Loading presentation...

Present Remotely

Send the link below via email or IM

Copy

Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.

DeleteCancel

Make your likes visible on Facebook?

Connect your Facebook account to Prezi and let your likes appear on your timeline.
You can change this under Settings & Account at any time.

No, thanks

Three Cyberwar Fallacies (RSA 2012)

A compendium of funny things people say about cyberwar!
by

Dave Aitel

on 19 February 2015

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Three Cyberwar Fallacies (RSA 2012)

Cyberwar attacks Ideology best
What is a nation-state if not an ideology?
He who knows the network best, controls it
Or "application"
Process: Scan, understand, attack
Some attackers find holes in the underlying frameworks. This is more expensive.
Others find holes in the underlying math. This is crazy expensive.
APT APT APT, but deep down, most countries don't own enough computers to win this fight and they know it.
Three Fallacies:
1. Cyberwar is asymmetric
2. Cyberwar is non-kinetic
3. Cyberwar is not attributable

Why do security groups think these things?
For the warfighter, cyber is more powerful than the other weapons of mass destruction
because it is, at the heart, a weapon of mass disruption.
Attacking Google, Amazon and Microsoft makes perfect sense...
Cyberwar is NOT Asymmetric
Who thinks that?
Bruce Schneier: http://www.schneier.com/blog/archives/2007/06/cyberwar.html"Cyberwar is asymmetric, and can be a guerrilla attack. Unlike conventional military offensives involving divisions of men and supplies, cyberattacks are carried out by a few trained operatives. In this way, cyberattacks can be part of a guerrilla warfare campaign."
Former D. Defense Secretary William Lynn:
http://www.defense.gov/news/newsarticle.aspx?id=58930

War has moved more toward asymmetric threats. No nation or group can match the U.S. military’s conventional strength, Lynn said, so they don’t try.
“Rather than fighting us head-to-head, they use IEDs to counter our mechanized advantage or guerilla tactics to avoid direct combat,” he explained. Some countries also are investing in weapons such as surface-to-surface missiles, cyber capabilities and anti-satellite technologies to deny U.S. access to battlefields.
Rand
Basically everyone
Why are they wrong?
Why do people think this?
Essentially because breaking into machines is relatively cheap
Finding 0days costs money, but not crazy money
Less than 10M a year will get you into wherever you want
Maintenance
Analysis
Hacker infrastructure is not expensive
Bandwidth is essentially free
This essentially spawned an entire industry
of banking spyware
What a computer is
Massively parallel to the point you don't think about it as such
Distributed data storage DB
General Purpose API
Azure
Google
Amazon
Two items with carrier-class expense tickets
Cyberwar is Kinetic
Power stations are the most obvious
STUXNET
Nuclear power is the most splashy
California is about to hook every home's AC to a network. Smart Grid!
Kinetic does not just mean explosions and instant death
Planes, boats, trains, automobiles
Logistics failure is a dramatic failure
You can change a nation-state's behavior with cyberwar
Wikileaks is just one implementation of that
As a "bonus", often includes explosions and instant death
Cyber attacks are attributable
Simply be ubiquitous
Attack C&C
It's not like all
other WoMD are
perfectly attributable

Get lucky
This is not mutually exclusive!
There's a difference between being everywhere and being anywhere
Attrition
You are losing not soldiers, but technological advantage
If one of your rootkits is found because you are clumsy
- you lose all the rootkits in that rootkit family!
0day is the most common thing you will lose, and the hardest to protect
Serversides last longer than client-sides here
When your 0day is known to be found, you can kill it by making it public (c.f. chinese style)
Losing an 0day can sometimes mean losing all the hosts
you owned with it in the past - and losing all the rootkits you installed
on them!
Comodo example:
The US assumes they are the ones who
manage root CAs so they are ok to use
certs or issue them for their own purposes.

they trusted it, because they thought they had
control over it.
it takes a few weeks to move an army
it takes a few months to secure a cyber-area
or unsecure an enemy's cyber area.

