Thursday, December 1, 2016

How ‘Active Defense’ Would Work

The Problems

In many cases American (and other Western) companies know they have had an intrusion and even who the beneficiary is - but cannot prove it because to do so would require information only available on a remote server in another country, one typically unresponsive to subpoenas from the American court system.

Likewise, large scale botnets and worms such as Mirai can be difficult to combat as no public agency has the authority (and desire) to conduct the necessary international trespasses for the public good. And while penetrating carder forums and child abuse imagery trading websites on the Dark Web can be done by the largest law enforcement agencies, it's time to prepare for a specialist arm that can support all of law enforcement.

In addition, there is a talent problem. Even if there was a clear authority for many of these issues, the US Government does not have an additional natural critical mass of experienced hackers and management teams necessary to safely mount these sorts of operations.

No intelligence community arm is aimed at defeating economic cyber espionage on behalf of American industry. Nor should this become a priority of the foreign intelligence community’s mission. While the protection of the American industrial base is a strategic goal, there are limited resources within the IC and penetrating Chinese corporations which are not involved in military applications is a problematic thing to do for the NSA and CIA.

Desired End State

The first order desired goal is the end of widespread economic cyber espionage, which at scale, is a national security issue, but individually is a law enforcement issue. No Chinese/Russian company would receive stolen American R&D intellectual property or sales plans if it knew that accepting that information could lead to heavy personal and corporate legal sanctions.

Essentially, we want to have a chilling effect on cyber economic espionage while providing the beginnings of the ability to deal with wide ranging international systemic threats such as the Mirai worm, leveraging the deep bench of penetration testing talent and resources available in the private sector to do this without impacting our intelligence community missions.

Active Defense Done Safely and Legally

active_defense (1).png

Issues and Concerns

Escalation into a cyber war or a trade war is most commonly cited concern with this kind of structure for normalized hack-back. But there's no reason to assume that "cyber war" will escalate when countries have the option to simply being responsive to law enforcement requests. The key to avoiding escalation in this case is splitting the effort from traditional IC (which can be involved in battleground preparation operations), and massive transparency as to the scoping and goal of this agency's work.

Another question is why is there a private sector penetration testing company involved at all? Why not do this entirely in-house in a law enforcement agency? The answer is twofold:
  1. Law enforcement agencies have a culture that does not mesh well with cyber teams, to be blunt, which makes it hard for them to maintain the management talent required to run operations as well as you need them to. For example, while initial attacks against child abuse imagery sites and users can be performed somewhat easily, it's reasonable to expect that community to invest in protection and detection mechanisms (as evidenced by them catching the latest Tor Browser 0day when it was used).
  2. There’s a moral hazard issue here - you want American companies to pay for the technical work involved because otherwise every issue becomes the Government’s problem, and there is no incentive to orient their business to security. This is what happened with Credit Cards. Instead of building secured payment infrastructure, Banks relied on the Secret Service to go chase down every 19 year old who got involved in carding.

Of course, if this model works well, the vast majority of these efforts would end with no hacking at all, simply subpoena and information requests between two law enforcement agencies.

How would this model work for other countries?

Other (smaller) countries may not see this model as necessary in terms of the private-public partnership. They may want to make it entirely a law enforcement agency function, because they would manage the moral hazard issue more directly that way and they don’t face talent or culture problems and have a history of joining LE and SIGINT functions.

But the truth is of course that many smaller countries will simply want to have the American cyber security umbrella also apply to their companies, and will work on bilateral agreements to make this possible.

Are you just suggesting this model because you want to do the work?

It’s extremely unlikely Immunity, a small business located in Miami and Argentina with a huge foreign national component would be eligible for this kind of business, although those involved might buy INNUENDO and CANVAS and SILICA (as practically everyone in the industry already does). I assure you this will not drastically affect our profitability.

The penetration testing companies in this model have a very particular risk structure which we can fully explore in another paper - i.e. they need to at some level be closer to classified defense contractors than normal penetration testing companies, even though they are doing unclassified work.

How do other countries trust this process is not itself committing espionage?

This is where measures typical in International Relations such as having, say, Chinese/Russian observers become part of the process. Likewise, this is a great argument for having the tools and techniques and infrastructure for this effort be completely distinct from intelligence community toolchains, and at some level attributable at a group level using specific technical means.

What crimes other than straight economic espionage would this model apply to?

We have a problem in that many crimes in cyberspace are viewed very differently by different countries. For example, posts that defame the Royalty of a country on Twitter are viewed as capital crimes by some countries. What do we do when they send us a subpoena to unmask an anonymous poster of such content, which we would consider protected speech? Are they within their rights under this framework to go active against Twitter?

Those are still painful and unanswered questions.

Isn’t this super risky? What if you break something?

