Monday, December 12, 2016

Wombo-Combo Cyber Offense

So I'm reviewing a paper on cyber offense resourcing and what I find hard to explain to non-operators is wombo combos. It's not even about "operators" per se. It's about the crucial elements of cyber strategy that evolve from the experience of hackers working in small teams ("islands", if you will). I, like many people, spend a lot of time doing wombo-combos in Overwatch - the standard one being Zarya's gravity bomb, which pulls people all into a group and "Justice Raining From Above", which is a barrage of missiles from the flying character Pharah, which cleans them all up. Obviously the coolest wombo-combos are the weirdest and least expected ones. Many videos have been dedicated to dealing with having control over only two members of a six-person team, which is identical to almost everyone's decisions when doing cyber strategy.

If you want to see a basic outline of the overall picture, the old post on metrics around cyber capabilities is useful. This post, in some senses, is the next level down in terms of technical focus.

A wombo-combo is a strategy of resource choice in a way that creates instant dominant synergies. Most cyber offensive organizations come upon these by accident, or the hard way. They end up throwing a bunch of resources at the problem and get lucky by sometimes having a wombo-combo, but typically they fail to realize why they are getting so successful and eventually disrupt their own synergy. Building these capabilities takes time and forethought, and so it's easy to disrupt them with personnel loss or reorgs.

But good hacker teams do wombo-combos on purpose. The traditional one is PHP + Linux locals. You can get pretty far by specializing in two areas that have great synergies like that, which is something many early hackers groups did instinctively.

So for example, if you specialize in supply chain interception and hardware trojans then what else do you need to have to generate synergies? Can China completely forgo any iPhone client-side or exploitation capability if they get a significant advantage in hardware hacking + somethingelse? Maybe all I invest in is XSS + a pile of cheap RATs? What is Singapore's best "punch above your weight" strategy? I mean, the question for everyone in the next few years is going to be "How do I best team with Equation Group so I can get under the security umbrella?", which even stalwarts like Germany would be best off preparing for now, from a technical capabilities perspective.

I deliberately left exploitation out of the original post on attacker metrics, focusing instead only on implants, which are easier to analyze when you're trying to create measurements from publicly available data. But you can see these strategies operating in the wild every day with the right kind of eyes. Of course, a corollary is I think of HUMINT as just another arm of cyber offense, which would probably insult a lot of CIA-types. :)

No comments:

Post a Comment