Global Adversarial Capability Modeling

spring glow and forever serial capability model not easy tom I should also probably avoid putting 15 syllable words my title scary thing could have probably unwise this presentation I actually gave this week's are going to go at the end of May in Barcelona at the net fishing working group conference so there is paper that goes is this which I wanted to go to abstract away harm but if you do like to reap in verses that I am a big fan of making what you're doing transparent and clear available so with open for scope the first presentation is great this is not code right so this is a way to make sure that we think about what's going to

happen do risky sentences works basically this is Intel stuff and so there's not open source code for this because it's pretty good software for your brain so the English is the open source code you'll probably have this memorized video of the day so we had to close up the legal stuff at the end so I hope you're all sleepy let's see it again detective yeah so that's actually just a that's the prelim for the test that how it's going to give you so I'm coming at this from the defense on up it's like I certain more and the goal of Intel o is to let you do something intelligent what you do anything useful this basically means that we need to

predict how the world is gonna be you're going to do something about it you need to know how the work was going to be is that what you want to change so fancy words we're going to predict the future state of the world right now that's sort of hard I can anyone tell me what the biggest attack on the internet is going to be in six months usually enough can you tell me if there's going to be a way to break into windows a box in six months yes yeah there's totally gonna be one I don't know what it is right now but it's going to be there can you tell me if there's a way to break into the water

system that controls the topwater DX into this building in six months maybe we don't know as well right so what I'm trying to answer with this work is we sort of all know that windows much people are going for you we don't have as good of an intuition about some of these other systems that are coming online so what I'm trying to do here is take the lessons that we all sort of know from how windows broken and how people move through the phases of the break windows and applying that to figuring out how they're going to break all these other systems that are right it's of that way i can predict lips and be like in three years instead of in two

months because if i could predict with something to be like for you i might be able to actually plan for it but if i don't know what something is going to do two months out that is less than everyone's acquisition cycle and everyone's hi ring cycle you can't get some of the rage are into money how are you applying for four months out rightly three years whatever able to do something plus I said take a dicks quickly and the general new tech creates these weird complicated interactions that are hard to predict but adversaries are using tech as a tool to depends so really there ends are we can probably get a better idea of what type of means is if

the tech is that we going to end open source and they want to get into your castle then they can get it they'll get in your castle the other thing that we sort of have to watch out for so a little bit of a stray byzantine history comes into the whole i think the walls of Constantinople were not reduced for 1400 years then even though it happened in 1450 they invented cannons and Turkish ever commissioned to 28 slip on the cannon built a road to wheel it comes editable and shot at the walls for 26 days an impassible didn't work so well anymore we ought to be able to pretty offensive things because now those things happen

every six months so there's a bunch of things that model attacks right so we have the kill chain if you want to do attribution you can do it without me model would chasing the scraps that killed you up and helps you think about a couple of different tasks we have this way good way to think of an adversary objectives for for campaigns from even 98 right the common language for computer security instances from my 1088 long Savin a guy from Cynthia that but none of them really helped me predict the next attack they just let me figure out what happened yesterday so I would figure out how to talk about tomorrow not yesterday the thing that

I've found is difficult some of you may have noticed this you don't always know your cottage on you I felt this is very hard for me worth analysts so really thinking about tell me who did it it's the internet someone on the internet tell me who did it are you that may be the name of the place I gotta go get a guy but nah they were like six proxies that you just told you get into the proxy Network they're all compromised machines could be anywhere now how're you did okay look the internet not a physical network but what are you talking about what our computers I don't care who it is the thing about the unit i did everyone is

tending to you there is no sad to you who did a risk assessment of the electric grid they are all our transformers to get the power to fulfill it turns out that we will take them anymore and you take them out of the sniper rifle because there's in the middle of the woods they're very concerned about this for a while until they realize that no one goes in the middle of the woods with a sniper rifle and shoots the transform I soon catch them as you eat physical access to the thing to go to destroy that's not true Alina everyone has physical access to everything if that's what being on the inter hands so the adversaries only need

the capability of the intense to get stuff they don't need physical access so they don't need physical access I only need to model their capability and then you need to figure out if they want to get to you and that's how you figure out having fun

