[Dailydave] Maps, more maps. Graphs. More Graphs.

Dave Aitel dave at immunityinc.com
Mon Jul 1 11:24:51 EDT 2013


Halvar once said something like "People are pretty rubbish at thinking
in graphs, much better at thinking about which fruit looks tastier." I'm
heavily paraphrasing just to troll him, of course. But the concept of
visualizations in our field being incredibly hard is interesting in
terms of the PRISM-fallout or the #snowdenpocalypse or whatever you want
to call it.

Vanessa and I are spending part of the day staring at various people's
marketing slicks as we prepare ours for BlackHat. People like to
represent the Internet with world maps. Immunity is no exception. We
have at least two products that have maps in them. But the PRISM slides
point out the obvious fact that the topology of cyberspace is only a
weak correlation with world maps.

The super-important data is not "where are the endpoints" but "where are
all the boxes in between me and that target, and what are the network
conditions that they go through". And of course, there are multiple
potential routes for any packet and they change over time. All of this
data is poorly represented by world maps.

VPNs and internal networks complicate these issues. Any two machines on
the Megacorp WAN are close together no matter where they are in the
world, but they may also be close to various other machines in airport
lounges and hotels, varying only in the time dimension. Mark's work
during various wireless assessments shows how easy it is to hit machines
which are single homed on your corporate network one minute, and then
single homed at Starbucks the next.

I like to ask attack platform visualization systems the following question:
Given a vulnerability in some random thing (Linux Portbind, let's say),
can we rank all the interesting boxes that this will let me get near?
(This is the mirror image of "what is our business risk from a new
vulnerability that just came out?").

Or alternatively:
Given a set of vulnerabilities, how close can I get to www.megacorp.com?

If you've tried to do this on any reasonably large data set, you
probably have an instinctive fear of the problem because of that one time
you tried to stamp it out with a Markov model but it turns out not to be
about connectivity and networks so much as information flows.

This is probably mildly bad news in the long term for Endgame Systems or
any company heavily invested in the "world map as a cyber map" model,
but points out the huge scope of the problem DARPA's PlanX is likely to be
working on.

-dave
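The ranking question in the post, worked as an added example (my code, not Immunity's and not from the post): a toy time-sliced host graph in which a laptop sits on cafe wi-fi in one window and on the corporate WAN in the next, and a walk that reports which assets a newly disclosed vulnerable service lets a foothold reach or merely sit next to. Host names, segments, services and the foothold are all constructed.

```python
from collections import deque

# Constructed inventory (not from the post): for each host, the network
# segments it is attached to in each time window, and the services it runs.
HOSTS = {
    "kiosk":      {"segments": {0: {"cafe-wifi"}, 1: {"cafe-wifi"}},
                   "services": {"portbind"}},
    "laptop":     {"segments": {0: {"cafe-wifi"}, 1: {"corp-wan"}},
                   "services": {"portbind", "sshd"}},
    "fileserver": {"segments": {0: {"corp-wan"}, 1: {"corp-wan"}},
                   "services": {"portbind", "smb"}},
    "www":        {"segments": {0: {"corp-wan", "dmz"}, 1: {"corp-wan", "dmz"}},
                   "services": {"httpd"}},
}

def neighbours(host, t):
    """Hosts sharing at least one segment with `host` during window t."""
    segs = HOSTS[host]["segments"].get(t, set())
    return {h for h, d in HOSTS.items()
            if h != host and segs & d["segments"].get(t, set())}

def exposure(foothold, vuln_service):
    """Walk the time-sliced graph from `foothold`, window by window.
    A host counts as reachable when a reachable host shares a segment with
    it and it runs `vuln_service`; any other neighbour is only exposed.
    Returns (hops, exposed): hops maps host -> lateral moves needed,
    exposed maps host -> (window, hops) at which it was first adjacent."""
    hops = {foothold: 0}
    exposed = {}
    windows = sorted({t for d in HOSTS.values() for t in d["segments"]})
    for t in windows:
        frontier = deque(hops)          # everything reached so far persists
        while frontier:
            h = frontier.popleft()
            for n in neighbours(h, t):
                if n in hops:
                    continue
                if vuln_service in HOSTS[n]["services"]:
                    hops[n] = hops[h] + 1
                    frontier.append(n)
                else:
                    exposed.setdefault(n, (t, hops[h] + 1))
    # A host reached in a later window is no longer "merely exposed".
    return hops, {h: v for h, v in exposed.items() if h not in hops}

def rank_exposed_assets(foothold, vuln_service):
    """The mirror-image risk view: assets ordered by how close this one
    vulnerability brings the foothold to them (fewest hops first)."""
    hops, exposed = exposure(foothold, vuln_service)
    ranked = [(d, h) for h, d in hops.items() if h != foothold]
    ranked += [(d, h) for h, (_, d) in exposed.items()]
    return sorted(ranked)
```

Adding a third window, or a host that changes segments, is enough to watch how a box that is "far" on a world map becomes one hop away purely because of when it joined the WAN.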
 


