Transcript

If there's one organization that knows irony it's...

Three Fallacies:

1. Cyberwar is asymmetric

2. Cyberwar is non-kinetic

3. Cyberwar is not attributable

What is a cyberweapon?

What Cyberweapons are not

A gun and a tank are two very different things.

But a cyberweapon is different in another way...

Availability

Integrity

Confidentiality

How do these convert to an attacker's perspective?

Access, analyse, remove, offer

Destroy Deny Degrade

situational awareness

Distinguishing marks and features

Global and generic in scope

Distributed infrastructure

Trained (i.e. expensive) team of operators

Data visualization components

focusing on the "data of the unexpected"

more to do with attack surfaces than attacks

Example Cyber-weapons

Defined more by "an organization" than "a technology"

Conclusions and Insinuations!

"A more useful definition of cyber war is, hostile actions in cyberspace that have effects that amplify or are equivalent to major kinetic violence."

http://www.au.af.mil/au/ssq/2011/winter/nye.pdf

Imaginary Cyber Weapons

Magic black box that generates SHA-1 hash collisions. The weapon is the thing you build on that.

List of all SQL Injections in the world - updated nightly.

Person locator via Skype and Google and Facebook

Regulations are hard because each cyber weapon is very different.

Previous attempts have essentially failed.

Attacking the finances appears to have the most effect.

Cyberwar is Kinetic

Kinetic does not just mean explosions and instant death

Logistics failure is a dramatic failure

You can change a nation-state's behavior with cyberwar

Wikileaks is just one implementation of that

STUXNET

People talk about it as if it was a trojan

The 4 0days:

- LNK (USB)

- Task Scheduler

- Windows Keyboard

- Print Spooler

Behind every wooden horse is a woodshop.

The real STUXNET is an organization that includes successful Engineers, Analysis, and R&D

The real message

Any factory, any time.

Aurora

30 companies? 30 is just who got caught and publicly humiliated.

It helps to be supplying the world in order to do supply-side attacks!

Cyber attacks are attributable

Simply be ubiquitous

There's a difference between being everywhere and being anywhere

This is not mutually exclusive!

Attack C&C

Get lucky

It's not like all other WoMD are perfectly attributable

Cyberwar is NOT Asymmetric

Who thinks that?

Bruce Schneier: http://www.schneier.com/blog/archives/2007/06/cyberwar.html

"Cyberwar is asymmetric, and can be a guerrilla attack. Unlike conventional military offensives involving divisions of men and supplies, cyberattacks are carried out by a few trained operatives. In this way, cyberattacks can be part of a guerrilla warfare campaign."

Former Deputy Defense Secretary William Lynn:

http://www.defense.gov/news/newsarticle.aspx?id=58930

War has moved more toward asymmetric threats. No nation or group can match the U.S. military’s conventional strength, Lynn said, so they don’t try.

“Rather than fighting us head-to-head, they use IEDs to counter our mechanized advantage or guerilla tactics to avoid direct combat,” he explained. Some countries also are investing in weapons such as surface-to-surface missiles, cyber capabilities and anti-satellite technologies to deny U.S. access to battlefields.

Basically everyone

Why do people think this?

Essentially because breaking into machines is relatively cheap

Less than 10M a year will get you into wherever you want

Finding 0days costs money, but not crazy money

Hacker infrastructure is not expensive

Bandwidth is essentially free

This essentially spawned an entire industry of banking spyware

Two items with carrier-class expense tickets

Maintenance

Analysis

Targeting

This is an NP-complete problem where clouds of uncertain data need to be processed.

Generally it involves a level of human passion.

Operational Targeting

Targeting in Exploit Development

What a computer is

Massively parallel to the point you don't think about it as such

Distributed data storage DB

General Purpose API

Azure

Google

Amazon

APT APT APT, but deep down, most countries don't own enough computers to win this fight and they know it.

Attacking Google, Amazon and Microsoft makes perfect sense...