so these are all fancy words to get me except into an academic conference what this means is that i have the vin turned read everything there was about XP and i also synthesized you know the facts that I've been working on this for five years like oh XPS been broken for a while I love this where I'm like oh man this sort of it's like the same thing that happened to the other windows 95 this is sort of the same thing that you know for having the Android and like windows seven turns up still broken no hey SLRs nice alright like cuz they started to get pass a SLR basically what 36 months ever came out so

after you see the same pattern the same process six or ten times like maybe maybe I can figure out what the pattern is if I could figure out the pattern I can predict the future states of the world and get people to pay him money so what we did is I did this loop came up with a came up with a stripped away I modeled I chose it too much be one sir they went now that's them do this this in this better oh yeah that's true where did it yeah and it showed it to some more people anyway this is better but these days ok and so then I presented it in early I don't see anything

particularly wrong I'm sure there's something so I'm sure that there's something else wrong with this this is why I tell it to more people so that one of you can come up afterwards hopefully quietly about asked in part of everyone tell me stupid better but if you insist on embarrassing me to make sure the point gets across tell if everyone that's fine so I'd really didn't have to focus said that already right can't find it anyway so just don't worry but I want to know how good all the adversaries in the whole world aren't attacking this thing we've done this for four things and one of the things is actually kind of attacking the control so I think that I

have your series have a capability to compromise a particular system that's going to be different than administering upon its not the same skill set to administer a hundred million that would not that as it is to compromise 100 more emissions those are Jim and also some of them feed into each other okay so you don't have to compromise 100 million machines of the same operating system but they might only controls so we're going to model those things differently and then what I haven't done yet is figured out how those things all sort of mesh together but anything you can sort of see it from where I am that you know if there's a fire role there's the

capability to get past the firewall and then there's the windows machine once they get past the firewall they have their capability of getting in subway this machine I know once a compromise that they have their capability to control them except those are three capabilities they can do all those things get in your system you guys don't know that that's not hard the thing is how many people have that capability right now so the model is how many people have that capability how many people have it determines how much it costs if they capability to compromise with those is open source it's free and we do it you have to spend a lot of money to stop it from happening

is every possibly on your system even the electricity then running to mine bitcoins income after that's a little bit different than if you a lot of clothes out system that no one really knows about you have just said less on it because there are fewer people with a capability to have them I thought so one of the things we were into I know that definitions is ever most favorite thing but we're like 10 threes I think that everyone at least like perfectly awake right now just a bunch of tired of this yet there's also all 1030 good send me up I don't know how we got a sunny day finally writing ad copy so put your

one slide a very pens definition may be tired for that of the day make sure that no one else can do anything useful so the capability is having the things and knowing how but knowing how is usually on the internet or high p or paper towards in hacker for or where is this that you have to buy it is it a hundred dollars thousand dollars of million dollars a software system as i live in to in a set of software instructions that execute in the same environment and run to the same set of permissions so is anyone ever tried to remove internet explorer from windows yeah does anyone then run up against the little website it says by the way you

can do this because we build it into the files explorer and we hate you you run up to that real quick so the thing is if you compromise the Internet Explorer you compromise the windows kernel at least an XD they tried to make it off a user I'm not sure if that means that Internet Explorer the thing that goes and fetches random unknown web pages it is execute them is the same software system as the window sir this is the reason why we have some problem witness this also means if I model Android or modeled livings Firefox is one software system the linux kernel is a different software system those are different but for Windows is the same because you can't

take it for now and so we got into some weird space where I thought that I was modeling the Android colonel capabilities but it was actually modeling the Android user space because those are actually different and that's when I realized windows is terribly awfully useless but that's why this is important so what we did is we organized this in two phases and it's pretty picture of the moon two phases of it's like a puppy but it's not actually thought of having to be funnier so we have discovery validation escalation the Aequitas ation and ubiquity right age start with discovery can you go through you don't really have to see validation set of know that you're going to move into escalation

they pretty much go in order but there's a couple of things that make this hard one is that some of these things are kept secret so we did the xb1 we got a report from 2010 but the military had problems with the Chinese breaking into their XP systems in two thousand or so we didn't know until seven years later that validation of espionage would happen for XD so sometimes you don't know that one of these symptoms has been observed until way later but we know that that's going to happen because these things are secrets right of course B marker but so that's why we looked at XP to be much later so one reason you might see things

