Tuesday, June 20, 2017

Punctuated Equilibrium of Offense

For all the talk of realtime when it comes to cyber defense, cyber offense is a turn-based strategy game. This is because most investment in cyber offense takes years to develop, and you only get to know if that investment was worth it at the end.

While obviously the United States and other players are doing continual development, it's mostly on established platforms. But truly new platforms are a five-year maturity cycle away. Not only that, but the maturity level of certain platforms hits punctuated equilibria.

I want to relate a story Rag Tagg tells (yes, click the link and listen for a sec) about Quake. Many of you might remember Quake, but for those of you who don't, this was the first time some gamers rose to the top and really could demonstrate to the whole world their dominance in player-vs-player deathmatch-style gaming.

Thresh was the first one anyone heard about in the real world. Not only did he have an etymologically cool name, but he dominated the early deathmatch scene by shooting people with rockets out of the air and developing map strategies that at the time seemed advanced but now are as primitive and useful as a Tuatara's third eye.

But what Rag Tagg points out is that long after everyone else left the Quake DM scene, some core group of fanatics developed an entirely new strategy around the lightning gun. The game hadn't changed at all, but people realized with enough skill at a weapon previously just thought to be useless special-purpose trash, they could change the strategic dynamic completely.

"The principles never changed, but the players that stayed, they ... learned things."

Let me talk briefly about RATs now. If you look at most of them, Meterpreter, for example, you'll see that you have an operator, and then they type a command, which then gets sent over some synchronous link and then the response is sent back. This kind of "ping-pong" operator model is simple to understand and keep in your head. It is like a terminal.

But INNUENDO and all modern tools are built on an asynchronous model, which makes their operation model and corresponding strategy as different from Meterpreter as a lightning gun from a rocket launcher. If you are building all your defenses against Meterpreter-style synchronous tools, then nothing you do will work against the newer generation of platforms.
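To make the synchronous-versus-asynchronous distinction concrete from the defender's side, here is an added toy model (not code from the post, and not a description of how INNUENDO or Meterpreter actually work). It generates two constructed session timelines, a "ping-pong" session where every command is answered within the link's round-trip time, and a tasking session where an agent polls on a fixed schedule and returns results on a later poll, and then runs a detector that only looks for the tight command/response pairing of the synchronous model. The 0.2 s round trip, the 300 s check-in interval and the task names are all assumptions of the model.

```python
"""Toy model: synchronous "ping-pong" RAT session vs. asynchronous tasking session,
plus a detector tuned to the synchronous pattern. All timelines are constructed."""

from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Event:
    t: float     # seconds since session start (constructed)
    kind: str    # "cmd" (command/task delivered), "resp" (result returned), "checkin" (empty poll)


def synchronous_session(commands, rtt=0.2, think_time=1.5):
    """Operator types a command, the response comes back within one RTT, then the
    operator thinks and types the next one. Assumed timings, not measured ones."""
    events, t = [], 0.0
    for _ in commands:
        events.append(Event(t, "cmd"))
        events.append(Event(t + rtt, "resp"))
        t += rtt + think_time
    return events


def asynchronous_session(commands, checkin_interval=300.0, total_checkins=6):
    """Operator queues tasks; the agent polls on its own schedule, pulls every queued
    task at once, and hands back results on the *next* poll. Command and response are
    decoupled in time. Fixed interval and poll count are assumptions of the model."""
    events, queue, in_flight = [], list(commands), []
    for i in range(1, total_checkins + 1):
        t = i * checkin_interval
        events.append(Event(t, "checkin"))
        if in_flight:                       # results for tasks picked up last poll
            events.append(Event(t, "resp"))
            in_flight = []
        if queue:                           # pull the whole queue in one go
            events.append(Event(t, "cmd"))
            in_flight, queue = queue, []
    return events


def interactive_pairs(events, max_gap=2.0):
    """Count commands whose first following response arrives within max_gap seconds.
    This is the signature of a terminal-like synchronous session."""
    responses = sorted(e.t for e in events if e.kind == "resp")
    pairs = 0
    for cmd in (e for e in events if e.kind == "cmd"):
        later = [t for t in responses if t >= cmd.t]
        if later and later[0] - cmd.t <= max_gap:
            pairs += 1
    return pairs


def classify(events, max_gap=2.0, min_pairs=3):
    """A detector built only around the synchronous model."""
    if interactive_pairs(events, max_gap) >= min_pairs:
        return "interactive-synchronous"
    return "no-match"


def checkin_periodicity(events):
    """Population std-dev of the gaps between empty polls; 0.0 means perfectly regular.
    Returns None when the session has no polls at all (the synchronous case)."""
    polls = sorted(e.t for e in events if e.kind == "checkin")
    if len(polls) < 2:
        return None
    gaps = [b - a for a, b in zip(polls, polls[1:])]
    return pstdev(gaps)


if __name__ == "__main__":
    tasks = ["task-1", "task-2", "task-3", "task-4", "task-5"]   # constructed labels
    sync, asyn = synchronous_session(tasks), asynchronous_session(tasks)
    print("sync :", classify(sync), "| pairs:", interactive_pairs(sync))
    print("async:", classify(asyn), "| pairs:", interactive_pairs(asyn),
          "| poll regularity:", checkin_periodicity(asyn))
```

The synchronous session is flagged because every command is answered at once; the asynchronous session produces zero such pairs and slips past the same detector. The `checkin_periodicity` helper is the complementary signal a defender would want for the second model: in this toy the polls are perfectly regular, and a real detection would key on that regularity (or on its deliberate jitter) rather than on command/response latency.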

I say "modern" but INNUENDO was ramped up Feb 13, 2013 - just to give a picture of the level of foresight you need when building offensive programs and what a realistic timeline is. One of the reasons smaller countries are going to want to be a part of a larger cyber security umbrella is that they cannot afford for their investments to be in the wrong area or on the wrong platforms.

Wednesday, June 14, 2017

Botnets and the NTIA (Commerce Department)

This picture is meant to inspire you while you read the post, but in an unknown way.
Read the Commerce Dept Request for Comments here!

There are two real possibilities for combating botnets on the Internet. One is to play core-wars, which requires legal setups that allow us to launch beneficial worms which patch vulnerabilities. I can see most policy-types shaking their heads at how difficult this would be to do, but it is a technically workable option.

The other method is to build a resilient internet - by which we do not mean an internet free of vulnerabilities, but one free of centralized choke points that can be targeted by massive traffic attacks.

DNS is the primary pain-point, but also one the government likes having around because it allows for centralized governmental control. Imagine if everyone was on a decentralized domain system, and the FBI could not "seize" domains. This is the price you pay for resilience. To be fair, I don't think we really want it. :)

Tuesday, June 13, 2017

Continuity Bias in Cyber Security

I went to this talk today at EmergeAmericas, a business conference a few blocks from my house put together by the movers and shakers of Miami. It had an eclectic crowd of people. But one of the speakers, Ambassador Henry Crumpton, was a bit of a surprise because I'd never seen him speak before.

Look at this talk and tell me what it's about:
What is this about? ANYTHING?

Anyways, I had low expectations based on the abstract. But the talk itself was great in the way all great talks are. It was a stampede through his life, which was fascinating and involved negotiations with Afghan warlords and other tide turners. And one thing he highlighted was the continual massive amount of continuity bias he saw everywhere he went, even when obviously things were changing about as fast as they possibly could.

This is nowhere more true than in every defense talk where they go on and on about how the attacker only has to find one hole, but the defender has to patch them all.
Yes, looks like they are doing REAL well at maintaining invisibility, eh?

Look, here's the thing. I read every incident response report that MS and FireEye and Crowdstrike and Endgame and everyone else puts out. PLATINUM looks like a no-holds-barred good team. It's not a team that got caught from a leak. They got caught by a commercial, reasonably priced, incident response technology. What if network defense technology is starting to work?

What I'm saying is that it would be a massive mistake for US Strategic Policy to assume that Microsoft or QiHoo360 can't build a security fabric that stops exploitation even on buggy systems with nation-state 0day and techniques. We need to be careful when we design things like the VEP that we don't castrate our strategic intelligence needs.
Dams and Planes and Trains
When you start out hacking, you always hack things that move and go boom because that's the toddler in you coming out, and nothing is more hacker-like than the pure uncontrolled Id.

But if you want to cause real human suffering in an advanced state, manipulating data in a criminal court system is probably the way to go? Once you've planted emails that show prejudice, all you have to do is allow normal discovery to take place - no data exfiltration scheme needed!

I mean, a wise person does not have a house anywhere in a major national dam's floodplain in this day and age. You pretty much have to assume they're all hacked, and probably with malware written by a few different countries' lowest possible bidders.

But that said: Criminal systems. They combine a need for perfect trust with high impact on society, and weak protections.

Thursday, June 8, 2017

How to pick targets

Do people read these? I'm guessing...not.

There's a whole class of individuals out there with no real job description because "Cyber Warrior" sounds pretentious as hell. But that's as close as we get, and the most important thing they do is pick targets.

What cyber war attacks best is ideologies. But "ideology" is a fuzzy term. So what I like to use to predict fruitful (haha) areas of research is essentially a combination of "hypocrisy" and "industry based on illusion". In other words, how do you get the biggest bang for your buck by manipulating or releasing information? First, your opponent must be off-balance in some way, like how the DNC was, to anyone with the right eyes.

The massive food distribution network is well within the risk area of this kind of analysis. No doubt, when federal policy teams get around to it, they will try to classify it all as "critical infrastructure", which is what they do when scared.

We don't have a TON of real research in the open space on how to find areas where you have a lot of leverage for cyber war effects. People sort of run from one exciting moment to another. Yesterday, car hacking is hot! Today, political hacking and info-war!

But just to start by adding some propane to the fire:

Food distribution combines these fun things (collect them all!):

  • Massive, distributed, country sized wireless networks
  • Full of special purpose old hardware and software with complex supply chains and basically no forensic capability
  • Where any level of UNCERTAINTY, let alone visual physical effect, can cause mass disruptions. You don't have to poison every grape - just ONE GRAPE - in order to make all the grapes worthless
  • No long history of massive security investment (unlike, say, the financial sector)

When you look at strategy in combat or gaming there's a lot of talk of the "meta". In other words, under a given ruleset, what are the best-fit resource allocations for success? But what you see with champions is they almost always go OFF META. Because the true meta is always surprise. With cyber it is no different. Russia's plans worked because they were a surprise. And our response, as well, must be.