Imagine this: It’s 2 a.m. and hunched over a keyboard, heart pounding, sits a cyber network operator who has just deployed a purpose-built tool to collect intelligence on a foreign adversary’s very specific high-value target. If her mission succeeds, an imminent attack may be thwarted; failure carries potentially catastrophic consequences.
Now imagine you’re the one who built the tool… will it work?
This may sound like a scene from a Hollywood thriller, but it is the sort of work performed by cyber network operators, with tools developed by cyber engineers, such as those (like me) employed at Zetier.
Welcome to the high-stakes world of cyberspace operations—the domain where adrenaline junkies of the cybersecurity world thrive, and where many of the best hackers on the planet find a welcome home to make an impact. If you think cybersecurity careers are all about patching vulnerabilities, reading compliance checklists, and studying to pass the next certification exam, then prepare to be blown away! Offensive cyberspace operations (OCO) is where deep technical knowledge meets creative problem-solving in order to achieve national security objectives. In this world the stakes are measured in stealthy operational successes, not compliance audits and Splunk scans.
Despite the obvious allure of the field, however, there is still a culture among OCO practitioners of secrecy. OCO careers are plagued with obscurity, gatekeeping the work from many qualified, interested candidates. This blog post introduces OCO to anyone interested, especially talented engineers considering a career in this specialized field, and aims to demystify the domain and inspire the next generation of cyber professionals to protect national security at Zetier!
In this blog post, you’ll discover the essential building blocks of offensive cyberspace operations—from considerations for choosing technologies to target for OCO, to the steps required for fully compromising a target system in order to support mission objectives. By the end of it, you’ll have a very high level understanding of what sort of problems cyber engineers are trying to solve, and what it takes to enable effective OCO. Finally, we’ll discuss some of the requisite skills for becoming a cyber engineer.
Perhaps it should be mentioned here that the term CNO (computer network operations, which encompasses both offensive and defensive cyber operations) was in fashion recently before the more specific OCO term was introduced. We will use the latter term here. That which we call an OCO, by any other name, would smell as sweet.
Technology/Systems Selection
“If you work hard and creatively, you can have just about anything you want, but not everything you want. Maturity is the ability to reject good alternatives in order to pursue even better ones.”
Ray Dalio
Example Technologies
Computers are ubiquitous, powerful, and vulnerable so there are many options on the table when considering what to focus on for OCO. Some examples of interesting technologies include:
Enterprise servers: Computers hosting websites, internal business applications, cloud services and the like.
Planes, trains, and automobiles: Charlie Miller and Chris Valasek famously hacked a Jeep Cherokee taking complete control of the vehicle remotely as it cruised along a highway. Their talk, given at DEF CON 23, is a worthwhile watch available on YouTube.
Embedded systems: Those millions of special-purpose computers we embed in everything from refrigerators and doorbells to space heaters and video game consoles.
Mobile devices: The number of mobile subscriptions rivals the number of people on Earth. These powerful computers are trusted with a truly mind-boggling array of personal information. From banking information and sultry selfies to exact location and Google history, these absurd gadgets make for attractive targets indeed!
Military assets: Technology determines war outcomes. The most advanced militaries on Earth are considered advanced precisely due to their technological innovations, which in recent decades has largely been focused on innovation using computers. Military assets include satellite and communications systems, missile defense systems, and countless other technologies.
Constraints
Limited resources for conducting OCOs means organizations must make strategic choices about which technologies to prioritize to best achieve mission objectives. These constraints require careful consideration and cost/benefit analysis to maximize the effectiveness of OCO program budgets and talent pools. I list some key constraints below.
Cost
OCOs require significant financial investment, and budgets are finite. For example, developing a sophisticated exploit for a hardened target may require months or even years of work from a team of highly paid experts, specialized hardware, and access to expensive testing environments.
Availability of Talent
While there have been several educational programs focused on training defensive cyber professionals, the same hasn’t always been true for offensive roles. This has led many organizations, like Zetier, to invest heavily in developing talent themselves through mentorship programs and educational initiatives. There simply aren’t enough offensive cyber engineers to target everything, and often a great deal of specialized knowledge against the target of interest is required to carry out effective OCO on it. For instance, a team may have experts in Windows exploitation but lack anyone with deep knowledge of a particular embedded operating system.
