Cyber Warfare Analysis - You're Doing It Wrong
Tuesday, March 15, 2011
Media and politicians have seemed to hook the term cyberwarfare into what is slowly becoming a household term.
I am not just stating this for the sake of stating this, but when my soon to be ten year old is telling his friends on XBox Live: "My dad does cyberwarfare," I become amused to see how he gets it wrong in similar fashion to media, politicians and even those involved in the intelligence agencies in the United States of America.
For the better part of fifteen years, I have been an avid fan of the history of intelligence. From a military standpoint and analytical standpoint, I enjoy being able to take an outside view at what it is a country does when it comes to intelligence.
Some of my favorite sites concerning intel and military related reading have been, the Federation of American Scientists, Global Security, Janes, Cryptome, CIA. The information is intriguing and while it may not offer a concise view of the entire scope of the "gears of war," it does offer much insight.
Had I have to count the number of books I have read on the subject, I would have to place the count at between 50 and 75 with my current reading material being: "Intelligence Analysis - How to Think In Complex Environments." by Wayne Michael Hall, Brigadier General (Retired), U.S. Army and Gary Citrenbaum, Ph.D.
With this brief rambling out of the way, I would like to explain to those willing to read between the lines, why we (the United States of America) fail and will continue to fail at "Cybersecurity Analytics." The answer is not a complex one and is not based on "complexity theories", "signatures", "observables" or any of the traditional points of view. The answer is simply, anonymity and it has nothing to do with the hacker group. Anonymity per wiki: "without a name" or "namelessness".
In colloquial use, anonymity typically refers to the state of an individual's personal identity, or personally identifiable information, being publicly unknown. This is and will forever be the problem with tracing a cyberwarfare attack, anonymity. Sure we can track an IP address to give us an indication of where the attack came from however, far too many factors enhance the capability to remain anonymous from an attacker's perspective.
With that said, picture yourself not only looking for a needle in the haystack, but a needle in a haystack the size of Alaska. Someone can come around and arrogantly snicker: "We've got metal detectors to find that needle" to which I say: "Good luck, what do you plan on doing if someone casually tossed 100 throwaway needles while hiding?"
From the Intelligence Analysis book, "advanced analysis " "the high-level cognitive processes producing specific, detailed thought and understanding of OE, and knowledge superior to that possessed by the adversary.” Advanced analysis has 14 cognitive functions.
While the book is not "cyberwarfare-centric," many concepts concerning warfare (IW, UW) are intermingled by politicians and intelligence agencies to produce what they perceive as some form of "tangible intelligence" to be used in analyzing cyberwarfare. "You're doing it wrong."
IA's 14 cognitive functions are listed as:
1) Decomposition. Mentally breaking a thought or activity into its basic elements.
2) Critical thinking. An intellectual process that “examines assumptions, discerns hidden values, evaluates evidence, and assesses conclusions.”
3) Link analysis. Decomposing and gaining understanding and insight into behavioral and/or functional relationships, means of communicating, or being connected.
4) Pattern analysis. Discerning a consistent series of related actions or events.
5) Trend analysis. Discerning meaning from functionally oriented events or activities that occurred in the past to understand how functionally similar events or activities could happen in the future.
6) Anticipatory analysis. Using thought, intuition, foreknowledge, knowledge, experience, or prescience to realize in advance what the adversary or competitor might do and testing, confirming, or denying the hypothesis or postulate.
7) Technical analysis. Gaining knowledge and understanding about the technical aspects of particular events, situations, activities, and transactions.
8) Tendency analysis. Discerning meaning through thought and study of the general proclivities of people, the behavioral and action inclinations of organizations, mental snapshots of current environment or context situations, events, activities, and behaviors, the emanation dispersal of energy emissions, and what the interaction and enmeshing of all could portend for the future.
9) Cultural intelligence analysis. Knowing a particular culture, its people, and their patterns of behavior as derived from traditional culturally induced attitudes, behaviors, social norms, and conditions.
10) Anomaly analysis. Discerning a departure from the normal or common order, form, or rule; absence of what is expected.
11) Semiotics analysis. Discerning meaning of cultural signs and symbols as reflected in drawings, paintings, photographs, syntax, words, sounds, body language, and graffiti.
12) Aggregation analysis. Discerning meaning of several things, whether numbering from a few to millions, which are grouped, moving, working together, and considered as a whole.
13) Recomposition. Cognition- and machine-driven recompilation of parts to understand the whole.
14) Synthesis. Combining elements of substances to form a coherent whole.
They Might Be Giants... While the 14 cognitive functions can help on an actual battlefront, the fact will remain that they mean little in a world that does not exist. That is, the Internet is not a world, its is a mesh of networks where anonymity will reign supreme for the unforeseeable future.
From my perspective as a "hacker" slash security engineer slash professional slash SME, here are my counters to the 14 cognitive functions. I will call them the "Byronic Functions" since I am a fan of the television show "Lie to Me."
