Asynchronous Command And Control and Why You Care If You Do Cyber Policy

Imagine you were a bipedal alien scientist studying creatures on Earth and you had never seen any before. Like that 50 First Dates movie with Adam Sandler, but instead of fart jokes from a walrus, science. Almost certainly as you examine things with your ultra-sophisticated tools, you are going to become obsessed with cause and effect or command and control. You're going to map every system and say which parts influence other parts. 

In other words, for humans, actions descend from centralized control, carried by a nervous system, with a rationalization of purpose. Even the stupid mitochondria is mislabeled as the "powerhouse of the cell". But this is sadly not how most systems really work! And so when you, the alien scientist, come across an ant colony or a siphonophore or certain species of shrimp and you're literally left reassessing the very meaning of cognition, it's hard not to want to just pretend it doesn't exist.

Basically everything they taught you in school about Eusocial organisms was confused because the subject is naturally confusing. 

It is basically like this in all cyber policy when it comes to how implants and command and control work, and this filters into a lot of the policy frameworks you see built out of various places, such as the Tallinn Manual, export control frameworks, the unfortunately named "PrEP" framework, etc.  

Obviously there are a lot of hard definitional questions when it comes to cyber policy:

• What is an exploit?
• What is a vulnerability?
• What is known vs unknown, and the meaning of the word 0day?
• What is the location of a cyber operation?
• What is sovereignty and when is it being compromised?

One of the hardest problems is that because remote access can be used for both espionage and for effect (D4), and of course also for defensive telemetry, the delimiters for policy control tend to lie outside of view.

So aside from admiring the problem I wanted to point at a whole new set of problems to admire that we have so far left in a blindspot - worms, emergent behavior, and asynchronous operations. These are the realistic mechanisms which correspond to two major defensive innovations:

1. Air gaps and air-gap-like network structures (and this includes modern API-driven zero-trust architectures)
2. Automated network-speed defenses (Microsoft ATP, for example)

technically everything is a circle if you zoom out far enough, but obviously Tempest exists and hardware implants exist and supply chain chicanery exists

Part of the problem is the lack of operational examples of decentralized control structures in cyber implants, but I will list the ones we know about here. Although it's worth noting that propagation via USB and control via USB are not the same thing. Three of these were just announced this week! But there are literally only five publicly known as far as I can tell.

1. 2010 - FLAME (see this amazing Bitdefender article)
2. 2020 - USB Thief (c.f. ESET here)
3. 2014 - USB Ferry (Chinese APT c.f. Trend Micro here)
4. 2017 - RAMSAY (DarkHotel c.f. ESET here)
5. 2020 - COMpfun (c.f. Kaspersky here, although the section on the USB C2 is slim)
6. 2014 - Cycldek (also known as Goblin Panda and Conimes according to Kaspersky) "One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose." This doesn't sound like C2, but hard to say from public reporting.

For why it is harder to model a system built by passing occasional messages and even more rarely receiving a response to those messages, it's useful to read James Micken's essentially perfect paper on the subject here. Implants that take commands from, say, a website are essentially interactive. This is the flavor that Metasploit and CANVAS and CORE Impact model - a simple connected lifestyle of cause and effect. You input a command, you get the result. If you don't get a result, that means perhaps your command has not ended, or your implant has crashed. Those are the two possibilities. 

But in an asynchronous model, your implant is making a lot of its own decisions! It's thinking "Hey, maybe I don't want to do that job yet, because nobody is on this computer right now so spinning up the CPU and getting really active will light a lot of bells on the endpoint protection system".  Or maybe your command did not get there. Or maybe the response did not get back. Or maybe something got corrupted and a gate to complexity hell opened up. Everything is possible. And hence, the behavior of the overall system, like an enraged ants nest, becomes complex and depends on a million factors out of your control.

In other words, I like to add to the list of questions above which haunt us: 

• What is control, without control?