[Dailydave] The best bugclass is whatever the defender is most mentally invested in

Dave Aitel dave.aitel at gmail.com
Thu Mar 5 00:57:27 UTC 2020

A decade or so ago I got pneumonia and then tried to give a talk about why
attackers tend to win at cyber stuff. The usual answer you will hear, the
*RSAC* answer, if you
will, is total BS. If someone says "Attackers only need to get in once, but
defenders need to succeed every time!" then they are officially a moron and
it's ok to sell them blinky-light systems which protect them from APTs or
whatever, maybe after discussing some ballgame scores with them first that
have all the narrative joy of a set of random numbers, but I wouldn't take
their advice on information security.

But the sign of a truly great attack in our space is often that you could
write it in every blog and newspaper in the land as the top headline, and
defenders would still not be able to adjust to it because they are so
mentally invested in the alternative. CRYPTO-AG is an example of this, as
were the original ENIGMA and PURPLE breaks during WWII.

But my favorite one is maybe "patching". People will take a remotely
accessible system that has a newly published RCE, one they have basically
no telemetry on, and then patch that bad boy up and go on with their lives
as long as it doesn't have some sort of malware that changes the login
screen. Oh lordy the scripts to find out if your Citrix VPN was popped last
month...just comedic genius.

My second favorite might be WAFs. We know they don't WORK, but they KINDA
WORK sometimes and are easy to write metrics around and maybe that's enough
to justify their existence even though they also introduce security flaws
of their own?

My third favorite one is SOCs with humans in them. You can, quite
literally, say "Hey, attackers are always going to move faster than you
because they are going to invest in automation, which is clearly the
answer..." but five thousand blogs on "Threat Hunting" later, here we are.
I mean, I know Jason Healey and Dmitri Alperovitch argued recently that
offensive innovations are in actuality quite limited
<https://www.youtube.com/watch?v=Dgr4A1feV5Y&t=33s>, but it's probably
wisest to assume that the offensive community you see is just the foot of
the mountain range, and that above the permafrost is an entire cloud city
of strange and glorious creatures, working on telnetd remotes.

This brings us to a few national-level policies which are just as funny.
When you listen to defense department innovators
<https://www.youtube.com/watch?v=wA0epN0L1fc&t=9s> talk about automation on
the battlefield they are super careful to point out that a "human will
always be in the loop for any use of force". But of course, any of our
adversaries (cf. China) who has pushed their AI to be fully automated on
the battlefield will have a massive advantage over anyone who has not. They
are either lying and they know it, or, MORE HILARIOUSLY don't even know it.

The same is true about the Air Force's bizarre reaction to Elon Musk this
week pointing out that obviously fully automated drones are the
near-future. The Air Force, predictably, pushed back.
Their paychecks depend on a system full of human butts in expensive
airframes, as useless in the wars they were designed for as a human
querying a time-series database for an IoC.

In other words, the reason attackers win has not changed, and maybe never