We already handle these issues in SIGINT collection quite well - or at least, well enough to not fear arbitrary escalation when we make mistakes. It's possible that having the best technical talent the industry has to offer is a net benefit in this way, as it will reduce unfortunate side effects.

Some Resources On This Subject

Scenario Walk-through

In many cases, a narrative explains these concepts better than anything else. So below is a hypothetical walk-through of how this could function.


US SteelCo is in the practice of building a new method for creating high tensile steel girders exposed to tropical environments. The goal is to market them into the Caribbean for anti-hurricane buildings which are now more in demand due to Global Warming. The methodology of creating these girders involves dousing them in a cooled molybdenum bath at a precise time during the tempering of the steel. They go through months of testing to determine the exact right formula and finally make a breakthrough.

Unbeknownst to them, a Chinese hacker has been waiting for just such a breakthrough and is resident on their main mail server using a variant of a trojan he also sold to the PRC Army team.  He pulls the PDF and some notes on the methodology from a triumphant email sent to the management team and then has them translated into Chinese using a Beijing translation service he is friends with. He then sells that information to a Chinese Fusion Center where it is noticed by a local mega-company ChinaSteel which then decides to invest in a brief market exploration of the girders produced by this technique. They have some success locally in the southern Chinese market and then expand into the Pacific and Caribbean tropics.

A few months later a SteelCo sales team has one of its Bahamian customers hand it a sales pamphlet from ChinaSteel that has the exact same parameters for steel girders. It cannot be coincidence. At first, they assume one of their own technology team has left with the valuable formula, but after an internal investigation, done entirely in person in a hotel room offsite, they place a quick phone call to their FBI contact from the local Infraguard meeting, and she sets them up with a meeting at the local Active Defense fusion center, where they present their case.

The board of directors of SteelCo meets as well, and decides to put a budget towards tracking this issue down. Once the DHS officials working at Active Defense look at the evidence, they connect them with a licensed Investigator firm who constructs a simple Word document that pings back to covert infrastructure created for the test. The engineering team at SteelCo fakes a new announcement of an advance in the formula configuration, and then emails it to the SteelCo executive team, where it is caught by the Chinese hacker’s implant.

A simple HTTP connection ping is made from the Beijing-based translator as they work on the new file, urgently passing it onto their customer at ChinaSteel. With this evidence in hand, the Investigator firm packages a request for additional scope to the Active Defense DHS point of contact. The DHS team looks through their history with the Chinese authorities and notes that they have been previously unresponsive to efforts to get information from this exact translation firm.

Once approved, they began a more thorough exploration of the servers the translation team runs, using a simple phishing document and a custom 0day to penetrate the pirated Windows XP laptop the company uses. Once inside, they find evidence of years of ongoing economic espionage, for both ChinaSteel, and many other “customers”.

This evidence then goes, not to US SteelCo, but to the DHS Active Defense team and then onwards to the US Agencies responsible for enforcing legal sanctions. When ChinaSteel’s management team meets later that year to discuss the yearly strategy, they implement a global policy to not use information from the Fusion center to shortcut their R&D, as it has damaged both their brand, and their bottom line.

Wednesday, November 30, 2016

The event horizon of software liability and cyber insurance

Software liability and cyber insurance seem inevitable but you can never reach them - they are singularities.

There's a gravity in the policy world to try to "solve systemic information security risk" via one of two horrible ideas:

  • Cyber Insurance
  • Software Liabilities

These twin black holes spin around each other, generating gravity waves that can be felt from every other part of the information security universe.

The latest musing into this quixotic adventure is Rob Knake's idea to have the Federal Govt backstop universal cyber insurance - eventually leading to massive SEC-level controls over every company in America:
There are not good ideas. Also, email-spoofing is not what anyone does when it comes to phishing in 2016 - which is a weird technical detail to have in this paper at all.
As much as AIG would love to be the middleman in a massive new insurance market for which we have no actuarial data, but where the risk is pushed onto the US Taxpayer , the reality is there are some risks you cannot insure. Insurance was created during the Great Fire of London, but fire does not choose to burn down only the houses of the insured to cause maximum damage to the taxpayer the way a cyber adversary would. This system would be built to create an additional vulnerability on the state that another state could take advantage of.

From a technical perspective, the idea is also bankrupt. As Rob himself points out, we don't know what WORKS when it comes to securing things, and even if we knew what worked in the past, we would not know that it would continue to work in the future.
The smart thing to do is not try to build a new, trusted email, but just not to trust email. I don't know why Knake is so hot on email spoofing. Also, I want to point out that when an APT does their job right, you never know you took damage. What exactly are we insuring?

