
We must have a different definition of advanced attackers because I can think of numerous countries that use zero days. A handful more that use COTS malware (i.e. NSO) that employs zero days.


Yes, a few, very few compared to the rest. You will note I said most of them don't use 0-days or even 1-days. A lot attempt exploitation in some form or another, typically for vulns older than a few months.

It's simply too easy to use other means of delivery.

Look at drive by: https://attack.mitre.org/techniques/T1189/

In most cases the only thing exploited is the sites hosting their malware (typical joomla/wp sites).

Spear phishing attachment: https://attack.mitre.org/techniques/T1193

I see about 3 examples out of 40 that use exploits.

Spearphishing link: https://attack.mitre.org/techniques/T1192/

2/20

https://attack.mitre.org/techniques/T1190/ only 5 examples for public-facing asset exploitation, mostly SQL injection.

Mitre is not a complete list but they do a good job of keeping up with APT techniques. The most famous ones indeed use 0days and that is one of the reasons they're famous. But at the end of the day they should be noteworthy based on damage done, not the "coolness" of the hack.

Software exploitation is a thing, but not only is it seen less and less, modern mitigations are making a lot of the techniques obsolete. Look at the fall of exploit kits as an example.


I do not consider spear phishing an advanced attack (despite many governments doing it). Credential theft definitely is not. Malicious docs generally are not (as they are typically just macros that the user has to run).

Watering holes can be depending on how the malware is delivered once the user visits the site. If it just tries to download it and hope they click, that is not advanced IMO.

I do agree that this is what most organizations face as threats though. Resources like these are for people who want to eventually sell exploits, hunt for bugs, or learn enough to analyze them effectively. I do not think these are for teaching someone to teach corp users to not run docms.


No no no...

It is the threat that is advanced not the technique. That was my whole point. If corp users with all their security teams are still victims how much more are individuals. Or does the world outside of tech bubbles not exist?

Also, macros and docm are only a small vector; most non-technical people, for example, would open say... a jar file with a PDF icon that came from an email from a compromised account of someone they know, and trust me, I've seen plenty of non-corp users without the typical mandatory phishing training fall victim, lose large sums of money, etc...

I have no clue why you don't think spear phishing is an advanced technique. Just recently I stumbled upon a Word exploit being used and it was not "spear" phishing, just normal stuff. Does it have to be sophisticated and impressive to be advanced? Often, the most damaging exploits are the ones with minimal attack complexity (a CVE vector that adversely affects the score, mind you). Regardless of your opinion, the offensive way is to use the easiest and quietest method.

As to my comment, the author stating the material teaches people "core cybersecurity concepts" is what I disagreed with. Memory-safe languages and exploit mitigation solutions make these software exploit techniques very difficult to pull off. Plus, any decent EDR solution easily detects and blocks exploitation of browsers, productivity apps and other well-known initial access vectors, so you're basically left with mostly Linux that is not hardened, and even then only on servers and network devices, since most people don't run Linux desktop (and to my point the post does not even touch Windows).

Essentially, my point is that any infosec education that is not informed by current practical threats and attacks, while very fun to go through, may not provide as much value as you think.

Even in a tech company/startup where everyone uses Linux and Mac, it is much more important to have good security architecture and hygiene, do authentication properly (you're exploit proof but someone exposed their SSH private key and got you pwned), and know risk analysis, threat modeling, incident response, etc... That is much more "core", while exploitation of software and even spearphishing are "edge" concepts.


>Does it have to be sophisticated and impressive to be advanced?

Yes. I think this is where our opinions differ. It is always a joke to be reading a blog post about an advanced attacker and the exploit is, as you say, the user clicked a jar with a pdf icon.

I agree completely about things that add value to corporations. This is why I am not working corporate security at a startup. I do not care so much about implementing U2F policies or server authentication methods, even though these are much more impactful for the business. I work for a small company, work on less impactful things (in regards to corporate security), and enjoy myself considerably more. If I could stomach the other stuff I would make more money, but I prefer to enjoy my work and hack on obscure things.

Your namesake with eternalblue is quite advanced (even though it was n-day). That stuff is interesting. Reverse engineering that stuff is interesting. I think these things prepare people to do that sort of work.


That's fine, having a specialized interest is ok, just don't say that is a "core concept of cybersecurity".

You like impressive exploits and vulnerability research, which is good; that upstream work is useful in downstream "core" security, whether it be for corporations (a 2-person startup is one) or consumers.


There are far more advanced hacking groups than there are nation states. There are likely more criminal hacking groups in each individual country than there are nation states.


There are many criminal groups, but few are advanced. It takes investment and large teams to get full chain zero days. Most criminal groups will implement n days, but they are not coming up with Eternal Blue, you know? They are just grabbing it and hitting unpatched machines. It is skilled for sure, but it is not my definition of advanced threats.

If you have some examples of criminal groups using zero days in hard targets, I'm very interested. From what I see, no one's mobile phones are getting hit with ransomware via fresh vulns. That behavior is generally reserved for nation states with the ability (financial and legal) to purchase the exploits.
