[Dailydave] "I hunt Sys-Admins"

Alex Grigsby AGrigsby at cfr.org
Wed Jul 13 11:16:45 EDT 2016 

If what you're saying is: There are some places you should not attack, I would point out that the translation into cyber world is "There are some effects on systems you should try not to have".

*****

That’s a version of what I’m saying to a certain extent and probably what the UN folks are saying as well in the CERT context. In their 2015 GGE report (http://www.un.org/ga/search/view_doc.asp?symbol=A/70/174), they recommend that “states should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams … of another state.”

It’s probably an open question as to what the UN group meant by “harm”—is it CNE or CNA?—and the only way you get consensus at the UN is by allowing wide variations in interpretation. But the USG was the main proponent of that specific norm and probably meant it as CNA given that the exact language State uses is “a state should not conduct or knowingly support activity intended to prevent a national CSIRT from responding to cyber incidents” (http://www.foreign.senate.gov/imo/media/doc/051415_Painter_Testimony.pdf). That would seem to allow for spying on a CERT but not preventing it from doing its job (disruption/destruction)

There’s an effort on behalf of policymakers to try to keep certain targets off limits. It may or may not work—and it has had mixed success in meat space with keeping hospitals off limits—but I don’t necessarily think that should stop them from trying. Even if you’re able to reduce some of the noise (CNA or otherwise), that should be a win. Baby steps.

From: Dave Aitel [mailto:dave.aitel at gmail.com]
Sent: Tuesday, July 12, 2016 5:24 PM
To: Alex Grigsby <AGrigsby at cfr.org>; dailydave at lists.immunityinc.com
Subject: Re: [Dailydave] "I hunt Sys-Admins"

I wrote a slightly longer piece on this today here: http://cybersecpolitics.blogspot.com/2016/07/when-is-cyber-attack-act-of-war.html

But to address the CERT question directly, I will pose a few distinct arguments as to how Cyber is a special snowflake and CERTS are clearly legitimate targets.

First, the things I've read coming out of the UN/Tallinn have made few inroads into defining the difference between CNE and CNA. From an espionage standpoint, CERTS are clear high priority targets because they collect information on your attacks, but also on other nation states who have been caught, which can be fed directly into your national intrusion response.

Likewise, while it is annoying to have your CERT non-functional, a CNA attack on a CERT is not life-ending or otherwise special in any way - I'm not privy to whatever discussion at the UN/Tallinn drove them to the conclusion that a CERT was something special in the response fabric - one could as well label "Amazon AWS" as off limits. As much as I love the people on our CERTs, we have duplicate response effort in many different agencies (in particular, DHS/NSA/FBI/CIA/DOD). No sane country is going to take CNE against CERTs off the plate.

If what you're saying is: There are some places you should not attack, I would point out that the translation into cyber world is "There are some effects on systems you should try not to have". For example: "Trojan anything you want, but don't actually damage the dam system near NY because we will respond to that as it could cause massive loss of life and clean water".

The thing that makes Cyber special here is that there is no end to the thread when you pull on it - there is no red line you can draw around a hospital or dam system.

-dave

On Tue, Jul 12, 2016 at 3:04 PM Alex Grigsby <AGrigsby at cfr.org<mailto:AGrigsby at cfr.org>> wrote:
I agree with most of the points you raise (esp. with respect to the vagueness of "critical infrastructure") but I'll push back a bit on your CERT point.

You're right that a CERT would likely be a prime target during a conflict, but just because a country would want to pwn a CERT doesn't necessarily mean that it should. Over the last 100+ years, countries have agreed to not deliberately target certain installations in wartime even if it's in their strategic interest to do so. For example, the laws of war prohibit the targeting hospitals or anything with a red cross/red crescent (https://en.wikipedia.org/wiki/Protective_sign) even if it would be militarily advantageous for a country to do so (i.e. less enemies on the battlefield). Same thing goes for restrictions on certain weapons (e.g. chemical weapons in the case of the Geneva protocol or booby traps in the case of the Conventional Weapons convention).

Countries have agreed to these restrictions largely on the basis of reciprocity--we won't do it to you if you don't do it to us. It doesn't necessarily mean that all states will comply, but they create a strong norm in favor of their adherence.

