Concealment Layers for Online Anonymity and Knowledge (CLOAK)
Concealment Layers for Online Anonymity and Knowledge (CLOAK) is a knowledge base of cybercriminal concealment measures inspired by MITRE ATT&CK. This matrix-like galaxy organises concealment practices across technical, behavioural, and physical layers to support investigation, common referencing, gap analysis, and defensive planning. The source project describes CLOAK as derived from qualitative research over more than 200 OpSec guides and its initial public version as containing 13 tactics, 109 techniques, 679 sub-techniques, and 586 procedures.
Authors
| Authors and/or Contributors |
|---|
| Mick Deben |
| MISP Project |
CLOAK - Anonymous browsing
Browse or access Internet resources while reducing attribution to a subscriber, device, location, or identity. Includes anonymous Internet connections, privacy search engines, Tor/I2P routing, pluggable transports, anti-censorship transports, and public-network usage.
Internal MISP references
UUID 594c1b33-aac8-5cfd-83db-fc46aeb26ed7 can be used as a unique global reference for CLOAK - Anonymous browsing in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| attribution | This MISP galaxy is based on Concealment Layers for Online Anonymity and Knowledge (CLOAK) by Mick Deben. The MISP Project converted and summarised the source material as a matrix-like MISP galaxy; some descriptions are expanded to provide operational context where the source JSON contains sparse descriptions. |
| external_id | CLOAK-TA01 |
| kill_chain | ['cloak:Anonymous browsing'] |
| layer | Technical |
| matrix | CLOAK |
| related_misp_galaxies_note | Relationships are best-effort analytical mappings to existing MISP MITRE ATT&CK attack-pattern clusters where CLOAK concealment tactics overlap with ATT&CK adversary behaviors; they are not asserted as source-published CLOAK mappings. |
| source_notes | Descriptions are derived from CLOAK README and concealment-data.json structure and expanded for MISP usability where original entries lack detail. |
| technique_examples | ['The Onion Router (Tor)', 'Invisible Internet Project (I2P)', 'obfuscated bridges', 'public Wi-Fi', 'privacy search engines'] |
CLOAK - Anonymous communication
Communicate without exposing durable identity, social graph, message metadata, or contact-discovery information. Includes encrypted messengers, disposable mail, aliases, anonymous voice/SMS, sealed sender patterns, and compartmented accounts.
Internal MISP references
UUID ca88752b-3083-5683-9b49-6cf8e4286816 can be used as a unique global reference for CLOAK - Anonymous communication in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| attribution | This MISP galaxy is based on Concealment Layers for Online Anonymity and Knowledge (CLOAK) by Mick Deben. The MISP Project converted and summarised the source material as a matrix-like MISP galaxy; some descriptions are expanded to provide operational context where the source JSON contains sparse descriptions. |
| external_id | CLOAK-TA02 |
| kill_chain | ['cloak:Anonymous communication'] |
| layer | Technical/Behavioral |
| matrix | CLOAK |
| related_misp_galaxies_note | Relationships are best-effort analytical mappings to existing MISP MITRE ATT&CK attack-pattern clusters where CLOAK concealment tactics overlap with ATT&CK adversary behaviors; they are not asserted as source-published CLOAK mappings. |
| source_notes | Descriptions are derived from CLOAK README and concealment-data.json structure and expanded for MISP usability where original entries lack detail. |
| technique_examples | ['encrypted messaging', 'disposable email', 'email aliases', 'anonymous phone numbers', 'metadata-minimising contact discovery'] |
CLOAK - Anonymous financial transactions
Acquire, move, store, or spend funds while reducing direct attribution. Includes cryptocurrency privacy practices, wallet segmentation, mixers/swaps where legal context permits, paper wallets, and transaction timing or amount discipline.
Internal MISP references
UUID 6967b507-8fec-5d04-a7b0-2b78afd20928 can be used as a unique global reference for CLOAK - Anonymous financial transactions in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| attribution | This MISP galaxy is based on Concealment Layers for Online Anonymity and Knowledge (CLOAK) by Mick Deben. The MISP Project converted and summarised the source material as a matrix-like MISP galaxy; some descriptions are expanded to provide operational context where the source JSON contains sparse descriptions. |
| external_id | CLOAK-TA03 |
| kill_chain | ['cloak:Anonymous financial transactions'] |
| layer | Technical/Behavioral |
| matrix | CLOAK |
| source_notes | Descriptions are derived from CLOAK README and concealment-data.json structure and expanded for MISP usability where original entries lack detail. |
| technique_examples | ['wallet segmentation', 'privacy coins', 'paper wallets', 'transaction delay', 'anonymous payment cards'] |
CLOAK - Anonymous hosting and infrastructure
Host services, store data, or operate infrastructure while limiting exposure of operators, providers, payment trails, or backend origin systems. Includes offshore/privacy-preserving hosting, onion/I2P services, proxies, VPNs, reverse proxies, and short-lived infrastructure.
