CLOAK is the first publicly available knowledge base on cybercriminal concealment measures. CLOAK is the result of qualitative scientific research and has been inspired by the well-known MITRE ATT&CK™ framework. CLOAK has been developed by analyzing over 200 Operational Security (OpSec) guides from both the clear web and the dark web. CLOAK's main objective is to contribute to combating cybercrime better, and it has been made publicly available so that improvements can be made together with the cybersecurity community. CLOAK's initial version (January 2025) already identified 13 tactics, 109 techniques, 679 sub-techniques, and 586 procedures, which comes down to a total of 1.387 unique TTPs! For an interactive version of CLOAK please see https://opsectechniques.com. Technical TTPs have been marked red, Behavioral TTPs orange, and Physical TTPs blue. Unfold the tactics (TA) to discover how they relate to techniques (TE), sub-techniques (ST), and procedures, and vice versa.
Recording of the talk about CLOAK at SANS DFIR Summit Prague 2025 (slides)
The CLOAK dataset has been updated to ensure full coverage and correct rendering of all TTPs. 60 TTPs have been added.
- Added search function
- Added short introduction
- Added TTP counts
- Added 60 new TTPs (see table)
- Updated README.md
More TTPs will be added once I've made more progress. If you notice inconsistencies or have suggestions, feel free to open an issue or contact me (cloak@opsectechniques.com).
The following TTPs, based on the remaining documents, were added:
| Techniques | Sub-techniques | Procedures |
|---|---|---|
| Avoid leaving DNA | Random hostnames | dark.fail |
| Compartmentalization | Add cryptocurrency to darknet market account | tor.taxi |
| Selfeducation | Avoid package tracking official USPS website | DNSCrypt |
| Anonymous traveling | Third party package tracking | dnscrypt-proxy 2 |
| Avoid exchanges | ADHOC S2 | |
| Fake or hollow walls and floors | ADHOC S3 | |
| Open package in public place | FoxyProxy | |
| Avoid bookmarked darknet markets | Greasemonkey | |
| Act if car GPS is being tracked | Dash | |
| Remove car microphone | SOCKSchain | |
| Keep evidence minimal | Cryptostorm VPN | |
| Avoid saving customer addresses | Fedora | |
| Alter browser habits | Thinkpad X1 Carbon 5th generation | |
| Encrypt DNS | Thinkpad T560P | |
| Avoid roads with toll | Thinkpad 450S | |
| Only travel with burner devices | CanvasBlocker | |
| Avoid cars with radio frequency communications | KeePassX | |
| Avoid Tor over Tor | Wickr | |
| Avoid using anonymously bought devices within CCTV storage window | | |
| Offline notes | | |
| Offline spell checker | | |
| Multiple translations | | |
| Generate PGP keys regularly | | |
| Carry external media with you | | |
| Carry transmitting devices with you | | |
| Limit number of installed applications | | |
| Set homepage to Google | | |
| Change download folder to encrypted location | | |
| Disable search history | | |
| Private browsing mode | | |
| Close and clean | | |
| Avoid advertisements | | |
| Avoid ignoring warnings | | |
| Avoid downloading from untrusted sources | | |
| Show punycode | | |
| Disable browser PDF reader | | |
| Certificate pinning | | |
| Disable beaconing | | |
| Disable prefetching | | |
| Disable browser pings | | |
| Password policies | | |
| Avoid digital and online diceware simulators | | |
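The table above lists each column independently (a blank cell is padding, not a TTP), and some rows on the page are shorter than three cells. The following Python parser is an added example, not code from the CLOAK project; it ingests such a table into per-column lists, tolerating ragged rows, and is fed a constructed excerpt of the table.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the README's "added TTPs" table. It deliberately
# includes the ragged row shapes that occur on the page: a row with a
# missing trailing cell ("||") and a final row with only the first cell.
SAMPLE_TABLE = """\
| Techniques | Sub-techniques | Procedures |
|---|---|---|
| Avoid leaving DNA | Random hostnames | dark.fail |
| Compartmentalization | Add cryptocurrency to darknet market account | tor.taxi |
| Avoid exchanges | ADHOC S2 | |
| Avoid Tor over Tor | Wickr | |
| Offline notes | ||
| Avoid digital and online diceware simulators |
"""

EXPECTED_HEADER = ["Techniques", "Sub-techniques", "Procedures"]

@dataclass
class AddedTTPs:
    techniques: list = field(default_factory=list)
    sub_techniques: list = field(default_factory=list)
    procedures: list = field(default_factory=list)

    def total(self) -> int:
        """Number of added TTPs = sum of the three column lengths."""
        return len(self.techniques) + len(self.sub_techniques) + len(self.procedures)

def split_row(line: str) -> list:
    """Split one pipe-delimited row into stripped cells, padded to 3 columns."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    return (cells + ["", "", ""])[:3]

def parse_ttp_table(text: str) -> AddedTTPs:
    """Parse the three-column markdown table into independent column lists."""
    rows = [split_row(l) for l in text.splitlines() if l.strip().startswith("|")]
    if not rows or rows[0] != EXPECTED_HEADER:
        raise ValueError("unexpected table header")
    result = AddedTTPs()
    for cells in rows[1:]:
        # Skip the markdown alignment row ("|---|---|---|").
        if all(re.fullmatch(r":?-+:?", c) for c in cells if c):
            continue
        for value, column in zip(cells, (result.techniques,
                                          result.sub_techniques,
                                          result.procedures)):
            if value:                      # blank cells are padding only
                column.append(value)
    return result
```

Running `parse_ttp_table` over the full README text (the lines between the table's header and its last row) yields the complete per-column lists, which is the form needed before the entries can be mapped onto CLOAK's tactics.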
Cybercrime is a growing global problem, and concealment measures make attribution of cybercrime hard or impossible because they provide threat actors with anonymity. We tend to focus on the tactics, techniques, and procedures (TTPs) of cyberattacks, but very little on the adversarial concealment measures that preserve anonymity through and in cyberspace. Concealment measures allow cybercriminals to get away with their crimes and to continue them for a longer period of time. It is therefore necessary to conduct more scientific research on this underexposed topic in order to combat cybercrime better.
Three types of cybercrime are distinguished: cyber-dependent crime (type I), cyber-enabled crime (type II), and crimes in the machine (type III). We mainly focus on cyber-dependent (type I) crimes, as can be seen from MITRE ATT&CK. CLOAK broadens the current view on cybercrime by also covering the other types of cybercrime and by including the ‘before’ and ‘after’ phases. In doing so, it opens the door to other approaches to combating cybercrime, for example identifying gaps in countermeasures and detection capabilities, or fingerprinting threat actors based on the concealment measures they apply instead of the TTPs they deploy during cyberattacks.
The findings of the qualitative scientific research showed that concealment measures are taken at three levels: technical, behavioral, and physical. To achieve the best possible level of anonymity, cybercriminals must take measures at all three levels. The role each level plays with respect to concealment, and the most frequently mentioned measures, are briefly described below. For more information about concealment measures and how they are interconnected, please see CLOAK. A scientific article about CLOAK is expected to be published later this year.
The technical measures are the most important for becoming anonymous. The most important technical measures are The Onion Router (Tor), Virtual Private Networks (VPN), encryption, isolation, anti-fingerprinting, wiping traces, and hardening.
The behavioral measures are the most important for staying anonymous. The most important behavioral measures are remaining silent about illicit activities, avoidance of sharing personal details, compartmentalization, threat modeling, risk management, unique credentials, public Wi-Fi, and applying deception.
The physical measures are necessary in conjunction with technical and behavioral measures for continuity, detection and evasion of law enforcement agencies. The most important physical measures are faraday cages, physical destruction of hardware, tamper detection, paper wallets, data leak prevention, and removing or covering unnecessary components.
CLOAK provides oversight of and insight into cybercriminal concealment measures from a technical, behavioral, and physical perspective, and thus provides a better understanding of cybercriminal behavior and how those measures are interconnected. CLOAK is therefore suitable to raise awareness about cybercriminal behavior.
CLOAK could be leveraged by law enforcement agencies and security and intelligence services to determine their next course of action in cybercriminal investigations, and identify gaps in their countermeasure arsenal.
CLOAK could be leveraged to reference cybercriminal concealment TTPs in a unified manner, for example in indictments and technical write-ups. This allows everyone to speak the same language globally with respect to cybercriminal concealment techniques.
CLOAK could be leveraged to identify gaps with respect to countermeasures and detection capabilities, and thus contributes to the development or improvement of countermeasures and detection capabilities.
Some measures can be applied by individuals living in strict regimes to circumvent censorship.
There probably are even more practical use cases which are not mentioned here.
CLOAK in its current form is far from perfect, but it's a start. By making CLOAK open source we can hopefully enhance it further together and improve its practical value. Possible enhancements are, for example:
- adding countermeasures
- adding detection capabilities
- improving the TTP descriptions
- adding more TTPs which are missing
- merging/removing outdated/ineffective TTPs
- adding effectiveness of TTPs
Mick Deben holds a Master of Science (MSc) in cybersecurity and has over a decade of experience in information security and cybersecurity. CLOAK was originally developed for his master’s thesis at Leiden University titled: “Hiding through and in cyberspace: Modeling cybercriminal concealment techniques” (under embargo). Feel free to reach out to cloak@opsectechniques.com.
This project is licensed under GNU General Public License, version 2.
