Dailydave mailing list archives

Re: Strategy


From: "Dan Moniz" <dnm () pobox com>
Date: Sun, 25 Nov 2007 16:09:23 -0500

On Nov 24, 2007 5:37 AM, Dave Aitel <dave () immunityinc com> wrote:

If you're reading an information warfare book or paper you'll invariably
see a lot of:
1. Inane references to Sun Tzu (or, in some even more horrible cases,
any two of Sun Tzu, Clausewitz, and John Boyd)
2. Declarations that information warfare is an "asymmetric attack"

It's not asymmetric in the slightest. If you take any significant period
of time then the organization with more money has a huge advantage in
this game. That doesn't mean that good strategy doesn't hurt, and I
wanted to showcase some examples:

Halvar gave a talk on his malware classification algorithms and at the
beginning of the talk he said "This prevents the malware authors from
using off-the-shelf compilers. Current AV technologies don't do this
since bypassing them requires this five line Python script which I
believe the malware authors have automated."

Forcing your opponent to use expensive tools is good strategy. Likewise,
choosing to invest in an expensive infrastructure can be good strategy.
I believe BinNavi and Immunity Debugger fit this category.

In terms of infrastructure, the US .com and .mil communities decided to
save money and purchase a mono-culture of Microsoft technologies. Bad
strategies like this result in flailing and moaning as you get defeated
over and over by someone with better strategy, not because the
battlefield is inherently asymmetric.

- -dave

Almost two years ago, I did an invited talk at a D.C. area conference
that I hadn't heard of before and that was primarily catering to
intelligence community and homeland security types. I got the feeling
that the conference was probably more of a smorgasbord of homeland
security/defense commentators, actual IC operators, military,
politicos, and associated gadflies than say your average seriously
technical or seriously military/Pentagon conference, but it was
interesting nonetheless.

Since I had an abiding personal interest in the Revolution in Military
Affairs (RMA) debate (sometimes called "Transformation" by certain
adherents; there are opposing views of what RMA is or means, and the
Transformation types tend to argue for advanced battlefield technology
above all else) and since this was a mixed audience I hadn't spoken to
before, I decided to throw together a short high-level presentation on
how I thought RMA applied to computer security. I'll have to dig up
the actual presentation off of one of my other machines; in a quick
search of email and this machine, I don't seem to have it locally.

The basic thrust (as applies to the asymmetry question, anyway) was
this: computer security is highly asymmetric in a classic defense
sense because the well-funded defender has to maintain complex systems
in order to get work done and has a suitably high investment and
operational cost in protecting all that complexity, where the attacker
can pick and choose any fragile point of the complex system to violate
at his or her leisure. Monoculture exacerbates the problem, but I
don't think you could arrive at a "heterogeneous enough" system (whose
complexity would almost certainly be *greater* than a less
heterogeneous system, thus threatening security) where the security
benefits of that mixed system significantly outweigh the investment
and operational costs and still enable equivalent or greater ability
to do work.

In a classic symmetric scenario, my tanks and your tanks are about
equal. Whoever can field more, better tanks can probably win the
battle. In an asymmetric scenario, your tanks provide overwhelming
firepower against some things, like buildings or other tanks, but my
IEDs can kill your tank crew in their Humvee as they ride to the base.
The issue is that attackers in an infosec sense have IEDs (exploits),
but defenders don't even have tanks, let alone IED response teams and
snipers, just walls (firewalls, etc.). This is not necessarily an
argument that we should have those things, though obviously in some
corners there are operational teams we'd consider as "our offense" who
do use exploits, etc., just against an enemy set of defenders. But
again, that's still asymmetric.

I'm not a military scholar, though a ton of stuff included in that field
interests me, so I'm interested in further debate and discussion along
these lines.


-- 
Dan Moniz <dnm () pobox com> [http://pobox.com/~dnm/]
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