moving faster than you think is that one of the other things has actually happened and adjust have been reporting the other reason is that if people know that they can make money and do espionage on the thing they might go on to creating well hunted or they might be well haunted or high factors in the space right before you see people actually doing some sort of battle sir so you're gonna have to see at least one I proposed might be Robert has been proven wrong yet so that's what we're going to go on his science that if you see one of these symptoms that phase has started and then you might start to see another

symptom from the next phase but you won't see anything from you want skipper face but you'll see one symptom and if you might you can extend them and then we might go back and complete the prior phase they call a phase completed if you've seen all of the symptoms and part of the predictive power comes it is if you see all three of disruption ability monetary gain and nesting on being validated or proved by doing some sort of compromise then we're going to move into escalation soup because all of those things so I have four case studies depending on how much you all want to see them I have three of them in backup slides that I

could definitely go over the windows 1 i'll take some questions and then if i still have time to kill Abigail so we meet these fancy graphics is everyone money graphics especially higher-ups who don't really get paid don't really want to the higher-ups need to get the summary of the stuff the hard work that we've done we need to obviously happened in a one-page graphic usually a pass but I can't bring myself to make a map of the internet it's not a physical system and I hate that but so the darker the box is the more infinity for giggles we also charted the market share XD across the bottom I have no idea of this actually correlates but it looks like

obviously if something is more popular it's likely for people to move against it quickly I know that all those things are very tight but basically as soon as whether they feed him out you had the first bowl in the first ex boy which was a upnp exploit you also actually have the first just proof comes up a work and the counter work later then see so Mike the end of 2002 discovery is done because windows actually sort of been around since how you Clive so the next thing comes up through that link 2002 we've already pretty well hashed out those were code reuse problems you see proof of funny pretty quick proof of espionage pretty

quick so shadow crew stuff money starts to happen and then you see blaster and so this is the space where like everyone was crying all the time is the work we're just spreading through the whole ecosystem and so that's proof of disruption because when the internet goes down that's disrupted by infecting windows so that means that if you know that you can destroy something you have some power over right like dude close enough hot guys and so if you have the ability to destroy or cause hard with windows XP then you have people did USB knowledge like I spin we get the back dated reports about the Espionage in the military we have Russian criminal gangs

using it to seal financial credentials all by mid 2003 and then you basically get remotely controlled zombie king all the stuff go through by the end of two thousand seven books sort of bad but if anyone was in this industry two thousand seven protecting XP machines really ok this is ok but like not really happy about this alright but people start paying penchant for system dude this is when people realize they like that rooms on the neck steam machine and everything is sort of actually broken but it's not really broken in to get to the last half of the life cycle where you get Zeus beating for sale for six hundred dollars to anyone with a stolen credit card little

past except the fellows and then it goes down to 60 and then it gets open source right and then metasploit is open source and then metasploit is updated continually with open source updates for XP detroit's which is at the top there and the one of the end is end of life and so when we have that whole stack filled up we have free control free exploit no more updates how expensive is it to compromise the windows XP machine right now rightly laptop I think it's what 40 seconds if it's connected to the NMM unprotected that might be it was five minutes like two years ago thing has gone down because they'll steal the electricity lab it's cheap enough that

they'll steal the electricity um if you go back right when you have just military-grade security being compromised there's not just like people in someone's basement in 2003 compromising Steve machines in quite the same way wait they might be putting in a hundred hours to do with themselves and just not getting paid for it for some reason because they like it but it's a hundred hours of the work now it's five seconds where the work is however fast your internet connection is to download the zoo spots right and so that changes how much you have to spend to defend it it also changes how much you have to spend you attack it right these are the same so I put forth that

we should follow this adversarial capability is going in stages I think that we have a reasonable reason to think this I think that it helps us figure out a future threat light table a little bit more accurately my estimate is maybe that it stretches us to 18 months to three years out instead of six months out or something like that because I think that it helps us make predictions now I can keep going but I want to give you guys the opportunity to ask any questions or comments yeah word flicka's so I haven't done so I haven't done a rigorous analysis of that but there's definitely windows 7 malware right is it open source yet