Access to Targeted Hardware or Software
It is often difficult to gain access to closely guarded targets, such as military equipment, to perform the required research for enabling successful OCO. Generally, one can’t purchase, say, an adversary’s latest and greatest satellite technology from eBay. Even commercial devices can be region-locked or require special authorization to purchase.
Diplomatic Implications
A target may be highly attractive, but a failed offensive cyber operation against it could significantly harm our nation’s interests, reputation, or diplomatic relations. For example, a failed operation against a critical infrastructure target could be attributed through forensic analysis, intelligence collection, or operational security failures, resulting in diplomatic fallout, economic sanctions, or military escalation by the targeted nation.
The constraints often interact. For example, a lack of talent may increase costs, or limited access to hardware may require creative approaches that increase risk. There are many more constraints to consider, and some are only revealed after a target has been chosen for exploration. Things change, and so do the tradeoffs involved in cyberspace operations.
Ultimately, targeting decisions tend to be made based on national security objectives weighed against cost and constraints. The role of the cyber engineer and those organizations providing cyber capabilities in this process is often to propose potentially interesting target technologies, assess technical feasibility, and provide cost estimates to decision makers. With targeting decisions made and resources allocated, the real technical work begins. Moving from “what should we target” to “how do we actually compromise it” requires some understanding of the mechanics of offensive cyber operations.
Let’s next explore the technical building blocks that cyber engineers use to turn targeting decisions into operational reality.
Elements of OCO: Execution, Escalation, Exfiltration, Oh My!
After decision makers determine what will be targeted, cyber engineers and operators enable OCO against them. Here we discuss broad details of how that is accomplished.
Initial Access
Computers run (that is, execute) instructions often referred to as code. In the OCO world, gaining initial access tends to mean gaining the ability to make the target execute instructions of your choosing.
One way to gain execution on a target, such as a mobile phone, might be to get physical access to the target device in an unlocked state and install/run an application or program that you choose.
Commonly, however, there is a requirement to gain execution without physical access to the target. This is referred to as remote code execution, or RCE.
One unsophisticated way to achieve RCE in the case of a smart phone might be to get the user to click a link that directs him to a website that causes the browser in his phone to execute code of one’s choosing. Many targets, however, require more sophisticated methods because user interaction is undesired or because no user interaction occurs at all, such as with a satellite.
In these cases, teams must leverage a security vulnerability in the target system. This is roughly analogous to picking a lock—or even entering via an unlocked back door—when trying to gain access to a building. We’ll revisit this building analogy later.
A Very Short Primer on Vulnerabilities
What Are Vulnerabilities?
Because computer systems tend to be very complex, consisting of many technologies combined or stacked on top of each other, the designers, engineers, and operators of computer systems often make security-relevant mistakes that go unnoticed until something goes wrong, or something happens to draw attention to the mistake. Such mistakes are called vulnerabilities, or bugs.
These vulnerabilities often exist in software and, when they’re discovered, the software developer or vendor usually issues a patch or update to fix them. When the operating system on your computer updates, or the apps on your phone update, these updates are often issued to address security relevant bugs, not only to add new features and functionality.
N-days vs. Zero-days
When a vulnerability is known to the system vendors, its designers/engineers, or to the public, it is referred to as an n-day vulnerability, where n represents the number of days since discovery. Such vulnerabilities are distinguished from zero-day vulnerabilities, which are those vulnerabilities that are not yet known publicly or to anyone who might issue a fix.
Both n-days and zero-days have their advantages in the context of enabling OCO. Zero-days, for instance, tend to offer the benefit that they will be available on all systems running the software and have no deployed signatures but require significant upfront investment. N-days are significantly cheaper to leverage (especially if publicly available CVE’s or YARA signatures are available), but may only run on select versions of target software. However, zero-days may require significant investment to be discovered, whereas n-days are already known.