Analysis can't be rushed.
Sometimes burning 0days is a net win:
for example, if you recovered a source code tree, you now have
the ability to generate hundreds of 0days
think: Adobe attacks. Microsoft. Google.
RSA.
It helps to be supplying the world
in order to do supply-side attacks!
http://abovetopsecret.com/forum/thread350381/pg1

Once it matures, it's going to get used.
Conclusions
.2 cents per IP for remote owning on a country-scale level
For suitably complex bug classes you have only random attrition
i.e. for 20 kernel bugs since 05, 10 are left. The rest died due
to code refactoring.
Targeting
This is an NP-complete
problem where clouds
of uncertain data need
to be processed

Generally it involves a
level of human passion
Targeting in Exploit Development
Operational Targeting
Scanners don't work
At least, not very often.
None of security's problems are linear except IP discovery
Big Problem? Let's automate it!
Types of Scanners That Don't Work:
- Vulnerability Scanners
- Static Analysis
- Web Application Scanners
- Web Application + Static Analysis
- Any other scanner you'll come up with to a non-linear problem


Pressure from their governments
Outsourcing business at risk
Cyberwar strategy
Cyberwar is not pentesting - scanning is where the state of the art of penetration testing is!

That doesn't scale up.

Report writing sucks.


Why Attackers Win
Inability to understand the impact of 0day
Community is poisoned by marketing
script kiddies
"We read everything you do - but we don't share"
Is there anything we can tell you about the platform
that would make you abandon it?
cloudburst
ssl vpns
Information Security != IT security
Striking lack of data classification in the commercial world
How do ATTACKERS keep winning?
How do DEFENDERS turn the tide?
cultural weaknesses
My job is to beat your SDL
SDL GOALS
Reduce Number of Vulnerabilities
Reduce severity of vulnerabilities
Strategic Security Research
Make vulnerabilities more dangerouS
Find different vulnerabilties than the defenders
Defenders are not surprising the Attackers
Attacking the Internet's Command and control
Who thinks secure@microsoft.com does not get read by hackers?
What about your company's security team?
Every fuzzer finds different bugs!
Laurent Gaffié's SMB vulnerabilities are a good example
You only need one good attacker
But all your defenders need to be good
Users will click on anything
Attacker Goals
Banned APIs
Fuzzing
Code review
Static Analysis
Metrics are Important
Have an attacker go through your Google appliance
for a day - see what they find!
So you can ask developers to "always think of all the possible issues",
and you will be left with developers who won't have time or motivation to
actually do any real work. And they'll _still_ miss some subtle issue, and
they'll _still_ write code that has bugs.

- Linus Torvalds
Many defenders think
problem is intractable!
Everyone thinks they're the only one who can build their own parser
or data flow algorithm!
Technological Weaknesses
Resulting State of Play
This is essentially a story of software insecurity
Defenders have invested all their
money in products that don't work
The SDL of all the major vendors is broken
Defenders consistantly misunderestimate their opponents
When data loss is detected, there is no way to know what the impact was
The Morris Worm was in 1988
Phrack started in 1985
FIRST started in 1989
As a nation
Strategic deterrence is the only viable option
This also solves the "attribution problem"
As a company
Make better strategic decisions
Platforms and products
Outsourcing and people
Education and timeframes
Defenders are being taught new techniques
by the attackers
deployment takes more time
universal deployment is even later
Static Analysis is a highlighter, not a spell checker!
Most defenders have never
seen a real hacker work.
Public bodies of work
Hacking
Writing Exploits
I feel the need, the need for speed!
You can't do cloud computing
without data classification
http://ilm.thinkst.com/folklore/index.shtml
Modern art: Simple - "I can do that"
People without experience as attackers
This is a young phenomenon
Here's what's going to happen: Nothing
for 20 years until our policy is written by
people with experience in this

This is going to be painful and expensive for the world.

Mudge/Jeff Moss, promising start
Attacker winning is not cyberwarfare

Warfare is an ongoing strategic contest
Until the Blitzkreig, Nukes, and Global Terrorism, Defense had the advantage.

Right now attackers DO win - if not at the cost people think.

Policymakers see offense winning in cyber domain, and think it is a catagory of the domain itself.