And yet, you have seen a burgeoning market for security products which offer guarantees, often backstopped by insurance companies who treat it like a marketing wager, such as this one by Cymmetria. In this end, this may be as "good as we get" when it comes to how insurance is going to work in this space.

The following is the most hilariously scary part of the recommendations:
Yes, nobody will have a problem with THAT clause.
The job of protecting against a systemic massive 9/11-style attack from a nation state in the cyber domain is rightfully the federal government's. But you can't replace a robust and realistic policy program with a Flood Insurance for Cyber. When Keith Alexander went around asking banks to give him access to their incoming traffic with a black box, they all said no, and for good reasons. Rob argues that not only should we go further than a black box doing network inspection, but this should apply to every company. It's a massive power grab and, luckily for all of us, a non-starter.

Remember, when Rob says this will encourage the adoption of best practices, what he means is "We are going to mandate how you run your networks, even though we cannot secure our own."

Monday, November 28, 2016

Unboxing "0day" for Policy People

Sometimes the bugs come out of the box.

Today's painful realization is that the very term "0day" has put this weird box around the policy brain, and minimized the dangers of regulation on all research in the security space, especially, for some reason, the European policy brain (including our British friends!). So I want to demonstrate some Zen Koans to help unbox you, so when Microsoft says they're looking "widely" with their "bounty" program you know what they mean.

Some things which are 0day, but outside the box:

  • Techniques for undetectable persistence on Windows 10
  • Ways to manipulate a heap on iOS that guarantee a certain heap layout
  • A function pointer that is always at a static location in Google Chrome and is called periodically
  • A way to send a lot of data using DNS through Microsoft Exchange servers
  • A shellcode that does something useful on Cisco's OS
  • Ways to clean up a process so that it continues nicely after exploitation.

If you think "Oh, they have promised not to regulate knowledge in general, just dangerous exploits!" then think again. There are many clauses in the Wassenaar agreements and every other proposed regulation (looking in Ari Schwartz's direction here) that seek to control exactly these things. Hopefully this post helps clarify why every security researcher had a big freakout with the Wassenaar proposals.

Wednesday, November 23, 2016

CIS VEP Panel Commentary

You can be super smart and not understand CNO operational issues because of a lack of experience in the area. And you can be smart and have ethical issues with the very idea of doing CNO. Above is a link to the CIS panel released last week on "Government Hacking" that discusses the VEP where both are on display.

It's hard to address the "ethical" issues around SIGINT collection that make people unhappy. I find it disturbing (as should you) that Ari Schwartz and Rob Knake and the Obama White House decided to do what they did with the VEP, sacrificing years of effort to maintain operational advantage by our IC, because of vague ethical issues with something they don't even understand fully. In the video, you can see Ari's face panic when the question comes in about what a vulnerability "Class" is, something we've written about on this blog. Sinan Eren answers it, much to Ari's relief, because Ari has no idea what a vulnerability class is except in the most general sense. He couldn't name them if his life depended on it. AND LIVES DO DEPEND ON IT.

It's also funny in the video to see Ari's look of surprise when he hears Sinan say "Vulnerabilities don't matter from a defensive perspective - focusing on mitigating factors is what makes the difference from a software security perspective". You can see an epiphany almost start to form in his head, then fade away as he returns to his blind ideology.

Inexperience with operational matters is something we can point out clearly though. You can always tell someone is inexperienced when they say things like "How long should we hold a vulnerability for?" or "You don't even need 0days to attack things!" That second one is true, except against hard targets, or when you cannot afford to get caught. Does that sound like the exact position the IC is in? Yes, yes it does.

This is the probabilistic game every good operator has in their heads. This is why it's not simple. Like a scuba operator measuring their outgassing a good CNO OPSEC person is also measuring their exposure to other operations across their entire toolchain at all times.
The reason hackers love 0day is not always the high success levels. It's the protection against detection by intermediaries or the target themselves. Likewise, it takes a very long time - sometimes years - to properly test an exploit in the wild. When people say "How long have you had this bug?" the answer from a properly trained operator is always "Not long enough to be comfortable with it".

The saddest part of the VEP video was when Ari says "Just because we've given it to a vendor doesn't mean it's blown!" Everyone in the IC was headslapping as he said that. It demonstrates a complete lack of understanding of how operations are protected that should not be the case in someone making policy that affects the IC.

But it comes out, during the video, that Ari believes we should control the whole vulnerability "market". That was his real goal with the VEP. And that means everyone. It means Ari thinks the entire research community should follow some disclosure law he and his friends think up and ram through Congress, without any understanding of the impact of his "Ethics" on the rest of us. It's the same as the Wassenaar Agreement. And yet the EFF is still trying to support him on this one. And that too, is baffling.

Sunday, November 20, 2016

you have to love it

No matter how many years it's been since I left - two decades now - people still look only at this one thing on my resume.

