On the trilemma of cyber-actions

Draft
Original version: 2022-02-09.
Last update: 2022-02-11T21:27:45+01:00.
Tags:
1 minute of reading time

Trilemma of cyber-actions

  • Speed
  • Intensity
  • Control

A detour by “the digitalization of the world”

IT projects and their promises

Reality: inherent problems and difficulties in succeeding

Cause: market, skills shortage, ego

Side-effect: the talent issue and inept human resource departments — “hiring is broken”

Cyber-operations

Structure of state-sponsored actors

Size

Funding

Hiring

On the talent issue in the scope of state-sponsored actors

Side-effect: heavy dependence on private actors and limited actual capabilities

The case of Palantir

  • USA
  • France
  • Actual capabilities?

A tour of the offensive cyberspace ecosystem through data

State-sponsored actors

Private actors

Isolated hackers

Cyber-terrorism

A peek into advanced subversions and what could have been cyber-operations

Subtle errors and the impossibility of trusting your data and systems

  • The case for injecting bogus data that is neither reconciled nor caught by coherence safeguards

e.g. election systems.

Catastrophic failure on mission-critical physical infrastructure

  • Subverting crucial data pipelines can escalate into catastrophic failure in complex systems, such as grid regulation in a solar/wind-dominated energy mix, where accurate demand forecasting is critical

Abusing, chaining and mastering the whole stack

No real attack actually uses all of these elements:

  • human covert operations;
  • controlling routing through BGP hijacks;
  • expert systems that apply anti-remediation measures in complicated network topologies;
  • UI dark patterns and bugs;
  • custom, unreleased language runtimes with obscure features or unusual ways to carry out computation (call/cc, for example), etc.

Compromising the last link in the chain and staying hidden until a random researcher finds you

Attacks can live rent-free as patched microcode in your processor; forensics becomes funnier this way.

  • Intel Management Engine;
  • AMD

Raising the attacker level forces defenders to keep up, right?

A case for the forgotten: not all defenders have a Mandiant subscription

Incentives to keep getting pwned

  • Responsibility model, e.g. Equifax, etc.
  • On the impossibility of determining intent: the case of ransomware and insurers

The golden rules of IT projects are still there

False sense of security

Compliance

Defense can be a side-effect of mundane choices

Mass-scanning the legacy Internet

The case of IPv6

Exotic technologies and attack cost

  • Reproducing the target system: exotic ISAs, exotic networking, exotic systems, locked-down surface.

Close the fucking attack surface

Tragedy of the cyberspace

Attackers