Tuesday, December 20, 2016

The Weirding Way

You don't have to believe I know anything about cyber combat or science fiction, but if you read this blog, and haven't read Dune, you're missing out on the philosophy behind how cyber offense works. 
I want to teach the whole Policy World about the Weirding Way in this blogpost. It is hard to explain, but I want to start with this: Scrippie is a better exploit writer than I ever was. I have the good fortune to be able to watch world class exploit writers do their work. Even now, when I should be selling INFILTRATE tickets, I stand around behind people and talk to them about their exploitation strategies and how they are manipulating a heap overflow to do what they want and what their chances of success are. Sometimes I can help. Mostly I just help by letting them talk it out.

I know that no policy lawyer can read Bratus's paper on Weird Machines. I also know that even Halvar's INFILTRATE keynote on the subject is probably too technical.

But let me tell you something in the Wassenaar Arrangement that is leading the policy world down the wrong path, a sugar-coated path of simplicity: The idea that computer code has intent, and even a chain of preferred execution!

The reason Scrippie is a better exploit writer than I am is because he flattens the code out in his head. He reads the whole thing, and then inside his head the input parsing routines and the heap allocation routines and even the KERNEL system call routines are all at the same level, literally as if they are all in a line and he is simply calling them with his data.

This is what it takes to do real exploitation in the world where you don't have JavaScript around to do your heap grooming for you. Because most policy experts have only really seen clientsides on occasions where there is a JavaScript interpreter, they have a warped view of how exploitation works in general.

Below, I respond to Nicholas Weaver's Lawfare post, but with <sarcasm>, which translates poorly on Twitter.


Ok, so if you're still with me, I want you to think of it this way: Data is also code. I don't mean "Code can be represented as data because everything is just bytes". I mean, the data I pump into your algorithm controls it as much as the executable code itself does. That's how hackers think of your code and it's closer to the true nature of the code than how the regulators and most academics are thinking right now. It's why every time an academic paper comes out on "ROP/JOP/etc" hackers find it redundant and hilarious.

To make this a Koan: Your computer is a state-space, and our data explores it. When it has no input, your computer program is in all potential quantum states - literally anything is possible because it is Turing complete if it has enough complexity. When we give it data, we collapse that waveform into a particular state of our choosing.

Hopefully that helps?
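
A toy model of the koan above, added here as an illustration and not taken from the original post: a constructed five-cell machine (a four-cell name field followed by a privilege flag) whose reachable states are enumerated by breadth-first search over input strings, once with an off-by-one bound and once with the corrected bound. The memory layout, the input alphabet and every function name are assumptions made for the example.

```python
from collections import deque

NAME_LEN = 4                 # cells reserved for the name field
ALPHABET = ("0", "1", "<")   # write a 0, write a 1, rewind the write cursor


def buggy_bound(cur):
    return cur <= NAME_LEN   # off-by-one: admits cur == 4, the flag cell


def fixed_bound(cur):
    return cur < NAME_LEN


def step(state, sym, bound_check):
    """Apply one input symbol. state = (mem, cur); mem[4] is the flag."""
    mem, cur = state
    if sym == "<":
        return (mem, 0)
    if not bound_check(cur):
        return state         # write rejected, state unchanged
    cells = list(mem)
    cells[cur] = int(sym)
    return (tuple(cells), cur + 1)


def explore(bound_check):
    """BFS over inputs; maps each reachable state to a shortest input."""
    start = ((0,) * (NAME_LEN + 1), 0)
    seen = {start: ""}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for sym in ALPHABET:
            nxt = step(state, sym, bound_check)
            if nxt not in seen:
                seen[nxt] = seen[state] + sym
                queue.append(nxt)
    return seen


def intended(state):
    """What the designer had in mind: flag untouched, cursor inside the name."""
    mem, cur = state
    return mem[NAME_LEN] == 0 and 0 <= cur <= NAME_LEN


def weird_states(bound_check):
    """Reachable states outside the design, each with an input that reaches it."""
    return {s: i for s, i in explore(bound_check).items() if not intended(s)}


if __name__ == "__main__":
    for name, check in (("buggy", buggy_bound), ("fixed", fixed_bound)):
        reach = explore(check)
        weird = weird_states(check)
        print(f"{name}: {len(reach)} reachable states, {len(weird)} unintended")
        if weird:
            state, inp = min(weird.items(), key=lambda kv: len(kv[1]))
            print(f"  shortest input leaving the design: {inp!r} -> {state}")
```

Both variants run the same executable code path; only the data decides which of the states is occupied, and with the corrected bound no input leaves the designed state space.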

Monday, December 19, 2016


I've spent nearly three years reading policy papers in cyber security, which is a SMALL community: every conference has the same names. And most papers talk about how to classify the problem and map it to existing problems and then use existing solutions. The GOOD papers (Danzig and Gary) tend to argue the opposite. They are darker, and more painful to read, but also more true and likely to point ways to actual solutions that work.

"Put Simply"

Another thing to watch out for is quick divisions into "phases" of operations. These are vast oversimplifications for the purpose of communicating one particular concept, but you see papers steal classification phases and then run with them as if they are useful in other contexts, which they never are.

Likewise, often the papers that are cited don't support the arguments in the paper, which I always find weird and upsetting, like I'm being cheated by getting a Caribbean lobster instead of a Maine lobster at a restaurant.

11) Dept of Commerce blathers on about stuff unrelated to this paper. This concept needs better support.

The conclusion isn't hard enough on what defines an "activity"

Lots of good reasons to establish presence on SCADA boxes other than direct CNA...

Should probably link to: SIM HEIST

Thursday, December 15, 2016

The DIRNSA trap

New domains, such as cyber, are challenging for leadership. There are always moments where you see people hang on the words of a DIRNSA, especially one who has just exited and is more free to talk (aka, sell whatever solution they are hawking in their retirement). But I want to point out that in most respects these high level people have very little experience in the cyber domain as we know it, and you are better off going to an old 90's hacker-type like Halvar to get strategic advice about what sorts of solutions are going to work next year and the year after that.

Look, I get the magic of the NSA. Being inside the bubble is like living in a crystal ball. I read the presidential daily brief every morning, and then browsed the crypto library or looked at papers on various things far ahead of the outside space. It's like being a Guild Navigator, steeped in Melange.

Folding spacetime is not easy.

Typically, people confuse CLEARANCE with UNDERSTANDING. But reading high level reports and hearing briefings can occlude strategic understanding, especially if you don't have the background to see the whole picture. Obama, towards the end of his term, put in a whole staff on cyber security with no technical or industry experience. Look at Michael Daniel - 17 years at OMB (!) doing financial review of the IC, I'm sure at a very high level of clearance. But he has no technical understanding - he has an undergrad in public policy, not even computer science. This trend was throughout Obama's appointments, and it has led to serious undercutting of our national policy efforts. It doesn't matter how cleared you get, what SAPs you get read into: you cannot get clarity on these issues that way.

I'm often chided for holding fast to a rule that you cannot operate strategically in this domain without understanding the technology - I used to make it a rule that nobody could use the exploits my team created operationally without being able to write them themselves. And spending some time in industry seems like it is a requirement for making good policy decisions when nearly everything you do in the cyber domain goes over private networks and software.

A lot of it is just time in grade. A DIRNSA comes from an intel background, but obviously will probably not have 20 years of cyber-hacking under their belt. Your average 90's hacker will. And these days, they all have the clearances and money from their respective governments to use it. We're not playing against amateurs anymore, and we need to stock our bench accordingly.

Wednesday, December 14, 2016

The back and forth of 0day

In case you don't read my twitter feed, I wanted to post a quick blog about this talk. There are a few things in it, but we go over both Authentication and VPN+Wireless as bug categories, and then talk about next gen targeting for phishing (aka, microtargeting using Twitter ads) and a few other things that are policy related.

Dwell Time

I like to think of the amount of useful information in any size organization as a static number. It's like, movies all compress differently, but roughly they are 1G per hour. So at a certain point, due to bandwidth improvements on average across the world, torrents moved from being mostly songs, to mostly movies. The same thing is true for corporations. Can you download an entire midsize corporation's information-sphere overnight, before the incident response team comes into work the next day? Lately we've seen this information-sphere include phone calls, recorded from VOIP systems.

But the point here is that every part of the defense equation changes when you hit "complete compromise" times of about a day. If you assume, not just compromise, but a Snowden-level event every five years, how would you organize the NSA?

Awareness Training

Almost all awareness training happens via "someone sends you an email". We've seen how well this works. But even worse is acknowledging that hackers can leverage the entire battery of advertising targeting tools to narrow down very targeted ads against your IT staff, even down to one or two members. Facebook and Twitter are great for this. And because it's not a spam email, your organization's defenses never get to see it.


We talk a lot at Immunity about how DoS and resource exhaustion are a "medium" severity vulnerability in the reports we often write, and a "critical" in the wild when they get exploited.

What is NG anyways?

Our position is next-gen is not monitoring, but automated response. This means you have to know ahead of time what it takes to deprovision and reprovision anything on your network.

Monday, December 12, 2016

Sources and Methods


I didn't want to lose this train of thought - but my initial reaction to people in policy places is that they always undervalue the "single server" because from an operator's perspective, there is no such thing. That server is a foothold on a network - probably in a unique position, and the toolchain on that server and that GOT you onto that server puts every mission you have at risk, typically. 

So from that perspective, it's likely that even if it is one server, that a real offensive organization has human lives at risk if that server is deliberately outed. You have to do a massive cleanup job first, equivalent to an enterprise-level forensics job, to cover your tracks. Sometimes that's impossible because you've lost access to part of your toolchain...

Wombo-Combo Cyber Offense

So I'm reviewing a paper on cyber offense resourcing and what I find hard to explain to non-operators is wombo combos. It's not even about "operators" per se. It's about the crucial elements of cyber strategy that evolve from the experience of hackers working in small teams ("islands", if you will). I, like many people, spend a lot of time doing wombo-combos in Overwatch - the standard one being Zarya's gravity bomb, which pulls people all into a group and "Justice Raining From Above", which is a barrage of missiles from the flying character Pharah, which cleans them all up. Obviously the coolest wombo-combos are the weirdest and least expected ones. Many videos have been dedicated to dealing with having control over only two members of a six-person team, which is identical to almost everyone's decisions when doing cyber strategy.

If you want to see a basic outline of the overall picture, the old post on metrics around cyber capabilities is useful. This post, in some senses, is the next level down in terms of technical focus.

A wombo-combo is a strategy of resource choice in a way that creates instant dominant synergies. Most cyber offensive organizations come upon these by accident, or the hard way. They end up throwing a bunch of resources at the problem and get lucky by sometimes having a wombo-combo, but typically they fail to realize why they are getting so successful and eventually disrupt their own synergy. Building these capabilities takes time and forethought, and so it's easy to disrupt them with personnel loss or reorgs.

But good hacker teams do wombo-combos on purpose. The traditional one is PHP + Linux locals. You can get pretty far by specializing in two areas that have great synergies like that, which is something many early hackers groups did instinctively.

So for example, if you specialize in supply chain interception and hardware trojans then what else do you need to have to generate synergies? Can China completely forgo any iPhone client-side or exploitation capability if they get a significant advantage in hardware hacking + somethingelse? Maybe all I invest in is XSS + a pile of cheap RATs? What is Singapore's best "punch above your weight" strategy? I mean, the question for everyone in the next few years is going to be "How do I best team with Equation Group so I can get under the security umbrella?", which even stalwarts like Germany would be best off preparing for now, from a technical capabilities perspective.

I deliberately left exploitation out of the original post on attacker metrics, focusing instead only on implants, which are easier to analyze when you're trying to create measurements from publicly available data. But you can see these strategies operating in the wild every day with the right kind of eyes. Of course, a corollary is I think of HUMINT as just another arm of cyber offense, which would probably insult a lot of CIA-types. :)

Thursday, December 1, 2016

How ‘Active Defense’ Would Work

The Problems

In many cases American (and other Western) companies know they have had an intrusion and even who the beneficiary is - but cannot prove it because to do so would require information only available on a remote server in another country, one typically unresponsive to subpoenas from the American court system.

Likewise, large scale botnets and worms such as Mirai can be difficult to combat as no public agency has the authority (and desire) to conduct the necessary international trespasses for the public good. And while penetrating carder forums and child abuse imagery trading websites on the Dark Web can be done by the largest law enforcement agencies, it's time to prepare for a specialist arm that can support all of law enforcement.

In addition, there is a talent problem. Even if there was a clear authority for many of these issues, the US Government does not have an additional natural critical mass of experienced hackers and management teams necessary to safely mount these sorts of operations.

No intelligence community arm is aimed at defeating economic cyber espionage on behalf of American industry. Nor should this become a priority of the foreign intelligence community’s mission. While the protection of the American industrial base is a strategic goal, there are limited resources within the IC and penetrating Chinese corporations which are not involved in military applications is a problematic thing to do for the NSA and CIA.

Desired End State

The first order desired goal is the end of widespread economic cyber espionage, which at scale, is a national security issue, but individually is a law enforcement issue. No Chinese/Russian company would receive stolen American R&D intellectual property or sales plans if it knew that accepting that information could lead to heavy personal and corporate legal sanctions.

Essentially, we want to have a chilling effect on cyber economic espionage while providing the beginnings of the ability to deal with wide ranging international systemic threats such as the Mirai worm, leveraging the deep bench of penetration testing talent and resources available in the private sector to do this without impacting our intelligence community missions.

Active Defense Done Safely and Legally

[Figure: active defense diagram]

Issues and Concerns

Escalation into a cyber war or a trade war is the most commonly cited concern with this kind of structure for normalized hack-back. But there's no reason to assume that "cyber war" will escalate when countries have the option of simply being responsive to law enforcement requests. The key to avoiding escalation in this case is splitting the effort from traditional IC (which can be involved in battleground preparation operations), and massive transparency as to the scoping and goal of this agency's work.

Another question is why is there a private sector penetration testing company involved at all? Why not do this entirely in-house in a law enforcement agency? The answer is twofold:
  1. Law enforcement agencies have a culture that does not mesh well with cyber teams, to be blunt, which makes it hard for them to maintain the management talent required to run operations as well as you need them to. For example, while initial attacks against child abuse imagery sites and users can be performed somewhat easily, it's reasonable to expect that community to invest in protection and detection mechanisms (as evidenced by them catching the latest Tor Browser 0day when it was used).
  2. There’s a moral hazard issue here - you want American companies to pay for the technical work involved because otherwise every issue becomes the Government’s problem, and there is no incentive to orient their business to security. This is what happened with Credit Cards. Instead of building secured payment infrastructure, Banks relied on the Secret Service to go chase down every 19 year old who got involved in carding.

Of course, if this model works well, the vast majority of these efforts would end with no hacking at all, simply subpoena and information requests between two law enforcement agencies.

How would this model work for other countries?

Other (smaller) countries may not see this model as necessary in terms of the private-public partnership. They may want to make it entirely a law enforcement agency function, because they would manage the moral hazard issue more directly that way and they don’t face talent or culture problems and have a history of joining LE and SIGINT functions.

But the truth is of course that many smaller countries will simply want to have the American cyber security umbrella also apply to their companies, and will work on bilateral agreements to make this possible.

Are you just suggesting this model because you want to do the work?

It’s extremely unlikely Immunity, a small business located in Miami and Argentina with a huge foreign national component, would be eligible for this kind of business, although those involved might buy INNUENDO and CANVAS and SILICA (as practically everyone in the industry already does). I assure you this will not drastically affect our profitability.

The penetration testing companies in this model have a very particular risk structure which we can fully explore in another paper - i.e. they need to at some level be closer to classified defense contractors than normal penetration testing companies, even though they are doing unclassified work.

How do other countries trust this process is not itself committing espionage?

This is where measures typical in International Relations come in, such as having, say, Chinese/Russian observers become part of the process. Likewise, this is a great argument for having the tools and techniques and infrastructure for this effort be completely distinct from intelligence community toolchains, and at some level attributable at a group level using specific technical means.

What crimes other than straight economic espionage would this model apply to?

We have a problem in that many crimes in cyberspace are viewed very differently by different countries. For example, posts that defame the Royalty of a country on Twitter are viewed as capital crimes by some countries. What do we do when they send us a subpoena to unmask an anonymous poster of such content, which we would consider protected speech? Are they within their rights under this framework to go active against Twitter?

Those are still painful and unanswered questions.

Isn’t this super risky? What if you break something?

We already handle these issues in SIGINT collection quite well - or at least, well enough to not fear arbitrary escalation when we make mistakes. It's possible that having the best technical talent the industry has to offer is a net benefit in this way, as it will reduce unfortunate side effects.

Some Resources On This Subject

Scenario Walk-through

In many cases, a narrative explains these concepts better than anything else. So below is a hypothetical walk-through of how this could function.


US SteelCo is in the practice of building a new method for creating high tensile steel girders exposed to tropical environments. The goal is to market them into the Caribbean for anti-hurricane buildings which are now more in demand due to Global Warming. The methodology of creating these girders involves dousing them in a cooled molybdenum bath at a precise time during the tempering of the steel. They go through months of testing to determine the exact right formula and finally make a breakthrough.

Unbeknownst to them, a Chinese hacker has been waiting for just such a breakthrough and is resident on their main mail server using a variant of a trojan he also sold to the PRC Army team. He pulls the PDF and some notes on the methodology from a triumphant email sent to the management team and then has them translated into Chinese using a Beijing translation service he is friends with. He then sells that information to a Chinese Fusion Center where it is noticed by a local mega-company ChinaSteel which then decides to invest in a brief market exploration of the girders produced by this technique. They have some success locally in the southern Chinese market and then expand into the Pacific and Caribbean tropics.

A few months later a SteelCo sales team has one of its Bahamian customers hand it a sales pamphlet from ChinaSteel that has the exact same parameters for steel girders. It cannot be coincidence. At first, they assume one of their own technology team has left with the valuable formula, but after an internal investigation, done entirely in person in a hotel room offsite, they place a quick phone call to their FBI contact from the local InfraGard meeting, and she sets them up with a meeting at the local Active Defense fusion center, where they present their case.

The board of directors of SteelCo meets as well, and decides to put a budget towards tracking this issue down. Once the DHS officials working at Active Defense look at the evidence, they connect them with a licensed Investigator firm who constructs a simple Word document that pings back to covert infrastructure created for the test. The engineering team at SteelCo fakes a new announcement of an advance in the formula configuration, and then emails it to the SteelCo executive team, where it is caught by the Chinese hacker’s implant.

A simple HTTP connection ping is made from the Beijing-based translator as they work on the new file, urgently passing it onto their customer at ChinaSteel. With this evidence in hand, the Investigator firm packages a request for additional scope to the Active Defense DHS point of contact. The DHS team looks through their history with the Chinese authorities and notes that they have been previously unresponsive to efforts to get information from this exact translation firm.

Once approved, they begin a more thorough exploration of the servers the translation team runs, using a simple phishing document and a custom 0day to penetrate the pirated Windows XP laptop the company uses. Once inside, they find evidence of years of ongoing economic espionage, for both ChinaSteel and many other “customers”.

This evidence then goes, not to US SteelCo, but to the DHS Active Defense team and then onwards to the US Agencies responsible for enforcing legal sanctions. When ChinaSteel’s management team meets later that year to discuss the yearly strategy, they implement a global policy to not use information from the Fusion center to shortcut their R&D, as it has damaged both their brand, and their bottom line.