. But yes, I acknowledge this concern is off-topic for this PR.
I approve this pull. Seems like, for the discussions in scope, I'm good.
ahouseholder left a comment
I had a few suggestions as inline comments in the changes. They're open for debate though so I'd be ok if they're given consideration and declined.
changes in a741837 look good to me

I think all my concerns in this one are addressed. If @cgyarbrough confirms his approval this one should be ok to merge.

I approve this pull.

squashed and merged.
fixes #27
Because 27 is its last part, closes #24