Three Cyber-War fallacies

Dave Aitel

on 9 August 2011

Transcript of Three Cyber-War fallacies

Cyberwar attacks ideology best. What is a nation-state if not an ideology?

He who knows the network best, controls it (or the "application").
- Process: scan, understand, attack.
- But better attackers find holes in the underlying frameworks. This is more expensive.
- Others find holes in the underlying math. This is crazy expensive.

APT, APT, APT, but deep down, most countries don't own enough computers to win this fight and they know it.

Three Fallacies:
1. Cyberwar is asymmetric
2. Cyberwar is non-kinetic
3. Cyberwar is not attributable

Why do security groups think these things? There are open sources of information on the subject:
1. Air Force SQR
2. DARPA papers
3. The "news"
4. Hayden's Black Hat talk

For the warfighter, cyber is more powerful than the other weapons of mass destruction because it is, at the heart, a weapon of mass disruption. Attacking Google and Microsoft makes perfect sense...

Cyberwar is NOT asymmetric

Who thinks that?

Bruce Schneier (http://www.schneier.com/blog/archives/2007/06/cyberwar.html): "Cyberwar is asymmetric, and can be a guerrilla attack. Unlike conventional military offensives involving divisions of men and supplies, cyberattacks are carried out by a few trained operatives. In this way, cyberattacks can be part of a guerrilla warfare campaign."

Former Deputy Defense Secretary William Lynn: War has moved more toward asymmetric threats. No nation or group can match the U.S. military's conventional strength, Lynn said, so they don't try. "Rather than fighting us head-to-head, they use IEDs to counter our mechanized advantage or guerilla tactics to avoid direct combat," he explained. Some countries also are investing in weapons such as surface-to-surface missiles, cyber capabilities and anti-satellite technologies to deny U.S. access to battlefields.

RAND. Basically everyone.

Why are they wrong? Why do people think this? Essentially because breaking into machines is relatively cheap:
- Finding 0days costs money, but not crazy money. Less than 10M a year will get you into wherever you want.
- Maintenance.
- Analysis.
- Hacker infrastructure is not expensive.
- Bandwidth is essentially free. This essentially spawned an entire industry of banking spyware.

What a computer is:
- Massively parallel, to the point you don't think about it as such
- Distributed data storage
- DB
- General-purpose API
- Azure, Google, Amazon
Two items with carrier-class expense tickets.

Cyberwar IS kinetic
- Power stations are the most obvious. STUXNET. Nuclear power is the most splashy.
- California is about to hook every home's AC to a network. Smart Grid!
- Kinetic does not just mean explosions and instant death: planes, boats, trains, automobiles. Logistics failure is a dramatic failure.
- You can change a nation-state's behavior with cyberwar. Wikileaks is just one implementation of that.
- As a "bonus", it often includes explosions and instant death.

Cyber attacks ARE attributable
- Simply be ubiquitous.
- Attack C&C.
- Get lucky.
- It's not like all other WoMD are perfectly attributable.
- These are not mutually exclusive! There's a difference between being everywhere and being anywhere.

Attrition: you are losing not soldiers, but technological advantage.
- If one of your rootkits is found because you are clumsy, you lose all the rootkits in that rootkit family!
- 0day is the most common thing you will lose, and the hardest to protect. Server-sides last longer than client-sides here.
- When your 0day is known to be found, you can kill it by making it public (cf. Chinese style).
- Losing an 0day can sometimes mean losing all the hosts you owned with it in the past, and losing all the rootkits you installed on them!

Comodo example:
The US assumes they are the ones who manage root CAs, so they are ok to use certs or issue them for their own purposes. They trusted it, because they thought they had control over it.

It takes a few weeks to move an army. It takes a few months to secure a cyber-area, or unsecure an enemy's cyber-area. Analysis can't be rushed.

Sometimes burning 0days is a net win: for example, if you recovered a source code tree, you now have the ability to generate hundreds of 0days. Think: Adobe attacks. Microsoft. Google. RSA. Likewise, you need to be supplying the world in order to do supply-side attacks! http://abovetopsecret.com/forum/thread350381/pg1

Cyber capabilities are still underrated in importance. They will likely grow to be more important and expensive than cryptographics in general. Once it matures, it's going to get used.

Conclusions:
- 0.2 cents per IP for remote owning on a country-scale level.
- For suitably complex bug classes you have only random attrition, i.e. for 20 kernel bugs since '05, 10 are left. The rest died due to code refactoring.