Internal MISP references
UUID 79ea4d13-82b7-5139-8d0f-e940ac1226f9 can be used as a unique global reference for CLOAK - Anonymous hosting and infrastructure in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| attribution | This MISP galaxy is based on Concealment Layers for Online Anonymity and Knowledge (CLOAK) by Mick Deben. The MISP Project converted and summarised the source material as a matrix-like MISP galaxy; some descriptions are expanded to provide operational context where the source JSON contains sparse descriptions. |
| external_id | CLOAK-TA04 |
| kill_chain | ['cloak:Anonymous hosting and infrastructure'] |
| layer | Technical |
| matrix | CLOAK |
| related_misp_galaxies_note | Relationships are best-effort analytical mappings to existing MISP MITRE ATT&CK attack-pattern clusters where CLOAK concealment tactics overlap with ATT&CK adversary behaviors; they are not asserted as source-published CLOAK mappings. |
| source_notes | Descriptions are derived from CLOAK README and concealment-data.json structure and expanded for MISP usability where original entries lack detail. |
| technique_examples | ['onion services', 'I2P eepsites', 'offshore hosting', 'proxy chains', 'short lifetime attack infrastructure'] |
CLOAK - Anonymous identities and accounts
Create and maintain personas or accounts that cannot easily be linked to a real-world identity or to each other. Includes alias generation, unique credentials, account segmentation, reduced personal disclosures, and controlled profile consistency.
Internal MISP references
UUID e36c8bb4-3c6e-5cd0-b8bd-61342557d286 can be used as a unique global reference for CLOAK - Anonymous identities and accounts in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| attribution | This MISP galaxy is based on Concealment Layers for Online Anonymity and Knowledge (CLOAK) by Mick Deben. The MISP Project converted and summarised the source material as a matrix-like MISP galaxy; some descriptions are expanded to provide operational context where the source JSON contains sparse descriptions. |
| external_id | CLOAK-TA05 |
| kill_chain | ['cloak:Anonymous identities and accounts'] |
| layer | Behavioral |
| matrix | CLOAK |
| related_misp_galaxies_note | Relationships are best-effort analytical mappings to existing MISP MITRE ATT&CK attack-pattern clusters where CLOAK concealment tactics overlap with ATT&CK adversary behaviors; they are not asserted as source-published CLOAK mappings. |
| source_notes | Descriptions are derived from CLOAK README and concealment-data.json structure and expanded for MISP usability where original entries lack detail. |
| technique_examples | ['personas', 'unique usernames', 'unique passphrases', 'identity segmentation', 'avoid personal details'] |
CLOAK - Anonymous operating environment
Use operating systems, devices, virtual machines, boot media, and hardened configurations designed to minimise leakage and support compartmented activity. Includes live systems, security-focused distributions, hardened mobile platforms, VM chains, and verified layered setups.
Internal MISP references
UUID 94f326f4-57e9-5502-a08e-ad21b4907c8b can be used as a unique global reference for CLOAK - Anonymous operating environment in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| attribution | This MISP galaxy is based on Concealment Layers for Online Anonymity and Knowledge (CLOAK) by Mick Deben. The MISP Project converted and summarised the source material as a matrix-like MISP galaxy; some descriptions are expanded to provide operational context where the source JSON contains sparse descriptions. |
| external_id | CLOAK-TA06 |
| kill_chain | ['cloak:Anonymous operating environment'] |
| layer | Technical |
| matrix | CLOAK |
| related_misp_galaxies_note | Relationships are best-effort analytical mappings to existing MISP MITRE ATT&CK attack-pattern clusters where CLOAK concealment tactics overlap with ATT&CK adversary behaviors; they are not asserted as source-published CLOAK mappings. |
| source_notes | Descriptions are derived from CLOAK README and concealment-data.json structure and expanded for MISP usability where original entries lack detail. |
| technique_examples | ['Qubes OS', 'Whonix', 'Tails-like live environments', 'hardened mobile devices', 'layered VPN/Tor setups'] |
CLOAK - Anti-forensics and trace removal
Reduce or remove local, remote, or metadata traces that could identify activities after the fact. Includes secure wiping, metadata removal, log reduction, encrypted containers, hidden volumes, and limiting host-OS artefacts.
