Wed, 8 Jun 2011

Threat Modeling vs Information Classification

Over the last few years there has been a popular meme talking about information-centric security as a new paradigm, superseding vulnerability-centric security. I've long struggled with the idea of information-centricity being successful, and in replying to a post by Rob Bainbridge, quickly jotted some of those problems down.

In pre-summary, I'm still sceptical of information-classification approaches (or information-led control implementations) as I feel they target a theoretically sensible idea, but not a practically sensible one.

Information gets stored in information containers (to borrow a phrase from Octave) such as databases or file servers. Each container then needs to inherit a classification based on the information it stores. That's easy if it's a single-purpose DB, but what about a SQL cluster (consolidated to reduce processor licences) or even end-user machines? These have to be moved up the classification chain because they may store some sensitive information, even if they spend the majority of their time pushing not-very-sensitive information around. In the end, the hoped-for cost-saving, focus-inducing prioritisation doesn't occur and you end up having to deploy a significantly higher level of security to most systems. Potentially, you could radically re-engineer your business to segregate data into separate networks, as some PCI de-scoping approaches suggest, but, apart from being a difficult job, this tends to counter many of the business benefits of the data and system integrations that led to the cross-pollination in the first place.

Next up, I feel this fails to take cognisance of what we call "pivoting": the escalation of privileges by moving from one system, or part of a system, to another. I've seen situations where the low-criticality network monitoring box is what ends up handing out the domain administrator password. It had never been in scope for internal or external audits, none of its vulns showed up on your average scanner, it held no sensitive info, etc. Rather, I think we need to look at physical, network and trust segregation between systems first, and then at data. It would be nice to go data-first, but DRM isn't mature (read: simple and widespread) enough to provide us with those controls.

Lastly, I feel information-led approaches often end up missing the value of raw functionality. For example, a critical trade execution system at an investment bank could have very little sensitive data stored on it, but the functionality it provides (i.e. being able to execute trades using that bank's secret sauce) is hugely sensitive and needs to be considered in any prioritisation.

I'm not saying I have the answers, but we've spent a lot of time thinking about how to model how our analysts attack systems, and whether we could "guess" the results of multiple pentests across the organisation systematically, based on the inherent design of your network, systems and authentication. The idea is to use that model to drive prioritisation, or at least a testing plan. This is probably more closely aligned with the idea of a threat-centric approach to security, and suffers from a lack of data in this area (I've started some preliminary work on incorporating VERIS metrics).

In summary, I think information-centric security fails in three ways: by providing limited prioritisation due to the high number of shared information containers in IT environments, by not incorporating how attackers move through a network, and by ignoring business-critical functionality.
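To make those three failure modes concrete, here is a small added example (constructed for this post; it is not SensePost code and describes no real environment). It holds a toy inventory of information containers with classification labels, plus the trust relationships between hosts. The information-centric rule classifies each container by the highest label it stores; the threat-centric rule instead asks what label an attacker can reach by pivoting along trust edges from that host; and a separate table records the value of the function a host provides, independent of its data. All host names, datasets, labels and trust edges are made up.

```python
from collections import deque

# Ordering of classification labels, lowest to highest (constructed scheme).
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Constructed inventory: information container -> datasets it stores, with labels.
CONTAINERS = {
    "sql-cluster":       [("marketing-stats", "internal"), ("payroll", "secret")],
    "file-server":       [("brochures", "public"), ("contracts", "confidential")],
    "monitoring-box":    [("snmp-polls", "internal")],
    "trade-engine":      [("order-book", "internal")],
    "domain-controller": [("directory-credentials", "secret")],
    "user-laptop":       [("email-cache", "internal")],
}

# Constructed trust edges: a -> b means control of `a` yields a foothold on `b`
# (stored credentials, a management agent, shared local admin, and so on).
TRUST = {
    "user-laptop":       ["file-server", "monitoring-box"],
    "monitoring-box":    ["domain-controller", "sql-cluster", "trade-engine"],
    "file-server":       [],
    "sql-cluster":       [],
    "trade-engine":      [],
    "domain-controller": ["sql-cluster", "file-server", "trade-engine", "user-laptop"],
}

# Constructed: business value of the *function* a host provides, regardless of stored data.
FUNCTION_VALUE = {"trade-engine": "secret"}


def highest(labels):
    """Return the highest-ranked label from an iterable of labels."""
    return max(labels, key=CLASS_RANK.__getitem__)


def inherited_classification(container):
    """Information-centric rule: a container takes the highest label it stores."""
    return highest(label for _, label in CONTAINERS[container])


def reachable(start):
    """Hosts an attacker controls after compromising `start`, following trust edges (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        host = queue.popleft()
        for nxt in TRUST.get(host, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def pivot_exposure(container):
    """Threat-centric rule: the highest label reachable from this host, not just stored on it."""
    return highest(inherited_classification(h) for h in reachable(container))


def priority(container):
    """Combined rank: stored data, data reachable by pivoting, and the function provided."""
    return highest([inherited_classification(container),
                    pivot_exposure(container),
                    FUNCTION_VALUE.get(container, "public")])


def compare():
    """Per container: (stored label, pivot-reachable label, combined priority)."""
    return {c: (inherited_classification(c), pivot_exposure(c), priority(c)) for c in CONTAINERS}


if __name__ == "__main__":
    for host, (stored, exposed, prio) in compare().items():
        flag = "  <- underrated by data-only classification" if prio != stored else ""
        print(f"{host:18} stored={stored:13} reachable={exposed:13} priority={prio}{flag}")
```

Run as-is, the monitoring box is "internal" by what it stores but "secret" by what it can reach, and the trade engine is "internal" by data but "secret" by function, which is exactly the gap the post describes. The trust graph is the part that needs real data; in practice it comes from the design review or pentest findings the post mentions, not from the inventory alone.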

Tue, 7 Jun 2011

From the International Conference on Cyber Conflict

The text that follows is a short statement I prepared for the press ahead of my presentation at 'The International Conference on Cyber Conflict' (http://www.ccdcoe.org/ICCC/) in Tallinn, Estonia. It felt like I had a very mixed response, so I'd be interested to hear what others think…

My background and context

Any opinion can only be understood if you also understand its context. Therefore, in order to understand the thinking that follows, you also have to understand my perspective. Three aspects of my context affect my thinking here:
  1. My business is Attack and Penetration testing. I have little insight or experience beyond that narrow field and therefore my view will be skewed by my professional experiences.
  2. Our business is primarily based in South Africa. Hence much of my perspective is formed by making my living in a developing country.
  3. I am no expert on international policy. Hence my hope is that my views can help to inform policy. I'm not attempting to dictate policy in any way.
It should be noted that these are the perspectives I was asked to bring to the event.

In the piece that follows I will make five basic hypotheses, namely:

  1. Information warfare is real
  2. Information warfare is asymmetrical
  3. Countries like South Africa can't defend themselves
  4. Neither can other countries
  5. This reality must surely impact cyber policies world-wide

Information warfare is real

My first point is that 'information warfare' or 'cyber warfare' (by some definition) is real and is happening already today. Certainly, even if we are not seeing actual 'battles' being fought, the so-called 'military digital complex' described by Dr Dan Geer exists and is busy accumulating skills, technology and cyber territory as we speak. If the general public was not aware of this already, then this fact became blatantly clear from the email correspondence of information security firms 'HBGary', 'Palantir' and 'Endgame Solutions', which recently got publicly released after HBGary's systems were allegedly breached by the hacker collective known as 'Anonymous'.

Information warfare is asymmetrical

My next point is that information warfare is asymmetrical, with the cards stacked massively in favor of the attacker. Those of us doing so-called 'red team' work have always argued that the defender has to be successful all of the time, while the attacker only has to be successful once, which suggests that a successful compromise of any given target is always just a matter of time and money.

This fact is graphically illustrated by the apparent success of the Stuxnet attack against the Iranian nuclear enrichment program at Natanz. By all accounts Stuxnet was a devastatingly successful attack launched by one nation or group of nations against key national infrastructure of another nation. It bypassed all reasonable security controls and could easily have been more destructive, potentially even causing loss of life. All that at the measly price of between $500,000 and $2 million - apparently less than what the US Air Force currently spends in a day.

When it comes to securing an entire country against a well-funded and well-equipped adversary this is even more true, because governments have a dependency on systems and infrastructure for banking, administration, utilities, industry and communications that they do not control. Security in many of these industries is still very poor and, even if governments did apply themselves to improving security as a matter of national policy, I would argue that it may already be too late and that many systems are already compromised by malicious software, some of which will be too sophisticated to detect and remove on the scale required.

A simple analogy for what I'm saying here can be seen in the recent Wikileaks saga. We tend to think of the Wikileaks saga in terms of Julian Assange and the 'leak', but really what we should be considering is the fact that over 500 thousand people apparently had access to the so-called 'secret' documents that Assange ultimately released to the world. It's a problem of scope: How can a government hope to protect something that is being accessed by half a million people, and how can we begin to believe that, with that level of exposure, the security of SIPRNET hadn't already been breached multiple times before?

Now you can see why information warfare is asymmetrical and why it is almost impossible for an entire country to defend itself. This is the core element of my hypothesis this week.

Countries like South Africa can't hope to defend themselves

If it's true that information warfare is real, and that it's asymmetrical as I've argued, then where does that leave countries like my home, South Africa? South Africa is a typical developing country: Situated at the very tip of Africa, the country is a greedy adopter of new technologies like mobile telephony, nuclear power, e-government and online banking that support growth and upliftment of our people, but plagued by HIV/AIDS, crime, high unemployment and poor systems of education, we don't have the skills or financial resources to invest in the kind of security we would need to even begin to defend ourselves. South Africa is "connected", but not "protected".

If my government were to approach me and ask: "How can we defend ourselves in this new realm of cyber warfare?" I would have to answer: "We can't". So what option is left to South Africa? Either we can ignore the problem and hope it goes away, or possibly we can develop our own offensive capability to act as a deterrent to would-be attackers. I'm not sure whether this strategy would work, but I do believe that it would at least be feasible to implement, which a defensive strategy is ultimately not. If you accept our previous assertion that a capability like Stuxnet could be developed for just a few million dollars, then even South Africa could afford to get in on the cyber warfare game and potentially strike a few retaliatory blows against its enemies or would-be enemies and thereby maintain a kind of uncomfortable peace. Rather than developing such a capability, we could acquire one commercially, or possibly join a treaty to obtain one, but it strikes me as basically the same thing.

But neither can other countries

But here's the twist: What's true for small, developing countries like South Africa is actually also true for all countries. The size of your country does not fundamentally alter the asymmetry of the equation: The attacker still has the advantage. One could even argue that the bigger your country, and the more connected your systems are, the more vulnerable you are to attack. If this argument is true, that means almost all countries will be presented with the same lack of strategic options for cyber warfare that South Africa has.

So where does it all go from here?

Thus far I have argued that we are (finally) seeing the dawn of a new cyber battle space and that in this new battle the odds massively favor the attacker. I've argued that information and information systems are simply too large, too complex and too inter-connected to defend, and that incidents like Stuxnet and Wikileaks will therefore, inevitably, become more commonplace. I've also suggested that this is probably just the tip of the iceberg.

I've argued that this new reality poses a real national-security challenge to small and emerging countries like South Africa who are 'connected' but can never really be sufficiently 'protected' to defend themselves against a well funded adversary. I surmised that this is true (to a greater or lesser extent) for all countries, no matter how large or powerful.

If this analysis is accurate then it is my opinion that countries have two options going forward. Now, I am no military or political scientist so my domain of expertise is being severely stretched here, but the two options I see are:

  • Cyber neutrality and information freedom
or
  • A cyber arms race and Mutually Assured Destruction
In the first option governments can accept that information and information systems cannot be defended against all threats and endeavor to shape local and international affairs in such a way that conflict is avoided, there are no secrets, and there is shared benefit in keeping their information systems alive and connected to the rest of the world.

I love this view of the future as it resonates deeply with the original hacker ethos in which I was 'raised', but I have to confess that I struggle to imagine it being real.

In the second model countries will endeavor to defend themselves by building deterrents - tools of mass cyber destruction aimed at their enemies with the threat of destructive digital force. As history has shown us during the Cold War it seems to me that this approach will ultimately reach a kind of digital stand-off where no single country can afford to unleash its weapons for fear of also destroying itself and the conflict will be reduced to an endless series of spy-vs-spy intrigues and counter-intrigues that will play off in the computers of every government, business, school and even home in the world.

There may be a third option, but if there is I fail to see it. One thing is clear: Unless governments, NGOs, thinkers like Tom Wingfield and other leaders act quickly to highlight and address these challenges then history will take its inevitable course and my colleagues and I will soon all be wearing uniforms and working for the military.

Thank you.