Why Attackers Win

Because the offense is winning, strategists and policy makers think it is a feature of the cyber domain! This is not true. Offense is successful due to a current better strategy.

How do ATTACKERS keep winning?

Common Excuses

You only need one good attacker

But all your defenders need to be good

Users will click on anything

Resource Constraints

Many defenders think the problem is intractable!

cultural weaknesses

Law enforcement is most useful against attackers with financial motives

"We read everything you do - but we don't share"

Academic community is not a serious player in modern information security

Education and timeframes

Defenders are being taught new techniques by the attackers

deployment takes more time

universal deployment is even later

script kiddies

Inability to understand the impact of 0day

Is there anything we can tell you about the platform that would make you abandon it?

ssl vpns

cloudburst

The attacking community is mature, self-organizing, highly motivated.

FIRST started in 1989

Phrack started in 1985

Information Security != IT security

Striking lack of data classification in the commercial world

Have an attacker go through your Google appliance for a day - see what they find!

You can't do cloud computing without data classification, but everyone seems to try anyways.

Technological Weaknesses

This is essentially a story of software insecurity

These are also basically cultural weaknesses

Defenders are not surprising the Attackers

My job is to beat your SDL

Resulting State of Play

The SDL of all the major vendors is broken

Attacking the Internet's Command and control

Who thinks secure@microsoft.com does not get read by hackers?

What about your company's security team?

When data loss is detected, there is no way to know what the impact was

Defenders consistently misunderestimate their opponents

Defenders have invested all their money in products that don't work

None of this is inherent in the cyber domain!

Cyberwar attacks Ideology best

What is a nation-state if not an ideology?

For the warfighter, cyber is more powerful than the other weapons of mass destruction because it is, at the heart, a weapon of mass disruption.

Once it matures, it's going to get used.

Things you can do

Instrumenting your enterprise, and making security decisions on an enterprise, not microscopic, basis, works.

The network is a bad place to listen to discover anomalies

90's era "Sniff and Alert" moves to "instrument, store, analyze, react".

As the analysis gets faster, hackers start getting caught in realtime - they then move as much intelligence as possible into self-replicating attack tools

Process: Scan, understand, attack

He who knows the network best, controls it

Or "application"

Cyberwar is not pentesting - scanning is where the state of the art of penetration testing is!

That doesn't scale up.

Report writing sucks.

It takes a few weeks to move an army.

It takes a few months to secure a cyber-area, or unsecure an enemy's cyber-area.

Analysis can't be rushed.

Sometimes burning 0days is a net win: for example, if you recovered a source code tree, you now have the ability to generate hundreds of 0days.

Think: Adobe attacks. Microsoft. Google. RSA.

Definitely not this

Nor any particular exploit, no matter how reliable

Nor This

Comodo example:

The US assumes they are the ones who manage root CAs, so they are ok to use certs or issue them for their own purposes.

They trusted it, because they thought they had control over it.

CyberWeapon Basics

Example Cyberweapon

- client-sides that install a quick trojan

- trojan looks for Dreamweaver passwords

- Automatically logs in, installs PHP file that injects IFRAME into all HTML pages

- Redirect any users to client-side server

- Goto step 1

Access

Your basic "Information Security Triad"

Attrition

Destroy

Attacks copyright directly

Analyse

Indirectly attacks particular industries

Can people read my email?

The classic Offer Cyberweapon

Michael Hayden would call this "Changing the terrain in cyberspace"

When people think of terrain too often they think only of Access

Can people modify my files?

Offer

Original goal was

also analysis

You are losing not soldiers, but technological advantage

Can I serve pictures of cats to my customers?

Analyse

Degrade

Access

Access+Remove

If one of your rootkits is found because you are clumsy - you lose all the rootkits in that rootkit family!

0day is the most common thing you will lose, and the hardest to protect

Losing an 0day can sometimes mean losing all the hosts you owned with it in the past - and losing all the rootkits you installed on them!