The Vulnerability Researcher’s Role
Vulnerabilities are critical for enabling OCO, and cyber engineers are the ones tasked with finding vulnerabilities in the OCO world. Those cyber engineers who focus on finding vulnerabilities in systems are often called vulnerability researchers. The job of a vulnerability researcher is to investigate a target to find ways the target system might be exploited with the goal of enabling OCO against it. Sometimes, this comes down to enumerating n-days to find a suitable bug, but often a vulnerability researcher spends her days hunting zero-days.
After a vulnerability researcher finds a vulnerability, cyber engineers must figure out how to exploit it and must engineer tools to do just that. This is often a difficult problem to solve, because many modern systems are implemented with protections specifically designed to make exploitation difficult. The skills to effectively exploit a vulnerability don’t tend to be taught in university, with some notable exceptions. Moreover, zero-days sometimes have short shelf lives. If the code for the software is changed, the vulnerability may go away with the changes. Perhaps the vendor will discover the bug exists, and offer a patch, rendering the zero-day an n-day that could be patched on any affected system at any time. So, zero-day vulnerabilities require effort to find and exploit, and have an ephemeral nature. Thus, there is always work for the vulnerability researcher!
As more sophisticated exploitation techniques are developed by offensive actors, additional protections are designed by defensive actors to subvert exploitation. In this way a cat-and-mouse dynamic exists between the defensive and offensive realms of the cyber world, and this dynamic keeps the job of a cyber engineer challenging, interesting, and in demand. Individuals who are very good at finding vulnerabilities, and developing exploits against the hardest of targets, put the A in APT (advanced persistent threat) and are in high demand in the OCO world.
Finally, much credit is due to defenders and security engineers. These days, thanks to all of the protections in place on hardened systems, it is often the case that several vulnerabilities, referred to as a bug chain, must be used together to achieve execution on a target.
Pivoting, Escalating, and Sandbox Escapes
The Building Analogy (Revisited): Different Levels of Security
Returning to our building analogy: After you’ve picked some lock to gain initial access, the situation is going to look one way if you’ve snuck into your neighbor’s backyard shed to determine if the secret to their unnaturally vibrant midwinter lawn is green paint. The situation will look very different if you’re James Bond having entered the lobby of some super-secure office building housing jewelry stores, banks, and shady investment firms to infiltrate a criminal empire’s headquarters.
In the first situation, you’ve got full access and simply need to snoop around, while in the second, you have a lot more to worry about, and a lot more work to do!
So it goes with computer systems. A smart toaster is unlikely to be built with a great deal of security. The same is true for a surprising number of more interesting targets. Smart phones, on the other hand, can access your bank account, browser history, messages, location history, and more. They are “hardened” against attack, because the stakes are much higher, and everyone from state actors, to cyber criminals, to crazy ex-lovers may have designs to break into a person’s smart phone. Hence, great effort is dedicated to securing mobile devices, and some vulnerability researchers find employment doing exactly that—for instance at Google Project Zero.
Hardened Targets and Least Privilege
Hardened targets implement additional security measures and tend to be secured according to the principle of least privilege. This means each user and each component of the system is only granted sufficient privileges to access those resources strictly necessary for proper function. Certain components have access to many (or all) resources, and these are considered the privileged components. Unprivileged components request access to controlled resources from privileged components, and privileged components use some criteria to determine whether access should be granted.
On a smart phone, your messaging app might be able to access your photos because sending photos is expected by messaging apps these days, but your photos app probably isn’t granted access to all your messages, because it doesn’t need such access. This illustrates the principle of least privilege.
Improving Access and Privilege Escalation
Some system components are particularly ripe for gaining initial access. Your internet browser is a great example of this, as it is meant to execute code from websites and prone to executing malicious code. Additional security controls to further restrict access are sometimes implemented around such components, and when this happens the components are said to be sandboxed. The Chrome browser on Android is an example of a sandboxed component.
Breaking out of a sandboxed component is called a sandbox escape. Moving from one unprivileged component to another unprivileged component is called pivoting, and gaining execution in a privileged component from an unprivileged component is called privilege escalation. Privilege escalation can occur by gaining additional privileges locally (that is, on the same system for which execution has already been achieved). This is termed local privilege escalation, or LPE. Otherwise, it might mean gaining execution on another system that has more privileges, such as moving from an unprivileged workstation to a privileged server on a network.
