[Dailydave] "I hunt Sys-Admins"

Konrads Smelkovs konrads.smelkovs at gmail.com
Wed Jul 13 06:24:15 EDT 2016


On Tuesday, 12 July 2016, Dave Aitel <dave.aitel at gmail.com> wrote:

>
>
> Likewise, while it is annoying to have your CERT non-functional, a CNA
> attack on a CERT is not life-ending or otherwise special in any way - I'm
> not privy to whatever discussion at the UN/Tallinn drove them to the
> conclusion that a CERT was something special in the response fabric - one
> could as well label "Amazon AWS" as off limits. As much as I love the
> people on our CERTs, we have duplicate response effort in many different
> agencies (in particular, DHS/NSA/FBI/CIA/DOD). No sane country is going to
> take CNE against CERTs off the plate.
>

Anything that fails a dodgy curry thought experiment (what if your entire
team went for lunch and ate a bad curry which made them sick for a week)
cannot be considered critical infrastructure because you've clearly shown
it isn't important to you that much.

The second part is that UN/Tallinn conference attendees are often working
at CERTs so there may be a certain conflict of interest there.


>
> If what you're saying is: There are some places you should not attack, I
> would point out that the translation into cyber world is "There are some
> effects on systems you should try not to have". For example: "Trojan
> anything you want, but don't actually damage the dam system near NY
> because we will respond to that as it could cause massive loss of life and
> clean water".
>
> The thing that makes Cyber special here is that there is no end to the
> thread when you pull on it - there is no red line you can draw around a
> hospital or dam system.
>

This is a very good point. CERTs are supposed to be purely defensive and it
sort of holds true in "peacetime" with some exceptions like the alleged
assistance FBI got from one of the CERTs to do some Tor hacking, but it
cannot possibly hold true in "wartime" - where defending from an intrusion
would involve perhaps a big DDoS of known C2 nodes or manipulating the
global Internet routing table for some traffic redirection, inspection and
black holing - all offensive actions. Besides, if YOU are the one attacking
and you expect countermeasures deployed against you, you might have a
national CERT mitigating those countermeasures which effectively makes the
CERT part of your attacking team.



-- 
Konrads Smelkovs
Applied IT sorcery.