I want to spend a couple minutes pointing out the massive cultural differences between hackers and everyone else in this industry. Because as I crawl around in the policy world I sense these wide gulfs. The first one I sense is about books. Because hackers, despite coming from many backgrounds, share a common philosophy learned entirely from D&D, Neuromancer, Asimov, Heinlein, Snow Crash, Cryptonomicon, The Long Run, Dune, and all the other hard core science fiction they nestled in as they began the ascent up the mountain towards internalizing a difficult discipline.

Because of this, they are universally paranoid, atheistic, libertarian. And when the policy world tries to define norms without understanding the built-in philosophy of the domain, they run into fierce resistance from the denizens of this space, a lot of it only understandable if they have read the curriculum. I was astonished when Sue and other people I know in the legal/policy sphere hadn't read Snow Crash - I assumed EVERYONE had read it, because in my world, everyone has.

There are apparently moves to fire Rogers as DIRNSA. "Huge if true", as they say. I can't even remember any hints of this kind of action ever happening before.

NSA is far too important to this country to ruin, a shining jewel of technological prowess. We should be proud of it. It has gone through some hard times, most of which were not the fault of the organization. VEP is an example of our White House being ashamed of the NSA's competence. How can you expect to keep people if you are ashamed of them?

That then, is all we should ask as the American people of our next DIRNSA. You don't have to be a geek, or have read any science fiction. But it doesn't hurt. You have to join the culture you are becoming a part of. You cannot lead the NSA without falling in love with it.

And if you are in the cyber policy space as a lawyer, make the effort to read the cannon of cyber war, and we hackers will read your books about more recent history.

Many of these are free. :)

<live list follows>

  1. The Long Run PDF 
  2. Snow Crash AMZN
  3. Cryptonomicon AMZN
  4. Dune AMZN

Saturday, November 19, 2016

The State of Cyber Norms

It's worth pointing out that despite the insanely optimistic musings (1,2,3) from everyone in the State Dept about the progress of the international relations world on cyber norms, the reality is a disaster.

The shining light, which State and the Obama administration completely get credit for is the dissolution of the Chinese State economic espionage strategy. But that ignores the overall picture:

  • The UN GGE process misses clear players (Russia/China) and has at the root the issue of nobody agreeing on any of the definitions of the words they use
  • NATO's Tallinn process has many key problems (i.e. it is largely disconnected from the realities of the domain's technical characteristics) 
  • The US's transparency about our SIGINT process has been met with nothing from its European partners, who continue to batter us with hypocritical cries about privacy post-Snowden
To put it in the clearest possible terms: Nobody at State had the foresight to delimit "Not messing with our election" to the  Russians, which meant we had to get into a last minute massive escalation game with them instead. In addition to the lack of progress on any realistic front from our more traditional international efforts, this is the kind of total failure that needs to be publicly recognized.

Here is an example paper exploring what collateral damage might mean. Imagine trying to apply international law or norms to a domain where you don't even know what collateral damage is yet! 

Tuesday, November 8, 2016

New Agencies We Need in the Next Administration

National Cyber Forensics Agency

We need an agency in charge of decryption of phones and analysis of data. It's not just about managing the decryption tools themselves, which are going to remain secret and not handed out to local PDs and FBI offices, but gaining the know-how of how you do forensics and data minimization in a robust way to protect US civil liberties.

This is going to cost a lot more money than I think people are expecting, but we have to do it, and the longer we wait, the more expensive it will be to bootstrap.

National Active Defense Agency

Marketing buzz has ruined the term "Active Defense". But "hack-back" is unpalatably honest. However, if you keep a careful eye on the policy groups, they are quickly finding ways to lay the groundwork for an agency that uses private dollars to hack back against Chinese/Russian C2, and legalize active measures against botnets and worms such as MIRAI.

This is not as hard legally and politically as people sometimes make it sound. You just run it like a penetration testing company, with scope and authority from DHS and money and talent from the private sector. And you make the State Dept sell it overseas, because that's their job and we work with the cyber norms we have, not the ones we want, sometimes.

National CISO

CISO is one of those jobs that destroys people. Thankless, and with the cloud of doom sticking to your pant legs like a toddler's poo everywhere you go. But we need, not centralization, but clarity of vision and of quality and, frankly, someone to give our executives in Government the straight dope of what they can and can't do with regards to their own IT infrastructure. We need a salesperson who can sell a unified government security fabric to all of the many business units that make up the Federal Government. So far we've concentrated on finding bureaucrats with authorities.

Every big bank has the identical federated business plan as the USG when it comes to how this sort of information security and IT infrastructure needs to be run. We need to copy their DNA and figure out how to do this, if not right, at least a lot less wrong.