Tuesday, June 20, 2017

Punctuated Equilibrium of Offense

For all the talk of realtime when it comes to cyber defense, cyber offense is a turn-based strategy game. This is because most investments in cyber offense take years to develop, and you only get to know if that investment was worth it at the end.

While obviously the United States and other players are doing continual development, it's mostly on established platforms. But truly new platforms are a five-year maturity cycle away. Not only that, but the maturity of a platform advances in punctuated equilibria.

I want to relate a story Rag Tagg tells (yes, click the link and listen for a sec) about Quake. Many of you might remember Quake, but for those of you who don't, this was the first time some gamers rose to the top and really could demonstrate to the whole world their dominance in player-vs-player deathmatch-style gaming.

Thresh was the first one anyone heard about in the real world. Not only did he have an etymologically cool name, but he dominated the early deathmatch scene by shooting people with rockets out of the air and developing map strategies that at the time seemed advanced but now are as primitive and useful as a Tuatara's third eye.

But what Rag Tagg points out is that long after everyone else left the Quake DM scene, some core group of fanatics developed an entirely new strategy around the lightning gun. The game hadn't changed at all, but people realized that with enough skill at a weapon previously thought to be useless, special-purpose trash, they could change the strategic dynamic completely.

"The principles never changed, but the players that stayed, they ... learned things."

Let me talk briefly about RATs now. If you look at most of them, Meterpreter, for example, you'll see that you have an operator, and then they type a command, which then gets sent over some synchronous link and then the response is sent back. This kind of "ping-pong" operator model is simple to understand and keep in your head. It is like a terminal.

But INNUENDO and all modern tools are built on an asynchronous model, which makes their operation model and corresponding strategy as different from Meterpreter as a lightning gun from a rocket launcher. If you are building all your defenses against Meterpreter-style synchronous tools, then nothing you do will work against the newer generation of platforms.

I say "modern" but INNUENDO was ramped up Feb 13, 2013 - just to give a picture of the level of foresight you need when building offensive programs and what a realistic timeline is. One of the reasons smaller countries are going to want to be a part of a larger cyber security umbrella is that they cannot afford for their investments to be in the wrong area or on the wrong platforms.
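The synchronous "ping-pong" model and the asynchronous model leave different footprints on the wire, which is the defender's side of the point above. The following is an added example, not code from the original post or from any tool it names: a heuristic that classifies a connection series as interactive (each command waits for its reply, so gaps are irregular) or as a scheduled check-in (the implant polls on its own clock whether or not an operator is typing). The log lines, addresses and the 0.25 threshold are all constructed for illustration.

```python
"""Added example (not from the original post): separate an interactive,
request/response session from a scheduled check-in pattern using only the
timing of connections. All sample data below is constructed.
"""
from statistics import mean, pstdev
from typing import List

# Constructed connection-log lines: "<epoch seconds> <src> <dst> <bytes>".
# Session A: an operator typing commands; every reply arrives before the
# next command goes out, so the gaps track a human and are irregular.
SYNC_LOG = """\
1000.0 10.0.0.5 203.0.113.9 412
1001.3 10.0.0.5 203.0.113.9 88
1001.9 10.0.0.5 203.0.113.9 5120
1007.4 10.0.0.5 203.0.113.9 240
1007.8 10.0.0.5 203.0.113.9 96
1020.2 10.0.0.5 203.0.113.9 1800
"""

# Session B: an asynchronous implant polling a tasking queue roughly every
# minute, independent of operator activity (constructed timestamps).
ASYNC_LOG = """\
1000.0 10.0.0.7 198.51.100.4 120
1058.0 10.0.0.7 198.51.100.4 120
1121.0 10.0.0.7 198.51.100.4 120
1179.5 10.0.0.7 198.51.100.4 120
1241.0 10.0.0.7 198.51.100.4 120
1298.0 10.0.0.7 198.51.100.4 120
"""


def parse_timestamps(log: str) -> List[float]:
    """Return the epoch timestamps from the constructed log lines, in order."""
    return [float(line.split()[0]) for line in log.splitlines() if line.strip()]


def inter_arrival(timestamps: List[float]) -> List[float]:
    """Gaps between consecutive connections."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def coefficient_of_variation(gaps: List[float]) -> float:
    """Population std-dev divided by mean: near 0 for a steady schedule,
    large for human-driven, bursty traffic."""
    m = mean(gaps)
    return pstdev(gaps) / m if m else float("inf")


def classify_session(log: str, cv_threshold: float = 0.25) -> str:
    """Label a session 'periodic-checkin', 'interactive' or 'insufficient'.

    The threshold is a constructed illustration value, not a tuned figure.
    """
    gaps = inter_arrival(parse_timestamps(log))
    if len(gaps) < 3:
        return "insufficient"
    return "periodic-checkin" if coefficient_of_variation(gaps) < cv_threshold else "interactive"


if __name__ == "__main__":
    for name, log in (("sync", SYNC_LOG), ("async", ASYNC_LOG)):
        print(f"{name}: {classify_session(log)}")
```

The point of the example is not that a coefficient of variation catches a modern implant (a platform that randomizes its schedule will blunt it), but that a detection built around the interactive, terminal-like model has nothing to key on once the operator is no longer in the loop, so the timing of the check-ins themselves becomes the evidence.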

Wednesday, June 14, 2017

Botnets and the NTIA (Commerce Department)

This picture is meant to inspire you while you read the post, but in an unknown way.
Read the Commerce Dept Request for Comments here!

There are two real possibilities for combating botnets on the Internet. One is to play core-wars, which requires legal setups that allow us to launch beneficial worms which patch vulnerabilities. I can see most policy-types shaking their heads at how difficult this would be to do, but it is a technically workable option.

The other method is to build a resilient internet - by which we do not mean an internet free of vulnerabilities, but one free of centralized choke points that can be targeted by massive traffic attacks.

DNS is the primary pain-point, but also one the government likes having around because it allows for centralized governmental control. Imagine if everyone was on a decentralized domain system, and the FBI could not "seize" domains. This is the price you pay for resilience. To be fair, I don't think we really want it. :)

Tuesday, June 13, 2017

Continuity Bias in Cyber Security

I went to this talk today at EmergeAmericas, a business conference a few blocks from my house put together by the movers and shakers of Miami. It had an eclectic crowd of people. But one of the speakers, Ambassador Henry Crumpton, was a bit of a surprise because I'd never seen him speak before.

Look at this talk and tell me what it's about:

What is this about? ANYTHING?

Anyways, I had low expectations based on the abstract. But the talk itself was great in the way all great talks are. It was a stampede through his life, which was fascinating and involved negotiations with Afghan warlords and other tide turners. And one thing he highlighted was the massive amount of continuity bias he saw everywhere he went, even when obviously things were changing about as fast as they possibly could.

This is nowhere more true than in every defense talk where they go on and on about how the attacker only has to find one hole, but the defender has to patch them all.

Yes, looks like they are doing REAL well at maintaining invisibility, eh?

Look, here's the thing. I read every incident response report that MS and FireEye and Crowdstrike and Endgame and everyone else puts out. PLATINUM looks like a no-holds-barred good team. It's not a team that got caught from a leak. They got caught by a commercial, reasonably priced, incident response technology. What if network defense technology is starting to work?

What I'm saying is that it would be a massive mistake for US Strategic Policy to assume that Microsoft or QiHoo360 can't build a security fabric that stops exploitation even on buggy systems with nation-state 0day and techniques. We need to be careful when we design things like the VEP that we don't castrate our strategic intelligence needs.

Dams and Planes and Trains

When you start out hacking, you always hack things that move and go boom because that's the toddler in you coming out, and nothing is more hacker-like than the pure uncontrolled Id.

But if you want to cause real human suffering in an advanced state, manipulating data in a criminal court system is probably the way to go. Once you've planted emails that show prejudice, all you have to do is allow normal discovery to take place - no data exfiltration scheme needed!

I mean, a wise person does not have a house anywhere under a major national dam's flood plain in this day and age. You pretty much have to assume they're all hacked, and probably with malware written by a few different countries' lowest possible bidders.

But that said: Criminal systems. They combine a need for perfect trust with high impact on society, and weak protections.

Thursday, June 8, 2017

How to pick targets

Do people read these? I'm guessing...not.

There's a whole class of individuals out there with no real job description because "Cyber Warrior" sounds pretentious as hell. But that's as close as we get, and the most important thing they do is pick targets.

What cyber war attacks best is ideologies. But "ideology" is a fuzzy term. So what I like to use to predict fruitful (haha) areas of research is essentially a combination of "hypocrisy" and "industry based on illusion". In other words, how do you get the biggest bang for your buck by manipulating or releasing information? First, your opponent must be off-balance in some way, like how the DNC was, to anyone with the right eyes.

The massive food distribution network is well within the risk area of this kind of analysis. No doubt, when federal policy teams get around to it, they will try to classify it all as "critical infrastructure", which is what they do when scared.

We don't have a TON of real research in the open space on how to find areas where you have a lot of leverage for cyber war effects. People sort of run from one exciting moment to another. Yesterday, car hacking is hot! Today, political hacking and info-war!

But just to start by adding some propane to the fire:

Food distribution combines these fun things (collect them all!):

  • Massive, distributed, country sized wireless networks
  • Full of special purpose old hardware and software with complex supply chains and basically no forensic capability
  • Where any level of UNCERTAINTY, let alone visual physical effect, can cause mass disruptions. You don't have to poison every grape - just ONE GRAPE - in order to make all the grapes worthless
  • No long history of massive security investment (unlike, say, the financial sector)

When you look at strategy in combat or gaming there's a lot of talk of the "meta". In other words, under a given ruleset, what are the best-fit resource allocations for success? But what you see with champions is they almost always go OFF META. Because the true meta is always surprise. With cyber it is no different. Russia's plans worked because they were a surprise. And our response, as well, must be.

Friday, May 26, 2017

Platform Security

COM SECURITY TALK from INFILTRATE 2017: https://vimeo.com/214856542

Ok, so I have a concept that I've tried to explain a bunch of times and failed every time. And it's how not just codebases decompose, but also whole platforms. And when that platform cracks, everything built on it has to be replaced from scratch. Immunity has already gone through our data, like every other consulting company, and found that the process of the SDL is 10 times less of an indicator of future security than the initial choice of platform to build a product on.

It's easier for people to understand the continual chain of vulnerabilities as these discrete events. They look at the CyberUL work and think they can assess software risk. But platform risk is harder.

Some signs of cracking are:

  * New bugclasses start to be found on a regular basis
  * Vulnerability criticality regularly is "catastrophic" as bugclasses that used to be of low risk are now known to be of super high risk when combined together
  * Remediations become much more difficult than "simply patch" and often bugs are marked "won't fix"
  * Even knowing if you are vulnerable is sometimes too much work even for experts
  * Mitigations at first seem useful but then demonstrate that they do more harm than good

From an attacker's standpoint, being able to smell a broken platform is like knowing where a dead whale is before anyone else - there is about to be a feeding frenzy. Whole careers will live and die like brittle stars upon the bloated decomposing underwater corpses of Java and .Net. Microsoft Windows is the same thing. I want to point out that two years ago when Microsoft Research gave their talk at INFILTRATE, initially nobody took any notice. But some of us forced research on it, because we knew that it was about the cracking of an entire platform - probably the most important platform in the world, Active Directory.

From a defensive standpoint, what I see is people are in denial this process even exists. They think patching works. They want to believe.

From an architectural standpoint, Windows is only two things: COM and Win32api. Forshaw has broken both of them. And not in ways that can be fixed. What does that mean? Anyways, watch the video. :)

Thursday, May 25, 2017


The PATCH act is well meaning, but handles strategic security issues with the wrong scope and without the information needed to solidify the US Government response to any longer-term systemic risks.

Specifically, we know the following things:
  • Patched vulnerabilities can still result in massive security events (such as Wannacry)
  • Vulnerabilities we know about are sometimes, but not often, found out by our adversaries (RAND paper)
  • Exploits DO sometimes get caught (usually one at a time)
  • Exploits lately have been leaking (wholesale)
  • Understanding the risks or technical details of any one vulnerability is a massive undertaking
  • Exploits are composed of multiple vulnerabilities, each with their own complex story and background
  • Other governments are unlikely to give vulnerabilities to US companies through any similar system

We also know what we don’t know:
  • We don’t know which vulnerabilities we will need in the future
  • We don’t know what vulnerabilities our adversaries will find and use in the future
  • We often don’t know what mitigations will and won’t work in the real world (you would THINK patching would work, but Wannacry exists!)
  • We don't know how our supply chain will react to us giving vulnerabilities to vendors

The PATCH act defines vulnerabilities quite broadly for this reason: We don’t know what types of things will have impact and we will need to react to in the future. But this is also a sign that we are not ready for a legislative solution.

Imagine setting up the exact system described in the Act but only for Internet Explorer vulnerabilities. As you run this imaginary system through its paces you immediately discover how hard it is to get any value out of it. That's not a good sign for a new law. Proponents of the PATCH Act say it is a "light touch", but anything that handles every vulnerability the United States government uses from every possible dimension is by definition a giant process. And one that, in this case, we don't know will be effective.

Another question is how we build a defensive whole-of-government framework - for example, should the head of the GSA be read in on our vulnerability knowledge (in aggregate, if not of individual vulnerabilities) so they can guide future purchasing decisions?

In order for our IC to continue in the field of computer exploitation, we will have to get some hold on wholesale leakers of our most sensitive technology. This does not mean “tracking down leakers” but building systems and processes resistant to leaking. It is about information segmentation and taking operators out of the system as much as possible.

This is true in all intelligence fields and may require re-engineering many of our internal processes. But assuming we can do that, and that efforts are already underway to do so, we still have to handle that exploits get caught occasionally, and that other people find and use exploits and that even after a patch, we have complex strategic issues to deal with.

In that sense, having a vendor produce and distribute a patch is only part of the complete breakfast of helping our strategic security needs. It is less about “defense vs offense” and more about handling the complex situations that occur when using this kind of technology. We would be wise to build an emerging strategy around that understanding before any legislation like the PATCH act forces us down a path.