Thursday, December 20, 2018

VEP: Handling This Patch's Meta Changes

We may be about to enter the Healer meta in Cyber War for Season 3, what does that mean for you?

The Meta Change

Google caught an 0day this week, and Microsoft issued an out of band patch. Kaspersky has been catching and killing 0day as well recently, at a much higher pace than you would expect, something over one a month. If that doesn't surprise you, then it's probably because you're accustomed to seeing defensive companies catch only implants or lateral movement and then helplessly shrugging their shoulders when asked how the hackers got in.

But we're about to enter a healer-meta. In Overwatch, that is when the value of defensive abilities overwhelms the damage you can do over time. So your offense is forced into one of two options:

  • High Burst Damage Heroes (such as snipers, Pharah, ultimate-economy playstyles, etc.)
  • Diving healers
In Cyberwar what this means is that when effective defensive instrumentation gets widely deployed (and used) attackers are forced to do one of three things:
  • Use worms and other automated techniques that execute your mission faster than any possible response (burst damage)
  • Operate at layers that are not instrumented (aka, lower into firmware, higher into app-level attacks)
  • Modify the security layers themselves (aka, you dive the healer by injecting into the AV and filtering what it sends)


There were two arguments around what you should do in a VEP in a Healer Meta at the Carnegie conference. One, was that since you knew bugs were going to get caught, you should make sure you killed them as soon as possible after use (which reduces threat to yourself from your own bugs). The other was that you were going to need a huge stockpile of bugs and that you should stick to only killing bugs that you knew for sure HAD gotten caught, and only if your attribution was already broken by your adversary.

These are very different approaches and have vastly different strategic needs.

Of course, the third take is to avoid the problem of 0day getting caught by focusing on the basics of countering the meta as outlined above. But a nation state can (and will) also use other arms to restrict the spread of defensive technology or erode its effectiveness (i.e. by attacking defensive technology supply chains, using export control to create deliminations between HAVES and HAVE NOTS, etc.). 

Wednesday, December 19, 2018

The Brussels Winter VEP Conference

So recently I went to a conference on vulnerability equities which was under Chatham House Rule, which means I can't say WHO SAID anything or who was there, but they did publish an agenda, so your best guess is probably right, if you've been following the VEP discussion.

Anyways, here (in click-bait format like Jenny Nicholson) are my top three things that are literally and mathematically irrational about the VEP, as informed by the discussion at the conference:

1. A lot of the questions you are supposed to answer in order to make the VEP decision are 100% unknowable.

Questions typically include:
  • How many targets use a particular software?
  • How many friendly people use a software platform?
  • Will the Chinese find this bug easily or not?
  • etc.

Some panel members thought a partial solution might be for every technology company to give all their customer survey information to the government, which could help answer questions like "Do we need to protect or hack more people who are vulnerable to this bug?" This idea is a bad idea and you could sense the people in the room laughing internally at it, although it is partially already the goal of Export Control regulations.

Needless to say, if you are making your decisions based on a bunch of questions you have NO ANSWERS TO, you are making RANDOM decisions. And some of the questions are obviously unknowable because they involve the future. For example, the answer to "Do our opponents use the latest version of Weblogic?" is always "not at the moment but the future is an unknown quantum interplay between dark energy and dark matter that may decide if the universe continues to expand and also if the system administrator in Tehran upgrades to something vulnerable to this particular deserialize issue!". An even better example is the question of "How hard is this bug for the Chinese to find?" to which if you KNEW WHAT BUGS THE CHINESE COULD FIND IN THE FUTURE you would not be worrying about CyberWar problems so much as how to deal with the crippling level of depression that happens when you have a brain the size of a planet.

Although ironically the VEP will tell the Chinese how hard it is for US to find particular bugclasses, so we have THAT going for us at least.

2. Voting does not resolve equities issues. One of the panelists mentioned that if you want to take every bug, and rank its usefulness from 1 to 10, and then take its negative impact, and rank that one to ten, you can draw a nice diagram like the one below.

Then (they posit) you can just look at the equities decisions you've made, and draw a simple line with some sort of slope between the yay's and the nays and you've "made progress" (tm).

Except that in reality, every number on the graph is somewhere on the axis of "would stop World War III if we could use it for SIGINT" and "would end all commerce over the Internet as we know it resulting in the second Great Depression". I.E. every number is zero, infinity, or both zero AND infinity at the same time using a set of irrational numbers that can only graphed on the side of a twelve dimensional Klein bottle. Voting amongst stakeholders does not solve this fundamental unit comparison issue, to say the least.

What if a bug has no use, but the bugclass it belongs to is one you rely on for other ops? The complications are literally an endless Talmudic whirlpool into the abyss.

For example, I am continually mystified by certain high level officials misunderstanding of the basics of OPSEC when you give a bug out. They seem to think that you can USE a bug operationally before you go through the VEP, and then decide to kill it, and not suffer huge risks with OPSEC (including attribution). They often justify this with the idea that "sometimes bugs get caught in the wild or die by themselves" which is TRUE. In that sense, yes, every operational use of an exploit is an equities decision - one that you take for OPSEC reasons. Which is why GOOD OPERATORS use one whole toolchain per target if possible. And if you think that's overkill, then maybe you've underestimated the difficulty of your future target set.

Also note that no person in government policy wants to use this process to measure the impact of the VEP over time - although I'm not sure what units you would measure your operational loss in, other than human lives? Likewise, there's only one output to the VEP, "Give bug to Vendor" as opposed to a multi-output system including "Write and publish our own Patch" which seems like a better choice if you want to have options for when you disagree with a vendor's triage or timeline?

3. No Government in Europe is dumb enough in this geopolitical environment to do VEP for real. It may happen that every Western government signs or sets up some document that assigns a ton of unanswerable rote paperwork per-bug to their already small technical and cleared teams, if for no other reason, because Microsoft and Mozilla and the Software Alliance all have legitimate soft power that can influence public policy. I mention them in particular because they funded this conference and following the money is a thing I once heard about. As a positive bonus note: VEPs are, great cover for killing OTHER people's bugs once you catch them in the wild.

But the EU technical teams were also there at the conference, with the government policy people responsible for getting their cyber war game from D-level to A-level. You can imagine the post-Snowden meetings all across Europe in rooms with no electronic devices where elected officials looked at their teams and said "What exactly do they mean "SSL Added and Removed Here?!? We need to 'Get Gud', as the teens are saying. Pronto."

Does anyone realistically think that they're going to hamstring themselves? Because I talked to them there and I'm pretty sure they're not going to. (insert SHRUG emoji!)

And here's the actual strategy implication that they know, but don't want to say: Your best people will leave if you implement the VEP seriously. There are those Sardaukar for whom it is not about money, who are with you for life, as long as you have a mutual understanding that their work is on mission, all warheads in foreheads. And to them, the VEP is an anathema.

And then there are people out for fame and money, and those people are going to get stolen by a random company anyway, because why would they ever stay and be a glorified bug bounty hunter?

I mean, every country is different. It's possible I'm misjudging cultures and talent pools. Or not. But if you are running a country's VEP program, you have to be pretty confident that I'm wrong about that to move forward. This is the kind of thing you'd want to start asking about in your exit interviews.

Oh, and as a final note: One of the submitted talks to INFILTRATE required an equities decision. Cool 0day, very old, and you should come and see the talk even though we haven't officially announced it yet. :)