
If there's one organization that knows irony it's...

Three Fallacies:

1. Cyberwar is asymmetric

2. Cyberwar is non-kinetic

3. Cyberwar is not attributable

Cyberwar is Kinetic

Kinetic does not just mean explosions and instant death

Logistics failure is a dramatic failure

You can change a nation-state's behavior with cyberwar

Wikileaks is just one implementation of that

Power stations are the most obvious

Nuclear power is the most splashy

California is about to hook every home's AC to a network. Smart Grid!

Planes, boats, trains, automobiles

STUXNET

People talk about it as if it's a trojan.

The 4 0days:

- LNK (USB)

- Task Scheduler

- Windows Keyboard

- Print Spooler

Behind every wooden horse is a woodshop.

The real STUXNET is an organization that includes successful Engineers, Analysis, and R&D

The real message

Any factory, any time.

Aurora

30 companies? 30 is just who got caught and publicly humiliated.

Cyber attacks are attributable

Simply be ubiquitous

There's a difference between being everywhere and being anywhere

This is not mutually exclusive!

Attack C&C

Get lucky

Todo: insert story after

story about attribution

It's not like all other WoMD are perfectly attributable

Cyberwar is NOT Asymmetric

Who thinks that?

Bruce Schneier: http://www.schneier.com/blog/archives/2007/06/cyberwar.html "Cyberwar is asymmetric, and can be a guerrilla attack. Unlike conventional military offensives involving divisions of men and supplies, cyberattacks are carried out by a few trained operatives. In this way, cyberattacks can be part of a guerrilla warfare campaign."

Former Deputy Defense Secretary William Lynn:

http://www.defense.gov/news/newsarticle.aspx?id=58930

War has moved more toward asymmetric threats. No nation or group can match the U.S. military’s conventional strength, Lynn said, so they don’t try.

“Rather than fighting us head-to-head, they use IEDs to counter our mechanized advantage or guerilla tactics to avoid direct combat,” he explained. Some countries also are investing in weapons such as surface-to-surface missiles, cyber capabilities and anti-satellite technologies to deny U.S. access to battlefields.

Basically everyone

Why do people think this?

Essentially because breaking into machines is relatively cheap

Less than 10M a year will get you into wherever you want

Finding 0days costs money, but not crazy money

Hacker infrastructure is not expensive

Bandwidth is essentially free

This essentially spawned an entire industry

of banking spyware

Two items with carrier-class expense tickets

Maintenance

Analysis

Targeting

This is an NP-complete problem where clouds of uncertain data need to be processed.

Generally it involves a level of human passion.

Operational Targeting

Targeting in Exploit Development

Likewise, you need to be supplying the world in order to do supply-side attacks!

Limit to what companies will put up with

Pressure from their governments

Outsourcing business at risk

Process: Scan, understand, attack

Big Problem? Let's automate it!

Internet Security's Least Kept Secret

Scanners don't work

At least, not very often.

None of security's problems are linear except IP discovery

Types of Scanners That Don't Work:

- Vulnerability Scanners

- Static Analysis

- Web Application Scanners

- Web Application + Static Analysis

- Any other scanner you'll come up with to a non-linear problem

Losing an 0day can sometimes mean losing all the hosts you owned with it in the past - and losing all the rootkits you installed on them!

For suitably complex bug classes you have only random attrition, i.e. of 20 kernel bugs since '05, 10 are left. The rest died due to code refactoring.

0.2 cents per IP for remote owning on a country-scale level

He who knows the network best, controls it

Or "application"

Cyberwar is not pentesting - scanning is where the state of the art of penetration testing is!

That doesn't scale up.

Report writing sucks.

Cyberwar strategy

Cyberwar attacks Ideology best

What is a nation-state if not an ideology?

For the warfighter, cyber is more powerful than the other weapons of mass destruction because it is, at the heart, a weapon of mass disruption.

It takes a few weeks to move an army; it takes a few months to secure a cyber-area, or unsecure an enemy's cyber-area.

Analysis can't be rushed.

But there are open sources of information on the subject

1. Air force SQR

2. DARPA papers

3. The "news"

4. Hayden's BH talk

Sometimes burning 0days is a net win:

for example, if you recovered a source code tree, you now have the ability to generate hundreds of 0days.

Think: Adobe attacks. Microsoft. Google. RSA.

Once it matures, it's going to get used.

Comodo example:

The US assumes they are the ones who manage root CAs, so they are OK to use certs or issue them for their own purposes.

They trusted it, because they thought they had control over it.

