Thursday, February 15, 2018

Indicators of Nation-State Compromises

Which team composition counters which is an extremely complex question, and that complexity maps directly onto what we see around cyber war decision making.

So while I enjoy talking about Overwatch, I'm not doing so on this blog for the fun of it. There is a fundamental difference worth pointing out between our "game theory of deterrence" and our evolving understanding of cyber war which is best illustrated by the complexity of modern gaming. I'm not going to point fingers at any particular paper, but most papers on the game theory of cyber war use ENTIRELY TOO SIMPLE game scenarios. Maybe political science departments need to play more Overwatch?

Here are a few problems I have run into in the policy space:

  1. I found an implant on my nuclear energy plant and I'm not sure if it's just in the wrong place, or deliberately targeting this plant for espionage, or targeting this plant as a precursor for turning off the power to Miami-Dade.
  2. I found an implant on the Iranian president's network, which I also have an implant on, and I want to know if I should "remove it" or if I should back off because I'm already getting all the take from this network via partner programs of some sort.
  3. I found an implant on an ISIS machine, which needs to let me know that it is about to be used to do something destructive, so that I don't install "next" to it for fear of getting detected when it does so.

Instead of doing a program that is all about diplomats and lawyers meeting constantly to try to work out large global norms around these issues, which invariably will result in long (and completely useless) lists of "Places that should not be hacked" and "Effects your trojans may not cause!", I want to do something that works!

Let's go into this with eyes wide open in that we have to assume the following:

  • We hack our allies and vice versa
  • Our allies hack systems we also want to hack
  • Someone could in theory reuse our own technology against an ally
  • Allies are not going to want to let us know exactly which machine they caught us on

Obviously the first take on solving these sorts of problems is going to be a hotline. You would have someone from one State Dept call up the US State Dept and say "Hey, we found this; is this something you think will do serious damage if we uninstall it?"

This has problems in that the State Dept is probably not aware of our programs, and may not know who to call to find out. Likewise, any solutions in this space need to work at wire speed, and be maintainable "in code space" as opposed to "in law space".

So here is my suggestion. I want a server that responds to a specialized request that contains a sort-of-Yara rule, with some additional information, that lets you know if an implant or exploit is "known" to you as being in that particular network or network type. The server, obviously, is going to federate any questions it gets. So while the request may have come into the US State Dept, it may be getting answered by a NATO partner. You would want to rate-limit requests to avoid the obvious abuses of a system like this by defenders.
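To make the sketch concrete, here is an added toy model of that service (my illustration, not Immunity's code or any real government system). It assumes a constructed rule format (network type plus file hashes and C2 hosts), a local knowledge base per node, per-requester token-bucket rate limiting, and federation to peers with a hop limit. Answers are only "known", "unknown" or "rate_limited", so a partner confirms that something is theirs without saying which machine they caught it on; node names, hashes and hosts are all made up for the example.

```python
"""Federated 'is this indicator known?' de-confliction lookup with rate limiting.

Added illustration of the design sketched in the post. Rule format, node names,
rate limits and indicators are constructed for the example.
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """A 'sort-of-Yara' query: what the asker found, and on what kind of network."""
    network_type: str          # constructed taxonomy label, e.g. "energy/nuclear"
    sha256: frozenset[str]     # file hashes of the implant components found
    c2_hosts: frozenset[str]   # listening posts the implant talks to


class TokenBucket:
    """Per-requester rate limit so the service cannot be used as a free oracle."""

    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock
        self.tokens = float(capacity)
        self.last = clock()

    def allow(self) -> bool:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


@dataclass
class Node:
    """One participant (say, a State Dept endpoint) with its own knowledge base."""
    name: str
    # network_type -> indicators (hashes or C2 hosts) this node knows are its own
    known: dict[str, set[str]]
    peers: list["Node"] = field(default_factory=list)
    buckets: dict[str, TokenBucket] = field(default_factory=dict)
    rate: tuple[int, float] = (3, 0.0)        # outside requesters: 3 queries, no refill
    peer_rate: tuple[int, float] = (100, 1.0)  # federation partners get a larger budget

    def _bucket(self, requester: str) -> TokenBucket:
        if requester not in self.buckets:
            is_peer = requester in {p.name for p in self.peers}
            cap, refill = self.peer_rate if is_peer else self.rate
            self.buckets[requester] = TokenBucket(cap, refill)
        return self.buckets[requester]

    def _matches_locally(self, rule: Rule) -> bool:
        mine = self.known.get(rule.network_type, set())
        return bool(mine & (rule.sha256 | rule.c2_hosts))

    def query(self, requester: str, rule: Rule, ttl: int = 2) -> str:
        """Return 'known', 'unknown' or 'rate_limited'. Never says whose it is."""
        if not self._bucket(requester).allow():
            return "rate_limited"
        if self._matches_locally(rule):
            return "known"
        if ttl <= 0:
            return "unknown"
        # Federate under our own name (not the original requester's) with a hop
        # limit, so queries cannot loop between peers forever.
        for peer in self.peers:
            if peer.query(self.name, rule, ttl - 1) == "known":
                return "known"
        return "unknown"


def build_demo() -> tuple[Node, Node, Rule, Rule]:
    """Constructed scenario: the US node knows nothing about the implant, its NATO peer does."""
    us = Node("us-state", known={"energy/nuclear": {"c2.us.example.invalid"}})
    nato = Node("nato-partner", known={"energy/nuclear": {"a" * 64}})
    us.peers.append(nato)
    nato.peers.append(us)
    partner_implant = Rule("energy/nuclear", frozenset({"a" * 64}), frozenset({"lp1.example.invalid"}))
    nobodys_implant = Rule("energy/nuclear", frozenset({"b" * 64}), frozenset({"lp2.example.invalid"}))
    return us, nato, partner_implant, nobodys_implant


if __name__ == "__main__":
    us, nato, partner_implant, nobodys_implant = build_demo()
    print(us.query("plant-ir-team", partner_implant))   # known (answered by the peer)
    print(us.query("plant-ir-team", nobodys_implant))   # unknown
```

The two knobs that matter in practice are the hop limit (so a federation of N partners does not turn one query into N squared) and the separate budgets for partners versus outside requesters; without the latter, one noisy defender exhausts the budget a peer node has for you and every later answer silently degrades to "unknown".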

The offensive teams hate any idea of hints of attribution, but life is about compromises, ya know, pun intended. :)

Saturday, February 10, 2018


Overwatch games have six players on a team. It's a common thing to ask for "2-2-2" at the beginning of a game, meaning you want your team to organize into two healers, two tanks, and two DPS. In hacking terms, what this means is that you need to invest in all three: exploits, implants, and a sustain/exfiltration crew.

"Ready for...?"
That sounds obvious, I can hear you say in your head. Who would invest only in exploits? Who would have only implants? How far can you get with only a sustain crew? Lots of idiots, lemme tell you. Everyone thinks DPS is the fun part so why would anyone play the other team roles? It is the same in hacking.

The truth is that any team comp can be a very viable strategy, but unbalanced comps tend to be the result of immature CNE efforts. Balance and coordination are the sign of mature - and successful - programs. You may find advanced teams using primitive toolchains and simple strategies to great success because they've built a program with the proper team composition.

People (including me on this blog!) like to measure adversary programs by the sophistication of their tools. But what true teams have is rapid turnaround on exploits, completely unique implants, and massively creative sustain while inside. They take every small advantage - every tiny mistake the defenders make - and turn it into domain admin. 

Friday, February 9, 2018


So if you watch Overwatch League you know that there are three major classes of characters who show up at the pro-level:

  • Healers (Providing SUSTAIN)
  • Damage Dealers (Penetrating into space)
  • Tanks (Holding space)

Heroes never die.

In our game-theory model we use tanks as synonyms for Implants. Damage dealers are clearly your initial operator team or automated toolset which penetrate into adversary networks. Healers are your sustain. But what is sustain, when it comes to CNE?

I have a very particular definition of sustain which is best illustrated by a story I heard recently from Law Enforcement about a hacker who got caught after ten years of having his implants on a regional bank. Every day, for ten years, he had logged in and maintained his presence on that network. Think of the dedication that requires.

But he's not alone. Right now, all over the world, hackers are waking up and visiting thousands of networks, making sure logs are being deleted, gathering new passwords that have changed, moving from host to host to avoid detection, looking to make sure no one is investigating their boxes. There's a giant list of things you have to do - reading the admin's mail to see when upgrade cycles are scheduled and then planning how to stay installed through that kind of activity is not easy!

But just as in Overwatch, this game is won or lost not by how great your DPS is, and sometimes not by the sophistication of your implants, but purely on sustain.

Wednesday, February 7, 2018

Changing the Meta: The Evolution of Anti-Virus

Extremely accurate graphical timeline of AV changes...there has been a LOT of innovation here yet everyone's mental picture is still signature based systems!

So when we talk about the changing Meta of cyber war, I believe that many people have somehow ignored the massive disruptions happening in the defensive "Anti-Virus" market.

Looking at AV from the offensive side, there are many things you have to now take into account, including VirusTotal, Cloud Reputation Systems burning your executables, Cloud Reputation Systems burning your C2/dropper web sites, malware heuristics catching you, VM-detonation systems catching you, anti-rootkit systems messing with you, other implants running their own private analysis against you, etc.

In other words, it's a rough world out there for implants ever since about 2010, and only getting rougher.

But the biggest change, the one that altered the Meta forever, in my opinion, was the switch to reputation-based systems from signatures and heuristics. Being able to see and predict this and engineer around it drove attacker innovation for some time. This affected policy as well, because now targets that normally would be of no value became of huge value because of their reputational quality. What are the policy implications of stealing certificates from random Hong-Kong based software providers to hack random other people?

In fact, there were many attacker responses, all of which were predictable, to this meta-shift:

  • Attacking of cloud AV providers (for example, the Israeli team on Kaspersky's network)
  • Coopting of cloud-AV providers (which is what DHS claims it is worried about re: Kaspersky)
  • Full-scripting language implants (aka, PowerShell implants, Chinese webshells)
  • Implants which run only as DLLs inside other programs (and hence, don't need reputation against earlier systems which did not check DLLs)
  • Watering hole attacks (for both exploitation and C2)
  • Large scale automated web attacks (for gathering C2 Listening Posts)
  • Probably more that I'll think of as soon as I post this. :)

The next meta-change is going to be about automated response (aka, Apoptosis - see MS Video here), as the Super-Next-Gen systems are about to demonstrate. So my question is: Have we predicted the obvious attacker responses?

Monday, February 5, 2018

Policy is just cyber war by other means

S4 published a video of my talk. Rewatching it, it feels disjointed to me. So to summarize the points I was trying to make:

  1. Current policy team in cyber is largely spinning its wheels for various and predictable reasons
  2. Applying more complex game theory is a fruitful thing to do when trying to build a predictive framework around cyber war
  3. Non-state actors are the driving actors, and cannot be ignored in our risk equations

Monday, January 29, 2018

Non-State Actors Practice Deterrence!

I know it's going to annoy the International Relations/Law people when I say this, but non-state actors have a more developed deterrence methodology in the cyber domain than state actors at the moment.

There's a whole slide about this in the Immunity T2/S4 keynotes:

Governments, including the USG, need to be aware of the levers of power projection various private entities have. "Access/Analysis/Remove/Offer" come from the Immunity cyber weapons categorization methodology as explained elsewhere.

To be fair, I think Microsoft and Google can do many things that will, completely legally, hamstring the USG in many ways.

For whatever reason, the thing that has awoken many in Government to this threat is the much more innocuous Strava Heat Map. I know that a month ago if you asked "How would I unmask every US drone base in Africa" the answer would not be an SQLi bug in a jogging data app.

But of course the fact that the international consortium of industry players working on the Meltdown bug were able and willing to keep it a secret from the USG is another interesting data point when it comes to the way private industry can hold its own interests above governments.

One thing I look at with a lot of this technology analysis is whether or not we have crossed the cell membrane that separates a world where the USG is a market driver from one where it is considered a niche market and the rivers all run in the opposite direction. For information security, it was true ten years ago that the USG was driving the latest technological trends. They were a huge market and had specialized needs that they were very clear about.

I don't think anyone believes that's the case anymore, and it has massive implications for important things like supply chain security, export control, and strategic issues around technological diffusion and power projection.

Friday, January 26, 2018

What is the merit of a merit-based immigration system?

Last week's Grey's Anatomy had a transsexual hack-back plot-line. It was realistic: The FBI looked after their own interests instead of the victim. And there are a ton of transsexuals in the hacking community. As you might imagine any discipline of iconoclasty has a tendency to fit in well.

This week's Grey's Anatomy had a plot point of a black 14 year old getting shot by cops as he broke into his own house. They don't show the aftermath, but you, if you're doing strategic analysis of the cyber domain, have to think: This is what you would target if you were our adversary. The natural fault line. The military "center of gravity" of the States is a fragile unity when you have Mattis telling his soldiers to "hold the line" and yet we can't stop racist memes from being on the signs in the Overwatch League video stream.

It's a normal thing to explain to some of our kids how to behave around cops so they don't get murdered by them. THIS IS EXACTLY THE SORT OF THING CYBERWAR WEAPONIZES INTO INSURGENCIES.

I have three kids, and one of them is brown enough I don't let him carry toy guns outside the yard.

The most surprising thing to a lot of us is that anyone is surprised at how many neo-Nazis there are in America. Like every time Susan Hennessy is like "Where did all this come from?!?" you have to laugh. A lot of Immunity employees in Miami sometimes fantasize about moving the HQ to a different city. But to me a lot of cities were always out of the running. Miami's justice system can be corrupt, but it's not compromised by a Confederacy.

I've felt it both ways: on one hand I'm chameleon enough because of my vocal intonations, sometimes I can pass - I had one person in a bar in Del Ray ask me if I could understand what it was even like growing up a "person of color" and I almost spit out my beer. On the other hand, in the Florida Keys, which are an hour south of Miami and fifty years behind, I'm my white friend's Hispanic helper to the locals. It's a thing. When girls in Miami flirt with me they often start with "Where are you from?" by which they mean "Why are you brown, exactly?"

I see immigration both ways too. I had a cousin who was a dreamer who had to go back to Peru without knowing more than third grade Spanish. She liked World of Warcraft and computer stuff and that's the shibboleth of being an American as far as I'm concerned. But do companies want a massive increase in H1Bs because it lowers salaries overall? Probably. And I don't think the Democratic proposals are coherent because that's their general policy in life.

A lot of countries use a "merit based" immigration system. They assign points to people based on how likely they are to be of benefit, like going for a job interview at a big company. I remember my job interviews at the NSA, which was for a sort of affirmative action ROTC-like program where they paid for college.

My grades in high school were terrible, and the only reason the NSA was talking to me was I was brown, and my SAT scores were decent, and I wanted to join, because although the NSA was more secret back then, it was still the geekiest thing I'd ever heard of.

Affirmative action is by definition odiously unfair. But on the other hand, I think the NSA did OK with that program. I think it needed a few people who would park their shitty Camry with the FREE KEVIN sticker in the director's spot without even thinking about it, and frankly who cares how they got them? That was a precipitous time and the NSA had a few people who were outside its box right when it needed them.

For a lot of people, the merit they are looking for in their immigration system is one that lets them bring their family to live with them in a place they've come to love. I don't think the NSA knew it was getting a needed skill-set when it hired me so many years ago. They didn't have a points system. I think they took a chance on an unknown who had enough drive to want to be a part of them. And you can't tell me some bureaucrat can think of a better merit than that.

In any case, Immunity is hiring again soon for information security consulting jobs, and you don't have to be brown, or even American.