Dailydave mailing list archives

Re: Attribution


From: Yvan Boily <yboily () gmail com>
Date: Thu, 15 Apr 2010 11:34:52 -0700

Donald Rumsfeld said it best:

There are known knowns. These are things we know that we know. There
are known unknowns. That is to say, there are things that we know we
don't know. But there are also unknown unknowns. There are things we
don't know we don't know.

I don't agree with your metric as a measure of "Am I winning?".  If I
am being kicked by my enemies while I am on the ground, I can
attribute the source of attacks with a high degree of confidence, but
I am still not winning.

The ability to properly attribute a set of incoming attacks (X) to a
set of actors (Y) gives you a "known known".  The challenge is that
you cannot determine if you are actually aware of all incoming
attacks, a "known unknown" (Z).  At best, you can assign a confidence
level in your capability to detect a certain percentage of attacks,
another "known unknown" (u() - confidence in ability to detect
attacks).

If you constrain this to the internet front of information warfare (or
cyberwarfare if you prefer), and strictly to current technologies for
detecting and deterring incoming network attacks, then you just might
have a chance of coming up with a reasonable function to calculate
your confidence. At that point it starts to look a lot like %Attributed
= X / [u(Z)].

For the very specific example you might have a meaningful metric and
that has value, but the whole thing falls apart when you scale it out
to each front in your battlespace, and try to integrate it all into an
interesting metric that relates to "am I winning?".  Eventually you
end up with something that looks a lot like Drake's formula, and is
probably about as accurate.

On Wed, Apr 14, 2010 at 9:20 AM, dave <dave () immunityinc com> wrote:

In an interesting presentation I saw recently someone mentioned that Attribution is
hard in cyberspace (f.e. [1]), which generally is discussed in the context of
"Deterrence"[2]. I really like the term "cyberspace", although I know people hate it.

First of all cyberspace is not "the Internet". It's (imho) a collection of networks,
information systems, databases, phone networks, people's heads, and other
"information entities" that together make up the world's set of data and data
processing. They call it "Information Operations" for a reason, but the term
"InformationSpace" is terrible. Plus, William Gibson is a genius, so Cyberspace it is.

Secondly if you are doing your information operations correctly, then Attribution is
a solved problem. You can even use it as a metric: "Percent of incoming attacks that
I can tie to a known actor == amount I have 'dominance over the information
battlespace'". Aka, Attribution is a simple metric for 'Am I winning?'. If you have
no attribution, you are not winning.

Dave Aitel
Immunity, Inc.

[1] http://www.nap.edu/openbook.php?record_id=11925&page=113
[2] http://www.networkworld.com/news/2010/040710-think-tank-in-estonia-ponders.html
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave




-- 
____
ygjb
Computer Science is no more about computers than astronomy is about
telescopes. E. W. Dijkstra