My "Byronic Functions" are not meant to give anyone an indication of "how to think" when it comes to analyzing cyberwarfare but instead give a twist to the 14 cognitive functions, the counterpoints from a cyberwarfare perspective. I could have called it the 10 Cyberwarfare Commandments, but that would be too Hollywoodish media whoring (excuse the term, but reality is what it is.)
1) Decomposition. Would be a waste of time and resources. By attempting to break down the processes and procedures of what occurred, we are throwing money into a bottomless pit. Had we taken the time to focus on security procedures and processes correctly, we would have a better outcome in defending the castle from day one.
2) Critical thinking. Needs to come second to creative thinking. Cyberwarfare - hereby referred to as malicious hacking (whether it is a DoS attack or full compromise) is more of an art than it is a technical process that one can learn. While critical thinking does have its value, its value should always be secondary to "thinking outside of the box."
When someone can explain in layman's terms: "How would you do it" with proof of concept versus rambling gibberish of "bypassing, ASLR through reverse osmosis and taxonomies of cross-vector paralysis of mental acuity" explanations while showing pie charts, then we have true winners.
3) Link analysis. LA is difficult to maintain because of anonymity. Applications such as Palantir and Maltego may have value, but the reality is, here today, gone the next minute. I will expand on this and reference back to this later.
4) Pattern analysis. While valuable, can be the downfall of an analytical function. This need be said because of the inherent use of decoys and deception when it comes to cyberwarfare. For example, while performing professional red-team slash blackhat penetration tests, I always (repeat) always use decoy scans. I do this to become lost inside a barrage of information. Should you want to waste resources (money, time, personnel) chasing down someone who may not be at say 126.96.36.199 or 188.8.131.52 feel free. Your loss.
5) Trend analysis. Another waste of resources in the case of cyberwarfare. While briefly mentioning the use of decoys, the reality is, technology changes too fast to make much use of data. When it comes to cyberwarfare, I would be more concerned with high level attackers. The types that rarely leave fingerprints.
With that said, I believe in inverting the analysis. Forget about what is coming into your network, what is leaving your network. As Richard Bejtlich states, "Extrusion Prevention." The goal: forget trying to get people to STOP from knocking on your door, focus on getting your people to stop wasting time and resources in ANSWERING the door when they know that by this point in time, there will be no-one there when they answer that door.
6) Anticipatory analysis. "Tomorrow is another day" said the Captain Obvious caption. Realize you will always be a target however go back and re-read my #'s 1, 2, 3, 4 and 5.
7) Technical analysis. We live, we learn. Do we need to revisit what we did yesterday? We can never go back. Focus on the here and now. There are many great resources available to defend an infrastructure, why are we still letting politics bog us down.
We must want ourselves to fail. Instead of wasting more resources figuring out what the enemy is doing, I say split the resources into defending the now and creating wargaming scenarios. There is no reason on planet earth why military branches and governments shouldn't have their own "fuzzying" departments.
8) Cultural intelligence analysis. Completely irrelevant to cyberwarfare... I will explain this one. Imagine for a moment what we perceive is an attack from an enemy against say the electric grid. Now imagine a scolded teenager sent to his room fiddling around with applications that he perceives is sending innocuous data to a target.
He understands little about "objectives" or "goals" but he does understand that he can take out his anger while on his iPad during his punishment on any target he chooses. While he is not an enemy of the state, he is committing the same actions as a enemy would. This is what I believe has been done with many of the malicious attackers from certain "cybercriminal groups."
9) Anomaly analysis. See my number 5. Anomalies from the outside can be purposely sent into the course of normal networks. The purpose of this would be to saturate the network with such bogus information that any analysis becomes fruitless. Many Intrusion Detection Systems engineers have long learned to ignore what they deem as false positives. The same applies to cyberwarfare.
Forget what is coming into your network, focus on locking it down followed by what is LEAVING your network. For example, if an attacker is coming from say the 184.108.40.206/8 block in Asia, I cannot stop him from making that connection however, I CAN control what my systems are doing. I CAN stop my machines from connecting BACK TO HIM (answering.)
10) Recomposition. Forget recompiling to understand the whole. How about recompiling to generate a far worse attack. This assists in quite a few ways. a) It allows us to wake up and smell the coffee by creating our own offensive cyberwarfare capabilities and b) It allows us to go back and test our own selves with our own nightmarish attacks.
Everything has been done at some point or another when it comes to "cyber" anything. The harsh reality is, we have become so focused on what someone wants to do to us, that we waste so much effort and resources in trying to understand an attacker we can never accurately pinpoint. Isn't it time we shift resources to the right application.
While I would like to expand on my Byronic Functions more, reality is, I have coffee to drink, a cigarette to smoke, industrial music to listen to. This followed by the sad reality that many just keep "doing it wrong."
Cross-posted from Infiltrated