vimwiki/tech/cia-do-dont.wiki

= Cia Do and Donts =

This is the CIA list of dos and donts.

== General ==

* DO obfuscate and encrypt strings; Deobfuscate in memory when needed
* DO wipe deobfuscated strings once done
* DONT decrypt string data upon execution
* DO remove encryption keys, shellcode, etc from memory
* DO utilize deployment time unique key for deobfuscation of data
* DONOT rely on OS to cleanup strings for you
* DO strip all debug symbols, build paths, dev usernames, etc from binary
* DO strip all debug output from final build of tool
* DONOT import/call functions that are not consistent with tools cover usage
* DONOT export sensitive functions names, use benign cover names
* DONOT generate crashdumps or signs of error when crashing
* DO attempt to crash a program during a unit test
* DONOT perform operations that will make a computer hang
* DO make all effort to minimize binary size without the use of compression
  Less than 150kb is ideal for a full tool
* DO provide a means to uninstall tools and all artifacts
* DO document all artifacts of program and how to undo it
* DONOT leave dates and times like compile timestamps, access times, etc that
  relate to your time zone
* DONOT leave data in the binary that indactes you
* DONOT leave data that has "dirty words" (hacker terms) in binary

== Network ==

* DO use E2EE for network comms
* NEVER use network protocols that break E2E principle with respect to
  encrypted payloads
* DONOT rely soley on SSL/TLS to secure data in transit
* DONOT allow network traffic to be replayable
* DO use ITEF RFC compliant network protocols as a blending layer. The actual
  data should be tunneled through a well known, standard protocol like HTTPS
* DONOT break compilance of an RFC protocol being used as a blending layer
* DO use variable size and timing jitter of packets, beacons, and
  communications
* DONOT send data with fixed size and timing
* DO properly clean up network connections

== Disk I/O ==

* DO document disk forensic footprint that could created by tool
* DONOT read, write, or cache data to disk for no reason
* DONOT write plain text collected data to the disk
* DO encrypt all data written to disk
* DO utilize a secure erase when removing a files from disk that also wipes
  filename, datetime stamp, and contents
* DO perfom at least a single pass of zeros over the content of the file
* DONOT perform disk IO operations that will make the system unresponsive
* DONOT use a magic header or footer
* DONOT use hard-coded filenames or filepaths. These must be configurable at
  deployment time by the operator
* DO have a configurable max size limit or output file count for writing files

== Dates/Time ==

* DO use GMT/UTC/Zulu
* DONOT use US-centeric timestamps
* DO use YYYYMMDD instead

== PSP/AV ==

* DONOT assume free versions of PSP is the same as retail PSP. Test on all
  versions in a sandbox
* DO test PSPs with recently live internet connections when possible

== Encryption ==

* Key exchange *must* be performed via Diffie-Hellman, Eliptic Curve
  Diffie-Helmen, or RSA.
  - ECDH, the prime must be 256 bits
  - DH and RSA primes must be *at least* 2048 bits
  - DH and ECDH is prefered for perfect forward security
* Authentication *must* be done with TLS 1.2, Elliptic curve DSA, DSA, or RSA
  - Asymmetric keys *must* be at least 2048 bits (Elliptic curve, 256 bits)
* Authentication via TLS 1.2 *must* include the use of certs by both parties
* Authentication via TLS 1.2 *must* validate the cert utlized by both parties.
  If the cert is invalid, they should terminate the connection. This guidance
  referes to the inner cryptosctream which may be masked by HTTPS, this doesn
  no apply to the outer stream
* Tools must support unique certs and CAs for network auth for each deployment
* Integrity must be provided HMAC with a key size of 256 bits
* Confidentiality must be provided by AES with minimum key size of 256 bits.
  The cipher must be operated in Galois/Counter Mode, Counter Mode, or Chipher
  Block Chaining
* Messages *must* come with a digest