Often, you’ll gain access in an underprivileged, and perhaps even a sandboxed component. However, the goals of an OCO often require privileged access.
So, how does one improve access after gaining execution in an underprivileged or sandboxed component? The answer won’t surprise you: by leveraging additional vulnerabilities!
Why Pivoting Matters
Do not underestimate pivoting as just a lateral move. In the example above of the “least privilege” principle, consider a scenario where an attacker gains execution in the photos app. The attacker may now update photo metadata, but due to the principle of least privilege, the photos app doesn’t grant access to the user’s messages. However, suppose some vulnerability exists in the messaging app so that the next time one of these modified photos is sent, some vulnerability would be exploited to gain execution in the messaging app. This would not be an escalation directly to a fully privileged application or account but the attacker will still have gained additional privileges, namely those required to access message history.
Another utility of pivoting is to reach other vulnerabilities. Imagine you found an LPE bug in the photos app and an RCE bug in the messaging app. In such a scenario, a vulnerability that allows pivoting from the messaging app to the photos app would bridge the gap to enable privilege escalation.
For some of the hardest targets, there exist entire teams of cyber engineers/vulnerability researchers focused exclusively on privilege escalation.
Exfiltration and Effects
After you achieve initial execution and any necessary privilege escalation is successful, it is time to get down to the task at hand. Typically this amounts to running a specialized payload or implant—specifically designed to cause explicit effects or exfiltrate data—on the target.
Implants often must execute in environments in which the system designers didn’t intend for them to run. Thus OCO development brings with it unique challenges that keep the cyber engineer’s work interesting. For instance, an initial payload often gains execution inside another program. Unlike picture-in-a-picture, program-in-a-program isn’t an intended feature, and the cyber engineer has to live and build code in this interesting reality.
An implant serves many purposes—several of which I list below.
Denial of Service
A denial of service attack breaks the system so it can’t operate normally—or perhaps at all. It has the effect of denying whatever service is targeted and may be done conspicuously to send a message or achieve some effect, or more subtly/inconspicuously for other purposes. For example, a denial of service might target a communications satellite to disrupt military operations or a web server to silence a propaganda outlet.
Data Exfiltration
Want to know what your adversary’s plans are? Want a detailed understanding of his capabilities? These are legitimate and strong motivators for building sophisticated OCO capabilities to enable data exfiltration.
Data exfiltration can target a wide range of information: emails, documents, encryption keys, credentials, or even real-time video and audio feeds. The technical challenge is to move this data off the target system without detection. This may involve encrypting the data, breaking it into small chunks, using covert channels (such as hiding data in normal web traffic), or timing transmissions to avoid suspicion. For example, an implant might only exfiltrate data during normal business hours to blend in with legitimate network activity.
Other Effects
Beyond denial of service and data theft, OCO implants can be designed for a variety of effects. These might include manipulating data (for example, altering financial records), enabling physical effects (such as causing industrial equipment to malfunction), or establishing long-term access for future operations. Each effect brings its own set of technical and operational challenges, especially when stealth and reliability are required.
Putting the Persist in Advanced Persistent Threat
Some system activities, including loss of power and system reboots, may halt execution of processes. This includes execution of any OCO payloads. Often there is a need to maintain access to a system across reboots, power losses, or even to survive attempts to set the system back to a default state (such as operating system restore features).
Persistence is the term used to describe maintaining access after an event that causes an implant to stop executing. This might be as simple as modifying some file on the system that you know will execute when the system reboots as part of the normal startup process. On more hardened systems, persistence often requires sophisticated techniques involving the discovery and/or use of yet another vulnerability, or bug chain.
Protections that might need to be bypassed include write-protected disks intended to prevent modifying files that execute upon system startup or validation techniques such as code signing intended to detect when a trusted file has been altered. Overcoming such protections requires the specialized expertise of cyber engineers!
