If cities were 100% accurately represented by video games, Miami would of
course be *GTA: Vice City*, a story of simplistic corruption garishly lit
and stuck in 2002 forever. It's traditional to hate on Miami, right until
you make some crypto money and decide to move there into a condominium with
a stunning view and an equally stunning lack of maintenance or foresight
around rising water tables.
Seattle, on the other hand, is *Cyberpunk 2077*, a city run by
cybernetically enhanced corpos who get to work by walking past endless
discarded refuse and homeless tent cities heated with literal barrel
campfires - on my way to the airport yesterday we drove through some thick
fog, which the Uber driver explained to me was just "a fire under the
bridge" with the same level of casual interest he would apply to a sale at
a JC Penny's.
Traveling between these two cities imposes arbitrage costs on your
consciousness itself, extracting profit from your inability to look away
from what seems like an obvious oncoming disaster. What happens when the
ocean goes up another foot, and nobody can get flood insurance? you ask
yourself, as people around you wave you off. How come such a progressive
city can't serve its people's needs, or at the very least pick up their
trash? you wonder, while running past a well worn armchair next to the
freeway that, rain or shine, serves as someone's impromptu throne.
While the humanity in you rages against the system, the hacker in you
realizes that knowing the past and processing it to produce the future can
be as useless and predictable as an earthworm's digestion. Hackers live in
a realm between spaces and times, looking at the hidden connections and
occasionally playing a chord on the threads.
So I wanted to respond to this post which starts "If someone exploits an
0day they still have to setup C2 - this is where TTPs are generated that
Blue Teams can win against". And I think for the past year I've gone on a
huge journey of discovery, annoying my Cyber Threat Intelligence friends to
no end as I ask annoying questions like "After you put some random
non-googlable name up, like PLATINUM, can you just add a little flag so I
know what country you're talking about?""
(Argh. The whole point of codenames is they are UNIQUE and easy to search
for. This is like naming your OS "Windows" I guess.)
Anyways, imagine if seventeenth century biologists were reporting to the
newly established Royal Society and they were talking about counting all
the animals and doing studies on animals and of course what they used to do
that were the various animals that kings and whatnot had gotten stuffed and
sent to them. I feel like you would find out that almost all animals had
fur and were easily shot by muskets or stabbed with spears! I guess my
point here being: Cyber Threat Intelligence is in a very hard place right
now, despite soaring revenues and many exciting trophies on the wall.
What you hear, over and over again, is that yes, detecting exploitation is
hard, but you will be able to detect "lateral movement" and see the command
and control traffic, and when attackers need to "accomplish their mission"
they will therefore be detectable. And this is true - for some missions,
and for some operational concepts
that accomplish those missions. But we fail when we don't consider other
operational concepts and other missions. Apparently we call the many
reasons we fail to turn data into warnings and then into action:
Good marketing from XDR companies is a pathology in this space. And that
pathology goes to the highest levels - when we have leaders in govt say "We
don't see any serious Log4J exploitation" we have to think "Wait, we have
almost no visibility for Unix targets though". Even when we have the right
telemetry, we don't have the right analysis.
I like to probe our pathologies with annoying questions:
- What percentage of worms do we see?
- What happens when people don't use a C2 but just drop an implant?
- Who are the hacker groups focusing only on Unix?
- What percentage of 0day do we really even find?
- Are we looking only at our adversary's actions, or also our own to
But more than that, we are not self-conscious in the way that we should be
about our own analytical pathologies. This is because our academic
structure for peer review and everything else in this space is pretty
busted. Anyways, there's more to the world out there than just lions and
antelope and espionage RATs. To see the really interesting things you need
a microscope, and the kind of eyes that want to squint through the lenses
of microscopes we haven't even built yet.