Biology in its beautiful variety has a problem for taxonomist absolutists - new species
keep on being discovered. Thus a strategy that aims to find and classify everyone is doomed.
Same in cyberz - it's good that we know about prominent members, but little varieties,
unless game-changing, are boring and useless for strategic decision making.
Same sort of goes with C2. C2 is one of the requirements for most varieties of CNE. It
makes a lot of strategic sense to focus on C2 and deal with the rest using resilience
thinking.
On Fri, 28 Jan 2022, at 12:08, Dave Aitel via Dailydave wrote:
https://twitter.com/SecurePeacock/status/1486156096259637250?s=20
So I wanted to respond to this post which starts "If someone exploits an 0day they
still have to setup C2 - this is where TTPs are generated that Blue Teams can win
against". And I think for the past year I've gone on a huge journey of discovery,
annoying my Cyber Threat Intelligence friends to no end as I ask annoying questions like
"After you put some random non-googlable name up, like PLATINUM, can you just add a
little flag so I know what country you're talking about?"
(Argh. The whole point of codenames is they are UNIQUE and easy to search for. This is
like naming your OS "Windows" I guess.)
Anyways, imagine if seventeenth century biologists were reporting to the newly
established Royal Society and they were talking about counting all the animals and doing
studies on animals, and of course what they used to do that with were the various animals that
kings and whatnot had gotten stuffed and sent to them. I feel like you would find out that
almost all animals had fur and were easily shot by muskets or stabbed with spears! I guess
my point here being: Cyber Threat Intelligence is in a very hard place right now, despite
soaring revenues and many exciting trophies on the wall.
What you hear, over and over again, is that yes, detecting exploitation is hard, but you
will be able to detect "lateral movement" and see the command and control
traffic, and when attackers need to "accomplish their mission" they will
therefore be detectable. And this is true - for some missions, and for some operational
concepts <https://cybersecpolitics.blogspot.com/2020/05/asynchronous-command-and-control-and.html>
that accomplish those missions. But we fail when we don't consider other operational
concepts and other missions. Apparently we call the many reasons we fail to turn data into
warnings and then into action: "pathologies".
Good marketing from XDR companies is a pathology in this space. And that pathology goes
to the highest levels - when we have leaders in govt say "We don't see any
serious Log4J exploitation" we have to think "Wait, we have almost no visibility
for Unix targets though". Even when we have the right telemetry, we don't have
the right analysis.
I like to probe our pathologies with annoying questions:
* What percentage of worms do we see?
* What happens when people don't use a C2 but just drop an implant?
* Who are the hacker groups focusing only on Unix?
* What percentage of 0day do we really even find?
* Are we looking only at our adversary's actions, or also our own to make trendlines?
But more than that, we are not self-conscious in the way that we should be about our own
analytical pathologies. This is because our academic structure for peer review and
everything else in this space is pretty busted. Anyways, there's more to the world out
there than just lions and antelope and espionage RATs. To see the really interesting
things you need a microscope, and the kind of eyes that want to squint through the lenses
of microscopes we haven't even built yet.
-dave
_______________________________________________
Dailydave mailing list -- dailydave(a)lists.aitelfoundation.org
To unsubscribe send an email to dailydave-leave(a)lists.aitelfoundation.org