Wednesday, September 28, 2016

Some old training materials on anti-attribution :)


The thing here is the top page: what information is visible OBLIQUELY, versus information your adversary has to see at the time of attack, versus information left behind on a target. The oblique information is the ... fun part.

As a concrete example: Some teams are good at exploiting race conditions in the Windows kernel - and that information filters through a county's various teams slowly as people leave and join different companies and agencies. But even if the entire toolchain is completely new and unknown, if I see that they got in via a Windows kernel race condition very early on, I can assess which team that came from. Anyways, the slides above are from the part of the class that taught the operational security value of not exposing that data, or at least knowing when it was exposed.

Does that make sense? I feel like the best way to learn all of this stuff if you're a policymaker is from reading Cryptonomicon

Or read these two pages from DKM's The Last Dancer:



You should read that book anyways.

No comments:

Post a Comment