Stealth and Detection Avoidance: Playing the Long Game
It has been said that every time an OCO is detected, assumptions about Undefined Behavior will be rampant. In fact, depending on the nature of the OCO, the consequences could be much greater. Thus, great effort is often dedicated to execute OCOs without detection.
Below, I list desirable characteristics for an OCO.
Gain Execution With No User Interaction
Consider two scenarios. In the first scenario, you send a user a link via text message that when clicked will gain execution in the browser app. In the second scenario, you send the user a specially crafted message that will gain execution in the messaging app, and never even alert the user that he received this crafty message. In the first case, the user has to take action, and has knowledge of an artifact of the OCO that can be investigated. In the second case, the user is never alerted, has nothing to investigate, and is not required to do anything to enable the OCO.
Avoid Alerting Behavior
This can be harder than it seems. Something as simple as slowing down an application you’ve exploited might alert the user of a targeted system. Other behavior is more conspicuous, such as “bricking” a phone, which is an industry term for rendering a device unusable as anything other than a brick or paperweight.
Avoid Antivirus/Intrusion Detection
Traditionally, antivirus and intrusion detection systems scan files, network traffic, etc. for code patterns they consider to be potentially malicious. Successful OCO must avoid such detection. There are many techniques to go about this, including obfuscating code using encryption techniques so antivirus signatures won’t match the randomized code or hiding code in places (such as non-executable files or trusted system files) that antivirus or intrusion detection systems do not monitor.
Avoid Capture/Analysis of Implants and Payloads
When an implant is captured, signatures are written to detect it using antivirus software.
The behavior of the implant may also be studied, and incident response teams can then improve monitoring techniques for detecting current/future OCO.
Minimize Impacts of Artifacts
Artifacts are detritus left behind by an OCO. For instance, when persisting a payload, it generally must be written to disk—that is, persistent or non-volatile memory. While this can’t be avoided to achieve persistence on some targets, it is common to persist only a bare bones implant that upon gaining execution after a reboot might reach out across the internet to retrieve more sophisticated code to execute. In this way, the critical parts of the implant will not be sitting around on disk to be discovered and analyzed.
Develop/Prefer In-Memory-Only Techniques
When an implant is never written to disk, but instead is only downloaded and executed in volatile memory, it is harder to capture/detect. Thus, sophisticated OCO execution might require in-memory-only payloads.
Now that we understand what cyber engineers do, let’s explore what it takes to become one.
Essential Skills for Cyber Engineers
Having explored the high-level elements of OCO and gained a better understanding of the cyber engineer’s role, let’s now discuss what it takes to become one. The technical challenges we’ve covered require a specific set of skills that aren’t typically taught in traditional university computer science programs. In this section, we’ll examine the foundational capabilities that enable cyber engineers to tackle these complex problems. While our discussion is far from comprehensive, it aims to provide a broad sense of the basic skills that support success as a cyber engineer and point interested readers to some useful resources.
The Ability to Solve Problems With Code
Programming is the foundation that enables everything else in cyber engineering. As a cyber engineer, you’ll need to build custom exploits, develop payloads, and create tools that don’t exist yet. The ability to quickly prototype solutions and iterate on complex problems separates good cyber engineers from great ones.
You’ll spend a lot of time writing scripts to automate tasks, analyze data, or interact with target systems. For exploit and implant development, you’ll often work in lower-level languages to interact directly with hardware or operating system internals.
If you’re new to programming, you can start with any language. Python is widely used for scripting and prototyping, while C/C++ are essential for low-level work and understanding memory corruption bugs. Try to build small projects and participate in coding challenges to sharpen your skills.
Resources
- Advent of Code
An annual programming challenge event featuring daily coding puzzles throughout December, designed to build problem-solving skills through algorithmic thinking and can be solved in any programming language.
Understanding Bug Classes and Identifying Bugs in Code
Understanding vulnerability classes like buffer overflows, use-after-free, race conditions, and logic flaws is essential. You’ll need to recognize these patterns in code and understand how they can be exploited. This knowledge forms the foundation for both finding new vulnerabilities and understanding existing ones.
In practice, you’ll review source code (when available), analyze binaries, and solve capture-the-flag (CTF) challenges to hone your bug-hunting skills. You’ll also learn to write proof-of-concept exploits to demonstrate the impact of discovered bugs.
