- Use Ultimates/Don't use (we've already won/lost)
- Fight (We have a chance to win!) or Run/Die on Purpose (We have lost, time to regroup)
- Status of enemy cooldowns, location of important enemies (such as snipers)
- Target focus (Roadhog is alone!)/Healing focus (Our Reinhardt needs heals!)
This has direct analogies to cyber operations. I know right now military people are nodding about the OODA loop, but people always focus on the "action" portion of the OODA loop, whereas in cyber, you gain your advantage from speeding up the analysis portion.
To give you an example, let's say you SSH into a box with a stolen key, and then you notice the admin is on the box poking around. You have a set of choices. Do you immediately log out, and hope the admin doesn't notice the logs you have left by logging in? Do you root the box with an 0day, then clean up the logs, then leave immediately? Do you just continue on your mission as if they were not there, since you are probably in and out before they can figure out what's going on?
[Image caption: Ana (who is usually the shotcaller)'s seated pose is from Carlos Norman Hathcock's pic...]
A lot of people will say "This is what the operator does," but the decisions you make here affect your global scope. If you try your 0day on boxes where you are likely to get caught, that 0day can easily be burned. But if you log off immediately, your stolen key will likely be burned. If you root the box to clean up, but don't finish your mission, then they may patch or secure the box before you can get back in. A good shotcaller is NOT TOO PARANOID, because the question of "Have we been found?" is a very hard one to get right and an extremely high-consequence one.
In other words, the decisions of a shotcaller in a cyber operation (or a penetration test) are the same as in Overwatch. When to go in, when to get out, when to use which tools, where to be persistent and where to leave alone. This is different from your operational planner, which is going to be more tightly connected to your development arm and decide which tools to build and how to tie them together to get an operational capability.
Since this blog is for policy people I want to also point out the policy implications of the Persistence part of APT. Persistence induces many additional risks, especially when done in the face of an active attempt to remove you from a network. There are opsec risks, of course, but what I want to focus on are the risks to the target network.
In order to remove a persistent threat, the target is going to have to rip up large portions of their network, and the attacker is going to have to use techniques that have a chance of causing permanent damage to hardware or causing downtime. If, say, the Chinese QWERTY PANDA group's policy is to stay resident on the DNC's network even after being found, that introduces an escalatory problem first for the DNC, and then for the US.
Most governments have a default policy of "If you get caught, get out" for opsec reasons only. I would argue that it makes sense as a norm for other reasons as well.