
April 15, 2017

Shadow Brokers, or the hottest security product to buy in 2018

For the past three years and change, the security industry has been mesmerized by a steady trickle of leaks that expose some of the offensive tooling belonging to the Western world's foremost intelligence agencies. To some folks, the leaks are a devastating blow to national security; to others, they are a chilling peek at the inner workings of an intrusive security apparatus that could be used to attack political enemies within.

I find it difficult to get outraged at revelations such as the compromise of some of the banking exchanges in the Middle East, presumably to track the sources of funding for some of our sworn enemies; at the same time, I'm none too pleased about the reports of the agencies tapping overseas fiber cables of US companies, or indiscriminately hacking university e-mail servers in Europe to provide cover for subsequent C&C ops. Still, many words have been written on the topic, so it is not a debate I am hoping to settle here; my only thought is that if we see espionage as a legitimate task for a nation state, then the revelations seem like a natural extension of what we know about this trade from pre-Internet days. Conversely, if we think that spying is evil, we probably ought to rethink geopolitics in a more fundamental way; until then, there's no use complaining that the NSA is keeping a bunch of 0-days at hand.

But in a more pragmatic sense, there is one consequence of the leaks that I worry about: the inevitable shifts in IT policies and the next crop of commercial tools and services meant to counter this supposedly new threat. I fear this outcome because I think that the core exploitation capabilities of the agencies - at least to the extent exposed by the leaks - are not vastly different from those of a talented teenager: somewhat disappointingly, the intelligence community accomplishes its goals chiefly by relying on public data sources, on attacks against unpatched or poorly configured systems, and on the fallibility of human beings. In fact, some of the exploits exposed in the leaks were probably not developed in-house, but purchased through intermediaries from talented hobbyists - a black market that has been thriving over the past decade or so.

Of course, the NSA is a unique "adversary" in many other ways, but there is no alien technology to reckon with; and by constantly re-framing the conversation around IT security as a response to some new enemy, we tend to forget that the underlying problems that enable such hacking have been with us since the 1990s, that they are not unique to this actor, and that they have not been truly solved by any of the previous tooling and IT spending shifts.

I think that it is useful to compare computer spies to another, far better understood actor: the law enforcement community. In particular:

  1. Both the intelligence agencies and law enforcement are very patient and systematic in their pursuits. If they want to get to you but can't do so directly, they can always convince, coerce, or compromise your friends, your sysadmins - or heck, just tamper with your supply chain.

  2. Both kinds of actors operate under the protection of the law - which means that they are taking relatively few risks in going after you, can refine their approaches over the years, and can be quite brazen in their plans. They prefer to hack you remotely, of course - but if they can't, they might just as well break into your home or office, or plant a mole within your org.

  3. Both have nearly unlimited resources. You probably can't outspend them and they can always source a wide range of tools to further their goals, operating more like a well-oiled machine than a merry band of hobbyists. But it is also easy to understand their goals, and for most people, the best survival strategy is not to invite their undivided attention in the first place.

Once you make yourself interesting enough to be in the crosshairs, the game changes in a pretty spectacular way, and the steps to take might have to come from the playbooks of rebels holed up in the mountains of Pakistan more than from a glossy folder of Cyberintellics Inc. There are no simple, low-cost solutions: you will find no click-and-play security product to help you, and there is no "one weird trick" to keep you safe; taping over your camera or putting your phone in the microwave won't save the day.

And ultimately, let's face it: if you're scrambling to lock down your Internet-exposed SMB servers in response to the most recent revelations from Shadow Brokers, you are probably in deep trouble - and it's not because of the NSA.

1 comment:

  1. Love what you wrote. It is interesting to me that if I read this post with the perspective of geopolitics, it makes sense. When I switch it to mean "only politically-motivated cyber espionage" or, even more differently, "only economically-motivated cyber espionage", it tends to take a different twist to me. Something to think about because not every nation or government agency (or division within a government agency) has the same goals. Before you throw around the word evil, we should learn another lesson from law enforcement that we can compare to national intelligence: that intention is core to everything, criminal law's mens rea.

    Products and services sold, even by a small 3-person security boutique private company with no VC, must unify towards strategic (e.g., Hubbard AIE), operational (e.g., MITRE ATT&CK), tactical (Measure of Effectiveness such as Mean-Time To Know), and remedial (Measures of Performance, such as Mean-Time To Identify) frameworks built on standardized models with standardized language. If a product only affects one Technique (e.g., Standard Application Protocol) over one Tactic (e.g., Command and Control) and this can be mapped to calibrated-confidence intervals that fit a loss-exceedance probability curve and risk-tolerance curve (i.e., one of the Hubbard AIE approaches for challenging spend in risk decisions) -- then we have a way forward. We have been saying "no silver bullets" for years, yet this is all we hear from security leadership. Ask, "Where, how, and to what degree?". Always use the standardized frameworks and language in the answer(s). Don't settle for less.