Dailydave mailing list archives
Re: Attribution
From: Yvan Boily <yboily () gmail com>
Date: Thu, 15 Apr 2010 11:34:52 -0700
Donald Rumsfeld said it best:

There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.

I don't agree with your metric as a measure of "Am I winning?". If I am being kicked by my enemies while I am on the ground, I can attribute the source of attacks with a high degree of confidence, but I am still not winning.

The ability to properly attribute a set of incoming attacks (X) to a set of actors (Y) gives you a "known known". The challenge is that you cannot determine if you are actually aware of all incoming attacks, a "known unknown" (Z). At best, you can assign a confidence level in your capability to detect a certain percentage of attacks, another "known unknown" (u() - confidence in ability to detect attacks).

If you constrain this to the internet front of information warfare (or cyberwarfare if you prefer), and strictly to current technologies for detecting and deterring incoming network attacks, then you just might have a chance of coming up with a reasonable function to calculate your confidence. At that point it starts to look a lot like %Attributed = X / [u(Z)].

For the very specific example you might have a meaningful metric and that has value, but the whole thing falls apart when you scale it out to each front in your battlespace, and try to integrate it all into an interesting metric that relates to "am I winning?". Eventually you end up with something that looks a lot like Drake's formula, and is probably about as accurate.

On Wed, Apr 14, 2010 at 9:20 AM, dave <dave () immunityinc com> wrote:
In an interesting presentation I saw recently someone mentioned that Attribution is hard in cyberspace (f.e. [1]), which generally is discussed in the context of "Deterrence"[2].

I really like the term "cyberspace", although I know people hate it. First of all cyberspace is not "the Internet". It's (imho) a collection of networks, information systems, databases, phone networks, people's heads, and other "information entities" that together make up the world's set of data and data processing. They call it "Information Operations" for a reason, but the term "InformationSpace" is terrible. Plus, William Gibson is a genius, so Cyberspace it is.

Secondly if you are doing your information operations correctly, then Attribution is a solved problem. You can even use it as a metric: "Percent of incoming attacks that I can tie to a known actor == amount I have 'dominance over the information battlespace'". Aka, Attribution is a simple metric for 'Am I winning?'. If you have no attribution, you are not winning.

Dave Aitel
Immunity, Inc.

[1] http://www.nap.edu/openbook.php?record_id=11925&page=113
[2] http://www.networkworld.com/news/2010/040710-think-tank-in-estonia-ponders.html

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
--
ygjb
Computer Science is no more about computers than astronomy is about telescopes. E. W. Dijkstra
Current thread:
- Attribution dave (Apr 14)
- Re: Attribution Shane (Apr 14)
- Re: Attribution Jordan Frank (Apr 15)
- Re: Attribution Josh Saxe (Apr 15)
- Re: Attribution dan (Apr 15)
- Re: Attribution Yvan Boily (Apr 15)
- Re: Attribution Shane (Apr 14)