Targeting: this is an NP-complete problem where clouds of uncertain data need to be processed. Generally it involves a level of human passion.
- Targeting in exploit development
- Operational targeting

Internet Security's Least Kept Secret: scanners don't work. At least, not very often. None of security's problems are linear except IP discovery. Big problem? Let's automate it!

Types of scanners that don't work:
- Vulnerability scanners
- Static analysis
- Web application scanners
- Web application + static analysis
- Any other scanner you'll come up with for a non-linear problem

Limit to what companies will put up with. Pressure from their governments. Outsourcing business at risk.

Cyberwar strategy: cyberwar is not pentesting. Scanning is where the state of the art of penetration testing is! That doesn't scale up. Report writing sucks.

Why attackers win:
- Inability to understand the impact of 0day.
- Community is poisoned by marketing. Script kiddies.
- "We read everything you do, but we don't share."
- Is there anything we can tell you about the platform that would make you abandon it? Cloudburst, SSL VPNs.
- Information security != IT security.
- Striking lack of data classification in the commercial world.

How do ATTACKERS keep winning? How do DEFENDERS turn the tide?

Cultural weaknesses: my job is to beat your SDL.

SDL goals:
- Reduce number of vulnerabilities
- Reduce severity of vulnerabilities

Strategic security research:
- Make vulnerabilities more dangerous
- Find different vulnerabilities than the defenders
- Defenders are not surprising the attackers

Attacking the Internet's command and control: who thinks secure@microsoft.com does not get read by hackers? What about your company's security team?

Every fuzzer finds different bugs! Laurent Gaffié's SMB vulnerabilities are a good example. You only need one good attacker, but all your defenders need to be good. Users will click on anything.

Attacker goals. Banned APIs, fuzzing, code review, static analysis. Metrics are important. Have an attacker go through your Google appliance for a day and see what they find!

So you can ask developers to "always think of all the possible issues", and you will be left with developers who won't have time or motivation to actually do any real work. And they'll _still_ miss some subtle issue, and they'll _still_ write code that has bugs.

- Linus Torvalds

Many defenders think the problem is intractable! Everyone thinks they're the only one who can build their own parser or data flow algorithm!

Technological weaknesses. Resulting state of play: this is essentially a story of software insecurity.
- Defenders have invested all their money in products that don't work.
- The SDL of all the major vendors is broken.
- Defenders consistently misunderestimate their opponents.
- When data loss is detected, there is no way to know what the impact was.
- The Morris Worm was in 1988. Phrack started in 1985. FIRST started in 1989.

As a nation: strategic deterrence is the only viable option. This also solves the "attribution problem".

As a company: make better strategic decisions.
- Platforms and products
- Outsourcing and people
- Education and timeframes

Defenders are being taught new techniques by the attackers. Deployment takes more time; universal deployment is even later. Static analysis is a highlighter, not a spell checker!

Most defenders have never seen a real hacker work. Public bodies of work: hacking, writing exploits. I feel the need, the need for speed!

You can't do cloud computing without data classification. http://ilm.thinkst.com/folklore/index.shtml

Modern art: simple, "I can do that". People without experience as attackers. This is a young phenomenon.

Here's what's going to happen: nothing for 20 years, until our policy is written by people with experience in this. This is going to be painful and expensive for the world. Mudge/Jeff Moss: promising start.

Attacker winning is not cyberwarfare. Warfare is an ongoing strategic contest. Until the Blitzkrieg, nukes, and global terrorism, defense had the advantage.

Right now attackers DO win, if not at the cost people think. Policymakers see offense winning in the cyber domain, and think it is a category of the domain itself. This makes it not their fault! :> But it's not a feature of the domain; it's a strategic failure. Everyone's defense is constantly strategically surprised by the offense. Calls for more regulation of the internet.

People talk about it as if it's a trojan. Behind every wooden horse is a woodshop. The real STUXNET is an organization that includes successful engineers, analysis, and R&D. The 4 0day:
- Task Scheduler
- Windows Keyboard
- Print Spooler
Any factory, any time. The real message. Todo: insert story after story about attribution.

Because the offense is winning, strategists and policy makers think it is a feature of the cyber domain! This is not true. Offense is successful due to a current better strategy.

Common excuses:
- Resource constraints.
- Law enforcement is most useful against attackers with financial motives ("Get Rich or Die Trying!").
- The attacking community is mature, self-organizing, highly motivated, but everyone seems to try anyway.
- The academic community is not a serious player in modern information security.
None of this is inherent in the cyber domain!

Things you can do.

Aurora: 30 companies? 30 is just who got caught and publicly humiliated. The real answer is "EVERY company". If there's one organization that knows irony it's... Nation-states as well are just one implementation of that.