vimwiki/tech/cia-do-dont.wiki

80 lines
3.4 KiB
Plaintext

= Cia Do and Donts =
This is the CIA list of dos and donts.
== General ==
* DO obfuscate and encrypt strings; Deobfuscate in memory when needed
* DO wipe deobfuscated strings once done
* DONT decrypt string data upon execution
* DO remove encryption keys, shellcode, etc from memory
* DO utilize deployment time unique key for deobfuscation of data
* DONOT rely on OS to cleanup strings for you
* DO strip all debug symbols, build paths, dev usernames, etc from binary
* DO strip all debug output from final build of tool
* DONOT import/call functions that are not consistent with tools cover usage
* DONOT export sensitive functions names, use benign cover names
* DONOT generate crashdumps or signs of error when crashing
* DO attempt to crash a program during a unit test
* DONOT perform operations that will make a computer hang
* DO make all effort to minimize binary size without the use of compression
Less than 150kb is ideal for a full tool
* DO provide a means to uninstall tools and all artifacts
* DO document all artifacts of program and how to undo it
* DONOT leave dates and times like compile timestamps, access times, etc that
relate to your time zone
* DONOT leave data in the binary that indactes you
* DONOT leave data that has "dirty words" (hacker terms) in binary
== Network ==
* DO use E2EE for network comms
* NEVER use network protocols that break E2E principle with respect to
encrypted payloads
* DONOT rely soley on SSL/TLS to secure data in transit
* DONOT allow network traffic to be replayable
* DO use ITEF RFC compliant network protocols as a blending layer. The actual
data should be tunneled through a well known, standard protocol like HTTPS
* DONOT break compilance of an RFC protocol being used as a blending layer
* DO use variable size and timing jitter of packets, beacons, and
communications
* DONOT send data with fixed size and timing
* DO properly clean up network connections
== Disk I/O ==
* DO document disk forensic footprint that could created by tool
* DONOT read, write, or cache data to disk for no reason
* DONOT write plain text collected data to the disk
* DO encrypt all data written to disk
* DO utilize a secure erase when removing a files from disk that also wipes
filename, datetime stamp, and contents
* DO perfom at least a single pass of zeros over the content of the file
* DONOT perform disk IO operations that will make the system unresponsive
* DONOT use a magic header or footer
* DONOT use hard-coded filenames or filepaths. These must be configurable at
deployment time by the operator
* DO have a configurable max size limit or output file count for writing files
== Dates/Time ==
* DO use GMT/UTC/Zulu
* DONOT use US-centeric timestamps
* DO use YYYYMMDD instead
== PSP/AV ==
* DONOT assume free versions of PSP is the same as retail PSP. Test on all
versions in a sandbox
* DO test PSPs with recently live internet connections when possible
== Encryption ==
* Key exchange *must* be performed via Diffie-Hellman, Eliptic Curve
Diffie-Helmen, or RSA.
- ECDH, the prime must be 256 bits
- DH and RSA primes must be *at least* 2048 bits
- DH and ECDH is prefered for perfect forward security
* Authentication *must* be done with TLS 1.2, Elliptic curve DSA, DSA, or RSA
- Asymmetric keys *must* be at least 2048 bits (Elliptic curve, 256 bits)