Let's Try: Threat
Our third requirement to become a threat is to accomplish some sort of strategic goal. We're not trying to loot a LAN here like some hungry North Korean hackers burning firewood to heat their bunker as they connect into a South Korean McDonalds wifi hotspot, we are trying to create strategic effects in cyberspace, like we read about in JP 3-12. (We read JP 3-12 right?)
So what kind of strategic effect? I think an interesting one here is the idea of "holding at risk". I go into this in some detail in my poorly formatted rant on cyber policy (https://github.com/deveyNull/TenetsOfCyber) but generally, if you are trying to coerce behavior, you need to be able to convince the adversary that you have the ability to hold them at risk. Otherwise, If you are just trying to have an arbitrary effect at any scheduled point in time, you need to have the access to do so. That will require 0day or an existing implant. 0days cost a lot, and the longer the implant sits, the better chance of discovery, the sinkholing of the c2 domains, and the reverse engineering and inevitable blog post.
Q: So how do we get around this???
A: By creating an implant that does not have any hardcoded C2 domain, but instead, waits for an activation signal that tells it which domain to connect back to for a payload. This means we never have to worry about the head getting cut off the snake of our long term implants. To do this, I choose portknocking as an initial activation method, though there are others available. This is underdocumented and should work pretty well.