Internal MISP references
UUID d79be067-ae89-57a4-9e29-c538b3e68f9d can be used as a unique global reference for CLOAK - Anti-forensics and trace removal in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| attribution | This MISP galaxy is based on Concealment Layers for Online Anonymity and Knowledge (CLOAK) by Mick Deben. The MISP Project converted and summarised the source material as a matrix-like MISP galaxy; some descriptions are expanded to provide operational context where the source JSON contains sparse descriptions. |
| external_id | CLOAK-TA07 |
| kill_chain | ['cloak:Anti-forensics and trace removal'] |
| layer | Technical |
| matrix | CLOAK |
| related_misp_galaxies_note | Relationships are best-effort analytical mappings to existing MISP MITRE ATT&CK attack-pattern clusters where CLOAK concealment tactics overlap with ATT&CK adversary behaviors; they are not asserted as source-published CLOAK mappings. |
| source_notes | Descriptions are derived from CLOAK README and concealment-data.json structure and expanded for MISP usability where original entries lack detail. |
| technique_examples | ['metadata removal', 'secure erase', 'hidden volumes', 'host artefact reduction', 'encrypted containers'] |
CLOAK - Avoid detection and monitoring
Avoid surveillance, fingerprinting, malware, scams, telemetry, traffic analysis, and other collection that can expose an operator. Includes anti-fingerprinting, ad/tracker blocking, MAC/hostname randomisation, avoiding CCTV and monitored networks, and security updates.
Internal MISP references
UUID 1d6a1bf1-edbc-59f5-b9e4-ad659015f7b3 can be used as a unique global reference for CLOAK - Avoid detection and monitoring in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| attribution | This MISP galaxy is based on Concealment Layers for Online Anonymity and Knowledge (CLOAK) by Mick Deben. The MISP Project converted and summarised the source material as a matrix-like MISP galaxy; some descriptions are expanded to provide operational context where the source JSON contains sparse descriptions. |
| external_id | CLOAK-TA08 |
| kill_chain | ['cloak:Avoid detection and monitoring'] |
| layer | Technical/Behavioral |
| matrix | CLOAK |
| related_misp_galaxies_note | Relationships are best-effort analytical mappings to existing MISP MITRE ATT&CK attack-pattern clusters where CLOAK concealment tactics overlap with ATT&CK adversary behaviors; they are not asserted as source-published CLOAK mappings. |
| source_notes | Descriptions are derived from CLOAK README and concealment-data.json structure and expanded for MISP usability where original entries lack detail. |
| technique_examples | ['anti-fingerprinting', 'MAC randomisation', 'hostname spoofing', 'avoid CCTV', 'software updates'] |
CLOAK - Compartmentalization and isolation
Keep identities, activities, credentials, browsers, devices, wallets, keys, and data separated so compromise or observation of one compartment does not expose another.
Internal MISP references
UUID 0bbcbb12-dd33-5164-93c2-3ec167d6487c can be used as a unique global reference for CLOAK - Compartmentalization and isolation in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| attribution | This MISP galaxy is based on Concealment Layers for Online Anonymity and Knowledge (CLOAK) by Mick Deben. The MISP Project converted and summarised the source material as a matrix-like MISP galaxy; some descriptions are expanded to provide operational context where the source JSON contains sparse descriptions. |
| external_id | CLOAK-TA09 |
| kill_chain | ['cloak:Compartmentalization and isolation'] |
| layer | Behavioral/Technical |
| matrix | CLOAK |
| related_misp_galaxies_note | Relationships are best-effort analytical mappings to existing MISP MITRE ATT&CK attack-pattern clusters where CLOAK concealment tactics overlap with ATT&CK adversary behaviors; they are not asserted as source-published CLOAK mappings. |
| source_notes | Descriptions are derived from CLOAK README and concealment-data.json structure and expanded for MISP usability where original entries lack detail. |
| technique_examples | ['compartmentalize identities', 'compartmentalize browsers', 'segment wallets', 'isolate VMs', 'stream isolation'] |
CLOAK - Data, credential, and secret protection
Protect secrets and sensitive data against compromise, seizure, coercion, or loss. Includes strong passphrases, MFA, password managers, encryption, backups, offline storage, secret splitting, and recovery planning.
