[Dailydave] Strategy
Richard Thieme
rthieme at thiemeworks.com
Mon Nov 26 11:05:53 EST 2007
I am writing a piece today called Content and Context which simply
hammers at the point that the first piece of work in all this is knowing
the real nature of the nested levels of organizational structure at each
level. "What is it, in itself?" asked Marcus Aurelius, cutting to the
chase. This means that counterintelligence is not an add-on but the
first, not the second, order of business. Is the structure or
organizational identity what it seems to be? Whom does it serve, that is,
who profits from the continuing existence of this entity? Who is
running it? What is embedded in it? So even if it has integrity as
constructed (i.e., a jihadist web site is really a jihadist web site), has
it been compromised, and if so, how? What persons or hardware or software
have been "turned," degraded, or made into dual-use or two-way
Janus-faced portals? Are in fact entire structures or people sacrificed
to the deception, as they occasionally must be, because the greater
value of the deception outweighs even a significant number of
insignificant human lives (e.g., in 1942 the KGB let the Germans know
about a forthcoming attack by Marshal Zhukov's forces aimed to divert
German forces from Stalingrad; the information, sent through a complex
structure of deception, enhanced the value of that and subsequent
information and the credibility of the bogus source. But Zhukov did not
know that the disinformation was provided at the expense of thousands of
his troops who were killed to sustain the ruse ...)
The more granular one gets, the more uncertain the visible evidence, the
way a coastline that looks long and smooth becomes a lot of branching
twists and turns at a granular level, any one of which can look like a
wall but be in fact a door ... yet this work, however imperfect, must be
done, for the subsequent security concerns to have meaning.
RT
Dan Moniz wrote:
> On Nov 24, 2007 5:37 AM, Dave Aitel <dave at immunityinc.com> wrote:
>
>
>> If you're reading an information warfare book or paper you'll invariably
>> see a lot of:
>> 1. Inane references to Sun Tzu (or, in some even more horrible cases,
>> any two of Sun Tzu, Clausewitz, and John Boyd)
>> 2. Declarations that information warfare is an "asymmetric attack"
>>
>> It's not asymmetric in the slightest. If you take any significant period
>> of time then the organization with more money has a huge advantage in
>> this game. That doesn't mean that good strategy doesn't hurt, and I
>> wanted to showcase some examples:
>>
>> Halvar gave a talk on his malware classification algorithms and at the
>> beginning of the talk he said "This prevents the malware authors from
>> using off-the-shelf compilers. Current AV technologies don't do this
>> since bypassing them requires this five line Python script which I
>> believe the malware authors have automated."
>>
>> Forcing your opponent to use expensive tools is good strategy. Likewise,
>> choosing to invest in an expensive infrastructure can be good strategy.
>> I believe BinNavi and Immunity Debugger fit this category.
>>
>> In terms of infrastructure, the US .com and .mil communities decided to
>> save money and purchase a mono-culture of Microsoft technologies. Bad
>> strategies like this result in flailing and moaning as you get defeated
>> over and over by someone with better strategy, not because the
>> battlefield is inherently asymmetric.
>>
>> -dave
>>
>
> Almost two years ago, I did an invited talk at a D.C. area conference
> that I hadn't heard of before and that was primarily catering to
> intelligence community and homeland security types. I got the feeling
> that the conference was probably more of a smorgasbord of homeland
> security/defense commentators, actual IC operators, military,
> politicos, and associated gadflies than say your average seriously
> technical or seriously military/Pentagon conference, but it was
> interesting nonetheless.
>
> Since I had an abiding personal interest in the Revolution in Military
> Affairs (RMA) debate (sometimes called "Transformation" by certain
> adherents; there are opposing views of what RMA is or means and the
> Transformation types tend to argue for advanced battlefield technology
> above all else) and since this was a mixed audience I hadn't spoken to
> before, I decided to throw together a short high-level presentation on
> how I thought RMA applied to computer security. I'll have to dig up
> the actual presentation off of one of my other machines; in a quick
> search of email and this machine, I don't seem to have it locally.
>
> The basic thrust (as applies to the asymmetry question, anyway) was
> this: computer security is highly asymmetric in a classic defense
> sense because the well-funded defender has to maintain complex systems
> in order to get work done and has a suitably high investment and
> operational cost in protecting all that complexity, where the attacker
> can pick and choose any fragile point of the complex system to violate
> at his or her leisure. Monoculture exacerbates the problem, but I
> don't think you could arrive at a "heterogeneous enough" system (whose
> complexity would almost certainly be *greater* than a less
> heterogeneous system, thus threatening security) where the security
> benefits of that mixed system significantly outweigh the investment
> and operational costs and still enable equivalent or greater ability
> to do work.
>
> In a classic symmetric scenario, my tanks and your tanks are about
> equal. Whoever can field more, better tanks can probably win the
> battle. In an asymmetric scenario, your tanks provide overwhelming
> firepower against some things, like buildings or other tanks, but my
> IEDs can kill your tank crew in their Humvee as they ride to the base.
> The issue is that attackers in an infosec sense have IEDs (exploits),
> but defenders don't even have tanks, let alone IED response teams and
> snipers, just walls (firewalls, etc.). This is not necessarily an
> argument that we should have those things, though obviously in some
> corners there are operational teams we'd consider as "our offense" who
> do use exploits, etc., just against an enemy set of defenders. But
> again, that's still asymmetric.
>
> I'm not a military scholar, though a ton of stuff included in that field
> interests me, so I'm interested in further debate and discussion along
> these lines.