Getting started is as simple as reading about common vulnerability types and practicing with CTF platforms or specially designed, broken programs that allow users to safely test hacking techniques.
Resources
The Art of Software Security Assessment
This book, authored by Mark Dowd, John McDonald, and Justin Schuh, is still available in Kindle format. I think it is out of print for paperback, unfortunately.picoCTF
A free, online cybersecurity competition aimed at middle and high school students, offering educational content and challenges to learn security concepts.OverTheWire Wargames
A series of security wargames that help you learn and practice security concepts in a hands-on, shell-based environment.Exploit Education
Educational resources focused on binary exploitation, vulnerability research, and low-level software security techniques.
Reverse Engineering
For many targets, access to source code is impractical or impossible. Learning the basics of reverse engineering is essential for vulnerability research, malware analysis, and understanding target systems.
You’ll use tools like disassemblers and debuggers to analyze binaries, reconstruct program logic, and identify vulnerabilities or interesting behaviors.
Start with simple programs and gradually work your way up to more complex targets. Practice by reversing small utilities, participating in reverse engineering CTFs, or analyzing open-source binaries.
Resources
Reversing: Secrets of Reverse Engineering
Authored by Eldad Eilam, this foundational book covers computer internals, operating systems, and assembly language with practical techniques for software reverse engineering.Practical Reverse Engineering
Written by Bruce Dang, Alexandre Gazet, and Elias Bachaalany, this book provides hands-on coverage of x86, x64, and ARM architectures along with Windows kernel reversing, obfuscation techniques, and practical reversing tools.Bomb Lab
A reverse engineering training exercise originally created at Carnegie Mellon University where students disarm a “binary bomb” by solving six phases through assembly analysis, teaching pattern recognition for loops, arrays, recursion, and other code structures.Ghidra
A free, open-source software reverse engineering framework developed by the NSA featuring disassembly, decompilation, scripting, and graphing capabilities across multiple platforms and processor architectures.
Operating Systems Principles
Understanding how operating systems work under the hood is fundamental to cyber engineering. You need to know how memory management works, how processes communicate, how the kernel handles system calls, and where the security boundaries exist.
You’ll use this knowledge to find privilege escalation vulnerabilities, understand where systems are vulnerable to attack, and develop reliable exploits. You’ll also need to navigate different OS architectures and security models.
To get started, read OS textbooks, experiment with Linux or Android internals, and try building or modifying simple kernel modules.
Resources
Operating Systems: Three Easy Pieces
A free online textbook by Remzi and Andrea Arpaci-Dusseau covering OS fundamentals through three core concepts (virtualization, concurrency, and persistence), also available in print and enhanced PDF formats.Linux
The official Linux kernel repository maintained by Linus Torvalds, providing the complete source code for the core of the Linux operating system and serving as a reference for kernel developers, security researchers, and systems programmers.Android Internals
A comprehensive book series by Jonathan Levin exploring the undocumented internals of Android’s frameworks, native libraries, and kernel with detailed coverage of hardware, security, and system architecture across multiple volumes.
Building these essential skills should put you well on your way to breaking into a career as a cyber engineer. The above resources are only a small sample of the learning materials available. As you learn and do more, you’ll find more resources, and have more questions. Stick with it, and you’ll be enabling new and exciting OCO yourself in no time!
Conclusion
The field of offensive cyberspace operations demands technical excellence, continuous learning, and innovative problem-solving. It offers unique challenges at the intersection of national security and cutting-edge technology, where success requires mastery of vulnerability research, exploit development, and system internals.
For those interested in pursuing this path, focus on building core competencies in:
- Low-level systems programming
- Vulnerability research and exploitation
- Reverse engineering
- Operating system internals
Organizations like Zetier seek engineers who can tackle these complex technical challenges while maintaining the highest standards of professionalism and ethics. The field continues to evolve, driven by advances in both offensive and defensive capabilities.
Visit Zetier’s career listings to learn more about opportunities in offensive cyber operations.
Content by Zetier, Illustration by Inkinetic Studios.