This makes it not their fault! :>

But it's not a feature of the domain - its a strategic failure. Everyone's defense is constantly strategically surprised by the offense.
Calls for more regulation
of the internet
Behind every wooden horse
is a woodshop.
The real STUXNET is an organization that includes successful Engineers, Analysis, and R&D
The 4 0day:
- LNK (USB)
- Task Scheduler
- Windows Keyboard
- Print Spooler

The real message

Because the offense is winning, strategists and policy makers think it is a feature of the cyber domain! This is not true. Offense is successful due to a current better strategy.
Common Excuses
Resource Constraints
Law enforcement most useful against
attackers with financial motives
"Get Rich or Die Trying!"
The attacking community
is mature, self-organizing,
highly motivated.
but everyone seems to try anyways.
Academic community
not a serious player in modern
information security
None of this is inherent in the
cyber domain!

Things you can do
Aurora
30 companies? 30 is just who got caught and
publicly humiliated.
The real answer is "EVERY company".
If there's one organization that knows irony it's...
Nationstates as well are just one implementation of that
These are also basically cultural weaknesses
That's never going to happen
It's all fun and games until someone loses a religion.
Classify your data
Cryptographics is really just a subset of cyber
Example Cyber-weapons
CyberWeapon Basics
Confidentiality
Integrity
Availability
Your basic "Information Security Triad"
How do these convert to an attacker's perspective?
Distinguishing marks and features
Michael Hayden would call this "Changing the terrain in cyberspace"

When people think of terrain too often they think only of Access
Distributed infrastructure
Trained (i.e. expensive) team of operators
Data visualization components
Global and generic in scope
What Cyberweapons are not
Nor any particular exploit, no matter how reliable
situational awareness
focusing on the "data of the unexpected"
Defined more by "an organization" than "a technology"
Regulations are hard because each cyber weapon is very different.

Previous attempts have essentially failed.

Attacking the finances appears to have the most effect.
"A more useful definition of cyber war is, hostile actions in cyberspace that have effects that amplify or are equivalent to major kinetic violence."
http://www.au.af.mil/au/ssq/2011/winter/nye.pdf
Magic black box that generates SHA-1 hash collisions. The weapon is the thing you build on that.
i.e. computers are useful for building cyberweapons and there's less than 5 of them in the world, as correctly predicted.
more to do with attack surfaces than attacks
Example Cyberweapon

- client-sides that install a quick trojan
- trojan looks for Dreamweaver passwords
- Automatically logs in, installs PHP file that injects IFRAME into all HTML pages
- Redirect any users to client-side server
- Goto step 1
Definately not this
Nor This
Attacks copyright directly
Indirectly attacks particular industries
Can people read my email?
Can people modify my files?
Can I serve pictures of cats to my customers?
Destroy Deny Degrade
Access, analyse, remove, offer
Offer
Original goal was
also analysis
The classic Offer Cyberweapon
Access
Destroy
Analyse
Access
Analyse
Access+Remove
Degrade
Imaginary Cyber Weapons
Not a good definition! Kinetic in what space?
What is a cyberweapon?
A gun and a tank are two very different things.
But a cyberweapon is different in another way...
Attacking the distributed infrastructure is the likely path against a well funded attacker.
Conclusions and Insinuations!
A lot of the products on the market are great for offense, and obviously terrible for defense...
The future and things that will work for you in the short term!
The network is a bad place to listen to discover
anomalies
Instrumenting your enterprise, and making
security decisions on an enterprse, not
microscopic basis, works.
90's era "Sniff and Alert" moves to "instrument, store, analyze, react".
How this pans out
As the analysis gets faster, hackers start getting caught in realtime - they then move as much intelligence as possible into self-replicating attack tools
List of all SQL Injections in the world - updated nightly.
Person locator via Skype and Google and Facebook
Some futher notes on terminology
The Chinese call it information war
But the term Cyber means something important
Sometimes the medium is the message
Modern IT has fundamentially changed the way
information effects human societies. That's what
cyber means.
You break into one company, you own them
you break into a thousand companies, they
own you.
Doing either is helped by having
a computer to use.
People talk about it as if it was a trojan
Any factory, any time.
Full transcript