I don't actually know games are actually housing does anyone know there's a couple of other things a bit open source lately I don't know if Zeus has within seven plugins the problem with windows is that there's code reuse so some of the XP my notes still apply the real thing that I think so this comes into the definition of software system many treaties I think that the new thing for seven and eight is that they turned on deaf ASL are by default and that is a different software system basically because that gets in between the user space and doing whatever you want and so I think it would be better not to say what's the

capability against seven but what's the capability ASL aren't deaf since those get turned on much more easily instead of me and I know that there are definitely proven attacks against those fences but if you don't have a SLR indep running like I think that you're basically the same boat is XP more or less except for the you get patches does anyone disagree with me on that we just heard how easy it is to break into the hole wit of the system so i'm going to feel too unjustified time I don't disagree i have a question as somebody who would want to use the model and its predictive power what I don't see in the model is how the attack

focus changes over time well so for example if you're a government organization and you're in the early stage of the month you're a victim in the early stage of model you have two things that I don't think the model of dress is one is you're likely not to share that information widely so knowledge of the exploit and capability remains very limited and as that knowledge spread through escalation and ultimately G Vic whaty the targets of the attacks shift as well so going back to the governmental organization if you're somebody responsible for protecting against that particular capability or mitigating up different capability there needs to be something saying how worried that person needs to be about

the future attacks involving that capability because it seems based on the model that they quickly shifts away from the people who have the early knowledge to the lower hanging proved that far more publicly accessible try to summarize this is basically I don't handle distribution or extent of damage by giving the particular item broken because I don't talk about how widely distributed the software system is we all sort of talk about whatever you would actually apply pressure to do something useful especially if you're the person designing the system I think that it's pretty clear from this that once you hit escalation you're going to run away to ubiquitin it's too late right so that means that if you didn't

itself design a software system you need to basically not have it be targetable because once you get proof of money or proof of destruction ability it'll probably run away into escalation you can try to tamp that down by keeping it by keeping a hold on that but really means that if you don't prevent the actors from dating the capability at a very early stage which is an asymmetric cost right won't be able to get a whole lot once it gets away from you so I think that that's the recommendation that's not very nice for people to hear with a a lot of systems because it basically breaks down to the build security in principle right it I

could retrain late what I said as the security stuff has to be building from the beginnings of the doesn't get targetable so that no one build the capability to destroy it but no one does that because marketing reasons so unless it basically is legislated it won't happen there were a couple over here yeah yeah like it XP android apache and control remote control of industrial control systems once they're our guests all like industrial purchases do at like four distributed systems like Olivia I'm call system like anger or Amazon or how's this fall kind of expansive bigger distributed file system that may or may not have security certificate as time goes on rules I broke or it's not different individual device

it's a bigger so the question basically is how do I deal with distributed systems which I'm going to go back to my definition of software system right so any set of instructions that not in the same environment are a system where so Asher is one system that you have to is it I don't know if I sure has different user votes or whatever but I think that if you have the Amazon Cloud it spins up the vm for you so you have the base OS or the host OS right you have the virtualization software and then you have amazon package those are three systems clear from all of them I knew would model them separately and so

whatever hopes to when someone stands up like we'd see this with web content management stuff all the time right those are host the virtualization software there's there's papers from 2008 by a guy named Travis Normandy who basically published that all of the popular virtualization software at the time could be exploited by a hostile guest to get control of the host he was immediately hired by google and hasn't been heard from since then I wish I were a joke like that's just what happened to our they tell ya so um and then the back end stuff I feel like I saw once in the news that some amazon management stuff have their password entry page open for like two hours and

someone got even guess the password and when did a bunch of mischief and then amazon closed it down right so that's the back end management side right which has kind of obviously have fewer bolt in it but i think that it would be unwise to think that there's not value in compromising with a whole back end for google or the whole back end for amazon and so if there is any capability to do it because it runs on a living system that it's they all right i haven't build a whole new carnival far as I can help so all seen as all the finest I think that the what changes in the model is you multiply the systems

