Dailydave mailing list archives
Re: Strategy
From: "Dan Moniz" <dnm () pobox com>
Date: Sun, 25 Nov 2007 16:09:23 -0500
On Nov 24, 2007 5:37 AM, Dave Aitel <dave () immunityinc com> wrote:
> If you're reading an information warfare book or paper you'll invariably see a lot of:
>
> 1. Inane references to Sun Tzu (or, in some even more horrible cases, any two of Sun Tzu, Clausewitz, and John Boyd)
> 2. Declarations that information warfare is an "asymmetric attack"
>
> It's not asymmetric in the slightest. If you take any significant period of time then the organization with more money has a huge advantage in this game.
>
> That doesn't mean that good strategy doesn't hurt, and I wanted to showcase some examples:
>
> Halvar gave a talk on his malware classification algorithms and at the beginning of the talk he said "This prevents the malware authors from using off-the-shelf compilers. Current AV technologies don't do this since bypassing them requires this five line Python script which I believe the malware authors have automated."
>
> Forcing your opponent to use expensive tools is good strategy. Likewise, choosing to invest in an expensive infrastructure can be good strategy. I believe BinNavi and Immunity Debugger fit this category.
>
> In terms of infrastructure, the US .com and .mil communities decided to save money and purchase a mono-culture of Microsoft technologies. Bad strategies like this result in flailing and moaning as you get defeated over and over by someone with better strategy, not because the battlefield is inherently asymmetric.
>
> - -dave
Almost two years ago, I did an invited talk at a D.C. area conference that I hadn't heard of before and that was primarily catering to intelligence community and homeland security types. I got the feeling that the conference was probably more of a smorgasbord of homeland security/defense commentators, actual IC operators, military, politicos, and associated gadflies than, say, your average seriously technical or seriously military/Pentagon conference, but it was interesting nonetheless.

Since I had an abiding personal interest in the Revolution in Military Affairs (RMA) debate (sometimes called "Transformation" by certain adherents; there are opposing views of what RMA is or means, and the Transformation types tend to argue for advanced battlefield technology above all else) and since this was a mixed audience I hadn't spoken to before, I decided to throw together a short high-level presentation on how I thought RMA applied to computer security. I'll have to dig up the actual presentation off of one of my other machines; in a quick search of email and this machine, I don't seem to have it locally.

The basic thrust (as applies to the asymmetry question, anyway) was this: computer security is highly asymmetric in a classic defense sense because the well-funded defender has to maintain complex systems in order to get work done and has a suitably high investment and operational cost in protecting all that complexity, whereas the attacker can pick and choose any fragile point of the complex system to violate at his or her leisure. Monoculture exacerbates the problem, but I don't think you could arrive at a "heterogeneous enough" system (whose complexity would almost certainly be *greater* than a less heterogeneous system, thus threatening security) where the security benefits of that mixed system significantly outweigh the investment and operational costs and still enable equivalent or greater ability to do work.
In a classic symmetric scenario, my tanks and your tanks are about equal. Whoever can field more, better tanks can probably win the battle. In an asymmetric scenario, your tanks provide overwhelming firepower against some things, like buildings or other tanks, but my IEDs can kill your tank crew in their Humvee as they ride to the base.

The issue is that attackers in an infosec sense have IEDs (exploits), but defenders don't even have tanks, let alone IED response teams and snipers, just walls (firewalls, etc.). This is not necessarily an argument that we should have those things, though obviously in some corners there are operational teams we'd consider as "our offense" who do use exploits, etc., just against an enemy set of defenders. But again, that's still asymmetric.

I'm not a military scholar, though a ton of stuff included in that field interests me, so I'm interested in further debate and discussion along these lines.

-- 
Dan Moniz <dnm () pobox com> [http://pobox.com/~dnm/]