Internal MISP references
UUID 70b94469-ff1a-50d1-a75a-66249f4e14b8 can be used as a unique global reference for CLOAK - Data, credential, and secret protection in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| attribution | This MISP galaxy is based on Concealment Layers for Online Anonymity and Knowledge (CLOAK) by Mick Deben. The MISP Project converted and summarised the source material as a matrix-like MISP galaxy; some descriptions are expanded to provide operational context where the source JSON contains sparse descriptions. |
| external_id | CLOAK-TA10 |
| kill_chain | ['cloak:Data, credential, and secret protection'] |
| layer | Technical/Physical |
| matrix | CLOAK |
| related_misp_galaxies_note | Relationships are best-effort analytical mappings to existing MISP MITRE ATT&CK attack-pattern clusters where CLOAK concealment tactics overlap with ATT&CK adversary behaviors; they are not asserted as source-published CLOAK mappings. |
| source_notes | Descriptions are derived from CLOAK README and concealment-data.json structure and expanded for MISP usability where original entries lack detail. |
| technique_examples | ['password managers', 'MFA', 'file encryption', 'offline backup', 'secret splitting'] |
CLOAK - Deception, misinformation, and plausible deniability
Mislead observers or create alternative explanations to preserve anonymity or protect sensitive material. Includes decoy files, decoy partitions, fake doxing details, active disinformation, and plausible-deniability storage designs.
Internal MISP references
UUID c9245d33-d3fe-570a-9f10-052c350f27d3 can be used as a unique global reference for CLOAK - Deception, misinformation, and plausible deniability in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| attribution | This MISP galaxy is based on Concealment Layers for Online Anonymity and Knowledge (CLOAK) by Mick Deben. The MISP Project converted and summarised the source material as a matrix-like MISP galaxy; some descriptions are expanded to provide operational context where the source JSON contains sparse descriptions. |
| external_id | CLOAK-TA11 |
| kill_chain | ['cloak:Deception, misinformation, and plausible deniability'] |
| layer | Behavioral/Technical |
| matrix | CLOAK |
| related_misp_galaxies_note | Relationships are best-effort analytical mappings to existing MISP MITRE ATT&CK attack-pattern clusters where CLOAK concealment tactics overlap with ATT&CK adversary behaviors; they are not asserted as source-published CLOAK mappings. |
| source_notes | Descriptions are derived from CLOAK README and concealment-data.json structure and expanded for MISP usability where original entries lack detail. |
| technique_examples | ['decoy files', 'decoy partitions', 'fake biographical details', 'plausible deniability', 'file corruption'] |
CLOAK - Operational discipline and situational awareness
Sustain anonymity through repeatable behavior, risk management, threat modeling, legal-rights awareness, avoiding routines, avoiding stylometry, and careful interaction with people, services, and environments.
Internal MISP references
UUID f9467d4e-8a74-58a2-9854-5561426a3526 can be used as a unique global reference for CLOAK - Operational discipline and situational awareness in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| attribution | This MISP galaxy is based on Concealment Layers for Online Anonymity and Knowledge (CLOAK) by Mick Deben. The MISP Project converted and summarised the source material as a matrix-like MISP galaxy; some descriptions are expanded to provide operational context where the source JSON contains sparse descriptions. |
| external_id | CLOAK-TA12 |
| kill_chain | ['cloak:Operational discipline and situational awareness'] |
| layer | Behavioral |
| matrix | CLOAK |
| related_misp_galaxies_note | Relationships are best-effort analytical mappings to existing MISP MITRE ATT&CK attack-pattern clusters where CLOAK concealment tactics overlap with ATT&CK adversary behaviors; they are not asserted as source-published CLOAK mappings. |
| source_notes | Descriptions are derived from CLOAK README and concealment-data.json structure and expanded for MISP usability where original entries lack detail. |
| technique_examples | ['threat modeling', 'risk management', 'avoid routines', 'avoid stylometry', 'remain silent'] |
CLOAK - Physical concealment and resilience
Use physical measures that support continuity, detection avoidance, and resistance to seizure or surveillance. Includes Faraday shielding, disguises, tamper detection, physical destruction, offline/offsite backups, and component removal or covering.
Internal MISP references
UUID e70f8ae9-05cd-5ac9-9509-9f72418f0025 can be used as a unique global reference for CLOAK - Physical concealment and resilience in MISP communities and other software using the MISP galaxy.
Associated metadata
| Metadata key | Value |
|---|---|
| attribution | This MISP galaxy is based on Concealment Layers for Online Anonymity and Knowledge (CLOAK) by Mick Deben. The MISP Project converted and summarised the source material as a matrix-like MISP galaxy; some descriptions are expanded to provide operational context where the source JSON contains sparse descriptions. |
| external_id | CLOAK-TA13 |
| kill_chain | ['cloak:Physical concealment and resilience'] |
| layer | Physical |
| matrix | CLOAK |
| source_notes | Descriptions are derived from CLOAK README and concealment-data.json structure and expanded for MISP usability where original entries lack detail. |
| technique_examples | ['Faraday bags', 'disguise', 'tamper evidence', 'physical destruction', 'offsite backup'] |