together is something that I sort of in response the marks question happens actually a little bit outside the model is the the risk of a compromise or the damage done when I compromising curves goes up and so the risk of the cost-benefit should change right so if you know that there's a system that 100 million people are using and you know that it has you know this far along you should adjust your equation to spend an appropriate amount of money on the security of it right we saw this I think with the project Aurora stop crew right they thought that gmail had no exposure turned out to be targetable and then they went on highland springs into it

just right I don't know what they put in after that but we've seen some instances of this but they're obviously not as far along as XP is partly because they're custom systems right in part because there are fewer of them so they're not as targetable yeah so say the use of Internet Explorer doors take one yeah so what I would say that if you can it all do it don't let anyone leave your local network with Internet Explorer I've seen presentations by the exploit exploit intelligence project i want to say where they measure some of this stuff but what the guy also was doing was he had a company that would sell me basically plug in that just put chrome

inside his floor and ran to hold the same boxes as if it were chrome unless you went to a local network site is trying to make that transparent for everyone but yeah basically if you can prevent people from leaving your home that we're gone it's more that would cut off some of that exposure and i know that there's some program you just hope required to run explore all over the derivatives but software in one Stan hey John eliminate bad so the very least definitely support at least one other browser already here doing a software development thing please it we used to support something besides explores if someone is always able to make this other choice because

some of the reason we have this problem is their websites that are critical that are developed you two only run properly against Explorer and that mean that the security folks can't do the right thing and switch everyone to another browser so yeah at least like Firefox isn't perfect but if you run Firefox at windows I'm pretty sure that they have to at least do something else wants to get the browser to get the colonel I'm not sure that's really true explorer like they're those other things that they can do work sort of well known but they do these do it yeah so this seems like the old or something gets on the more widespread it

becomes the more expensive is to secure but by the same token is less expensive to support and so those two things are inversely proportional is our sweet spot where i can run something obscure enough to not be a target but still so the question was that something gets older and better known is more expensive to secure but it's also cheaper than support so what's that like min max function on this the optimal thing is going to be determined by how targeted you are right so it depends on how many people want your stuff look the more attackers you have that watch your things the lower that sweet slots going to be the more expensive security will

be if you're doing basically nothing important they only want to steal your electricity or are bitcoins then it's probably pretty far along you can use a pretty common system but also note that some of that cost in securing is going to go into other systems that are going front of these systems so you can also budget it that way right there like we're going to have windows on the back end but that means that you know the emails got to be stripped or clean or whatever in a certain way when we would sighing attachments right from people who are in your contact book right so everyone's going to run PGP or some sort of female

signing thing which outlook supports now right so we do this from stuff but those are the sort of costs you're going to have not necessarily IP house but human costs right so no one can receive javascript in their email because they're running a Windows machine what's it son right so then you have to do a public key to allow for everyone but that's the sort of concept I'm talking about what is one over here

house uses various excuse wash floors have no source so this certain innate psychic abilities on the scene James's

so the question was is now are becoming harder to text basically by calling morphic stuff and all these things I don't have that model here they think that I've actually a reasonable separate thing to model is their ability to bypass not just a V but any sort of malware analysis and so based on the hall I would predict that they're getting better at it I don't have anything specific for you that I know I can say about here last question have you noticed any any any trends with this model this crowd exclaiming like it does it does it take you no longer to go from discovered a validation or for validating the escalation oh just thinking ahead you

know if we see that a tool is happy at the validation stage can we make any generalizations about how far we might be general age generalization is a little bit hard as I figured the function of how many machines there are so it's a function of the value proposition for the attackers all right so with the Android API this all fits on one slide the matching one is grace lines the XP one was two slides so they move at different rates but I think that's partly because it how'd you get so much older they were just fewer web servers period so there wasn't as much value getting after them there is 800 million Android phones where it is so it

moves a lot faster but there's so there's not a general rule but I'd like to think that there's probably some sort of relationship between the number of devices and the number of people going after it that you could come up with something but it's I don't have a hard and fast one but it looks to be like so this Android one goes real fast from validation to democratization that's like two two two two and a half years and so I think that if we if you expect him a new popular tag out that's going to hit a big segment of the global population you should expect it to go real fast thanks everyone