Serversides last longer than client-sides here

When your 0day is known to be found, you can kill it by making it public (cf. Chinese style)

For suitably complex bug classes you have only random attrition

i.e. of 20 kernel bugs since '05, 10 are left. The rest died due to code refactoring.

Scanners don't work

Big Problem? Let's automate it!

Not a good definition! Kinetic in what space?

0.2 cents per IP for remote owning on a country-scale level

A lot of the products on the market are great for offense, and obviously terrible for defense...

Types of Scanners That Don't Work:

- Vulnerability Scanners

- Static Analysis

- Web Application Scanners

- Web Application + Static Analysis

- Any other scanner you'll come up with to a non-linear problem

i.e. computers are useful for building cyberweapons and there's less than 5 of them in the world, as correctly predicted.

At least, not very often.

None of security's problems are linear except IP discovery

Attacking the distributed infrastructure is the likely path against a well funded attacker.

Some further notes on terminology

The Chinese call it information war

But the term Cyber means something important

Sometimes the medium is the message

Modern IT has fundamentally changed the way information affects human societies. That's what cyber means.

Why do security groups think these things?

How do DEFENDERS turn the tide?

I feel the need, the need for speed!

Power stations are the most obvious

Nuclear power is the most splashy

Pressure from their governments

Outsourcing business at risk

Cyberwar strategy

http://abovetopsecret.com/forum/thread350381/pg1

The real answer is "EVERY company".

California is about to hook every home's AC to a network. Smart Grid!

Conclusions

Metrics are Important

Planes, boats, trains, automobiles

"Get Rich or Die Trying!"

The Morris Worm was in 1988

http://ilm.thinkst.com/folklore/index.shtml

Community is poisoned by marketing

Banned APIs

Fuzzing

Strategic Security Research

Every fuzzer finds different bugs!

Laurent Gaffié's SMB vulnerabilities are a good example

Everyone thinks they're the only one who can build their own parser

or data flow algorithm!

SDL GOALS

Attacker Goals

"So you can ask developers to 'always think of all the possible issues', and you will be left with developers who won't have time or motivation to actually do any real work. And they'll _still_ miss some subtle issue, and they'll _still_ write code that has bugs."

- Linus Torvalds

Static Analysis is a highlighter, not a spell checker!

Reduce Number of Vulnerabilities

Code review

Static Analysis

Find different vulnerabilities than the defenders

Reduce severity of vulnerabilities

Make vulnerabilities more dangerous

As a "bonus", often includes explosions and instant death

Rand

Public bodies of work

Hacking

Writing Exploits

Most defenders have never seen a real hacker work.

Nationstates as well are just one implementation of that

Why are they wrong?

You break into one company, you own them; you break into a thousand companies, they own you.

Some attackers find holes in the underlying frameworks. This is more expensive.

Others find holes in the underlying math. This is crazy expensive.

Doing either is helped by having a computer to use.

It's all fun and games until someone loses a religion.

Calls for more regulation of the internet

Until the Blitzkrieg, Nukes, and Global Terrorism, Defense had the advantage.

Right now attackers DO win - if not at the cost people think.

Policymakers see offense winning in the cyber domain, and think it is a category of the domain itself.

This makes it not their fault! :>

But it's not a feature of the domain - it's a strategic failure. Everyone's defense is constantly strategically surprised by the offense.

That's never going to happen

Modern art: Simple - "I can do that"

People without experience as attackers

This is a young phenomenon

Attacker winning is not cyberwarfare

Warfare is an ongoing strategic contest

Here's what's going to happen: Nothing for 20 years until our policy is written by people with experience in this.

This is going to be painful and expensive for the world.

Mudge/Jeff Moss, promising start

As a nation

Strategic deterrence is the only viable option

This also solves the "attribution problem"

The future and things that will work for you in the short term!

How this pans out

Cryptography is really just a subset of cyber

As a company

Make better strategic decisions

Platforms and products

Outsourcing and people

Classify your data