Based on the history of the laws of war, it doesn't seem completely ridiculous that countries could eventually come to some sort of understanding that CERTs are off limits.

Alex

-----Original Message-----
From: dailydave-bounces at lists.immunityinc.com<mailto:dailydave-bounces at lists.immunityinc.com> [mailto:dailydave-bounces at lists.immunityinc.com<mailto:dailydave-bounces at lists.immunityinc.com>] On Behalf Of dailydave-request at lists.immunityinc.com<mailto:dailydave-request at lists.immunityinc.com>
Sent: Tuesday, July 12, 2016 12:00 PM
To: dailydave at lists.immunityinc.com<mailto:dailydave at lists.immunityinc.com>
Subject: Dailydave Digest, Vol 56, Issue 1

Send Dailydave mailing list submissions to
        dailydave at lists.immunityinc.com<mailto:dailydave at lists.immunityinc.com>

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.immunityinc.com/mailman/listinfo/dailydave
or, via email, send a message with subject or body 'help' to
        dailydave-request at lists.immunityinc.com<mailto:dailydave-request at lists.immunityinc.com>

You can reach the person managing the list at
        dailydave-owner at lists.immunityinc.com<mailto:dailydave-owner at lists.immunityinc.com>

When replying, please edit your Subject line so it is more specific than "Re: Contents of Dailydave digest..."


Today's Topics:

   1. "I hunt Sys-Admins" (dave aitel)


----------------------------------------------------------------------

Message: 1
Date: Mon, 11 Jul 2016 15:15:12 -0400
From: dave aitel <dave at immunityinc.com<mailto:dave at immunityinc.com>>
To: "dailydave at lists.immunityinc.com<mailto:dailydave at lists.immunityinc.com>"
        <dailydave at lists.immunityinc.com<mailto:dailydave at lists.immunityinc.com>>
Subject: [Dailydave] "I hunt Sys-Admins"
Message-ID: <5fc94935-e035-6b70-5d55-7f16d7f25992 at immunityinc.com<mailto:5fc94935-e035-6b70-5d55-7f16d7f25992 at immunityinc.com>>
Content-Type: text/plain; charset="utf-8"

Occasionally I like to reflect, as you all do, on the various things that have mis-shaped our understanding of cyber war.

For example, take this Intercept article based on the Snowden leaks:
https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/

Viewed in hindsight, this article points very closely at something I'm going to support in depth in an article coming out shortly, which is that *the term "Critical Infrastructure" does not apply in cyber the way defense strategists think it does*. I mention this, which may seem obvious to the readership of this list, because if you read policy papers they go on an on about how nations should avoid "attacking" each others "critical infrastructure" as a "norm". They don't, of course, consider defining a lot of terms in any specificity, but they do mention that under no circumstances should CERTs be attacked. Which clearly is ridiculous because in cyberwar the CERT is something you will have penetrated first so you know when you've been caught everywhere else.
Likewise, CERTs are usually very easy to attack. Likewise, top on your list is secure at microsoft.com<mailto:secure at microsoft.com>, and every other security contact. And in order to claim those things as "off limits" we have to declare huge swaths of infrastructure (often unknown ahead of time) as off limits.

Also visible in retrospect is that people love to focus on the catchy phrases. "I hunt sys-admins". Sure you do! But that means your strategic offensive efforts have already failed at least twice. In order to get to the point where "I hunt sys-admins" team is involved, you have to get through "I hunt developers", "I hunt other hackers", and "I hunt system integrators". And even above them is "I hunt standards developers and cryptographers" (aka, NIST :) ).

-dave






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20160711/97fa7226/attachment-0001.html>

------------------------------

_______________________________________________
Dailydave mailing list
Dailydave at lists.immunityinc.com<mailto:Dailydave at lists.immunityinc.com>
https://lists.immunityinc.com/mailman/listinfo/dailydave


End of Dailydave Digest, Vol 56, Issue 1
****************************************

_______________________________________________
Dailydave mailing list
Dailydave at lists.immunityinc.com<mailto:Dailydave at lists.immunityinc.com>
https://lists.immunityinc.com/mailman/listinfo/dailydave
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20160713/6030300f/attachment-0001.html>

More information about the Dailydave mailing list