Thursday, February 15, 2018

Indicators of Nation-State Compromises

What team composition counters what is an extremely complex question with direct applicability to the level of complexity we see around cyber war decision making.

So while I enjoy talking about Overwatch, I'm not doing so on this blog for the fun of it. There is a fundamental difference worth pointing out between our "game theory of deterrence" and our evolving understanding of cyber war which is best illustrated by the complexity of modern gaming. I'm not going to point fingers at any particular paper, but most papers on the game theory of cyber war use ENTIRELY TOO SIMPLE game scenarios. Maybe political science departments need to play more Overwatch?

Here's two problems I have run into in the policy space:

  1. I found an implant on my nuclear energy plant and I'm not sure if it's just in the wrong place, or deliberately targeting this plant for espionage, or targeting this plant as a precursor for turning off the power to Miami-Dade.
  2. I found an implant on the Iranian president's network, which I also have an implant on, and I want to know if I should "remove it" or if I should back off because I'm already getting all the take from this network via partner programs of some sort
  3. I found an implant on an ISIS machine, which needs to let me know that it is about to be used to do something destructive, and I should not install "next" to it for fear of getting detected when it does so

Instead of doing a program that is all about diplomats and lawyers meeting constantly to try to work out large global norms around these issues, which invariably will result in long (and completely useless) lists of "Places that should not be hacked" and "Effects your trojans may not cause!", I want to do something that works!

Let's go into this with eyes wide open in that we have to assume the following:

  • We hack our allies and vice versa
  • Our allies hack systems we also want to hack
  • Someone could in theory reuse our own technology against an ally
  • Allies are not going to want to let us know exactly which machine they caught us on

Obviously the first take on solving these sorts of problems is going to be a hotline. You would have someone from one State Dept call up the US State Dept and say "Hey, we found this thing...is this something you think will do serious damage if we uninstall it?"

This has problems in that the State Dept is probably not aware of our programs, and may not know who to call to find out. Likewise, any solutions in this space need to work at wire speed, and be maintainable "in code space" as opposed to "in law space".

So here is my suggestion. I want a server that responds to a specialized request that contains a sort-of-Yara rule, with some additional information, that lets you know if an implant or exploit is "known" to you as being in that particular network or network type. The server, obviously is going to federate any questions it gets. So while the request may have come into the US State Dept, it may be getting answered by a NATO partner. You would want to rate-limit requests to avoid the obvious abuses of a system like this by defenders.

The offensive teams hate any idea of hints of attribution, but life is about compromises, ya know, pun intended. :)

No comments:

Post a Comment