Attrition

You are losing not soldiers, but technological advantage

If one of your rootkits is found because you are clumsy - you lose all the rootkits in that rootkit family!

0day is the most common thing you will lose, and the hardest to protect

Serversides last longer than client-sides here

When your 0day is known to be found, you can kill it by making it public (c.f. Chinese style)

Why do security groups think these things?

How do ATTACKERS keep winning?

How do DEFENDERS turn the tide?

Common Excuses

Why Attackers Win

Resulting State of Play

Users will click on anything

You only need one good attacker

But all your defenders need to be good

The SDL of all the major vendors is broken

I feel the need, the need for speed!

Resource Constraints

Attacking the Internet's Command and control

Who thinks secure@microsoft.com does not get read by hackers?

What about your company's security team?

Defenders consistently misunderestimate their opponents

When data loss is detected, there is no way to know what the impact was

Defenders have invested all their money in products that don't work

Many defenders think the problem is intractable!

You can't do cloud computing without data classification, but everyone seems to try anyway.

cultural weaknesses

Technological Weaknesses

This is essentially a story of software insecurity

The real answer is "EVERY company".

Conclusions

None of this is inherent in the cyber domain!

Metrics are Important

Information Security != IT security

Defenders are not surprising the Attackers

Striking lack of data classification in the commercial world

Law enforcement most useful against attackers with financial motives

The attacking community is mature, self-organizing, highly motivated.

Have an attacker go through your Google appliance for a day - see what they find!

Phrack started in 1985

"Get Rich or Die Trying!"

The Morris Worm was in 1988

FIRST started in 1989

http://ilm.thinkst.com/folklore/index.shtml

"We read everything you do - but we don't share"

Academic community: not a serious player in modern information security

Education and timeframes

Community is poisoned by marketing

script kiddies

Defenders are being taught new techniques by the attackers

deployment takes more time

universal deployment is even later

Inability to understand the impact of 0day

Is there anything we can tell you about the platform that would make you abandon it?

ssl vpns

Banned APIs

cloudburst

My job is to beat your sdl

Fuzzing

Strategic Security Research

Every fuzzer finds different bugs!

Laurent Gaffié's SMB vulnerabilities are a good example

Everyone thinks they're the only one who can build their own parser

or data flow algorithm!

SDL GOALS

Attacker Goals

So you can ask developers to "always think of all the possible issues",

and you will be left with developers who won't have time or motivation to

actually do any real work. And they'll _still_ miss some subtle issue, and

they'll _still_ write code that has bugs.

- Linus Torvalds

Static Analysis is a highlighter, not a spell checker!

Reduce Number of Vulnerabilities

Code review

Static Analysis

Reduce severity of vulnerabilities

Find different vulnerabilities than the defenders

Make vulnerabilities more dangerous

As a "bonus", often includes explosions and instant death

Rand

Public bodies of work

Hacking

Writing Exploits

Most defenders have never seen a real hacker work.

Nation-states as well are just one implementation of that

Why are they wrong?

But better attackers find holes in the underlying frameworks. This is more expensive.

What a computer is

Massively parallel to the point you don't think about it as such

Distributed data storage DB

General Purpose API

Amazon

Google

Azure

Others find holes in the underlying math. This is crazy expensive.

APT APT APT, but deep down, most countries don't own enough computers to win this fight and they know it.

Attacking Google and Microsoft makes perfect sense...

Because the offense is winning, strategists and policy makers think it is a feature of the cyber domain! This is not true. Offense is successful due to a current better strategy.

http://abovetopsecret.com/forum/thread350381/pg1

Calls for more regulation of the internet

Until the Blitzkrieg, Nukes, and Global Terrorism, Defense had the advantage.

Right now attackers DO win - if not at the cost people think.

Policymakers see offense winning in the cyber domain, and think it is a category of the domain itself.

This makes it not their fault! :>

But it's not a feature of the domain - it's a strategic failure. Everyone's defense is constantly strategically surprised by the offense.

Modern art: Simple - "I can do that"

People without experience as attackers

This is a young phenomenon

Attacker winning is not cyberwarfare

Warfare is an ongoing strategic contest

Here's what's going to happen: Nothing for 20 years, until our policy is written by people with experience in this

This is going to be painful and expensive for the world.

Mudge/Jeff Moss, promising start

As a nation

Strategic deterrence is the only viable option

This also solves the "attribution problem"

Things you can do

Cyber capabilities are still underrated in importance.

They will likely grow to be more important and expensive than cryptography in general

As a company

Make better strategic decisions

Platforms and products

Outsourcing and people
