Building Skynet - The Beginning (part 2)

"Automated Response Needed for Cyber Attack, Napolitano Will Say",

http://www.businessweek.com/news/2010-03-03/automated-response-needed-for-cyber-attack-napolitano-will-say.html

"March 3 (Bloomberg) -- U.S. government and businesses should focus on developing new devices for authenticating computer users and automate responses to cyber attacks to bolster Internet security, Homeland Security Secretary Janet Napolitano will say in a speech today..... Napolitano will say that identifying computer users, designing security software that can react at “Internet speed” and developing hardware and software systems that work better together will make the Web more resilient to attacks."

This article by Jeff Bliss describes the DHS secretary's comments at the 2010 Spring RSA conference. In my previous blog, I talked about how we're building a real world version of Skynet, the fictional computer intelligence from the Terminator movie series. The "converged security" approach to cyber and physical security is presenting a new set of threats to our infrastructure. The blending of cyber and physical attack and defense is a danger if not done properly and securely. The automation of these tools is even more dangerous considering our inability to protect what we have online now.

Automated Attack
We've had automated scans and probes for years. We used to call them "script kiddie" attacks. I wonder now what percentage of these probes and scans are really by script kiddies. Commercial pen test tools like Core Impact, Canvas Immunity, Nexpose/Metasploit and freeware tools like Metasploit are the first generation attack tools. They require manual intervention and interpretation of results. The next logical step is to automate the analysis part of the process.

Command and Control
We know about botnets - the 21st century version of the late 1990's Distributed Denial of Service (DDOS) attack kits. We've come a long way from Trinoo, TFN2K, mstream, stacheldracht or have we? The method of attack is basically the same. The DDOS tools exploited buffer overflow vulnerabilities in a variety of RPC based services such as sadmind and ttdbserverd. The attacks were controlled by scripts and reasonably automated for their time. Botnets use the same methodology. They attack web based services for the most part to gain access to a system. The only major difference between the botnets of today and the DDOS nets of the last century is the number of machines controlled by the attack master. The botnet and DDOS command and control structure are identical. The command and control (C&C) structure is a real threat to our infrastructure for the the simple reason that whoever owns that C&C structure has a powerful offensive and defensive weapon.

Automated Defense
"REDWOOD SHORES, CALIF., "March 1, 2010"Imperva, the data security leader, today announced the general availability of ThreatRadar, a new add-on to Imperva's market-leading Web Application Firewall (WAF) that provides automated, reputation-based defense against large scale industrialized cyber attacks." http://www.darkreading.com/securityservices/security/intrusion-prevention/showArticle.jhtml?articleID=223101095

IPS technologies are the first generation automated defense tools. Signature and anomaly based analysis are the first generation analysis techniques. There are numerous research papers on "intelligent" malware defenses where

Secretary Napolitano talks about creating " security software that will react at Internet speed".
When we evaluate "automated" defense tools, we try to construct packets or signatures that might fool the tool into starting its defense and maybe create a false positive situation. In my Skynet scenario, can I generate the right set of threats at "Internet speed" to trigger the wrong reaction of an automated defense tool at "Internet speed". I'm just a dumb human. Can I design an automated tool to do just that? The answer is yes.

The Crossover Problem
Let me recap some things I mentioned in my first post. First generation IDS was strictly in the cyber world. IP addresses are abstractions to the analyst. Sure, we can locate a device but our counterattack was limited to the device itself. We block the device from accessing its targets. In a few situations, there was a physical attack in the form of a police or military raid against the attackers.

Converged security detection tools move us into the physical world. If you're an NCIS or CSI fan, you've seen examples of these technologies. You probably thought this was TV stuff but the capabilities are real as we're discovering. There are tons of surveillance technologies that are being marketed. Most of these have limited or primitive automated control schemes. That is changing. Cities are linking their numerous surveillance networks into a single managed entity. We're seeing a linking together of the disparate surveillance technologies (video, audio, cyber) that is being marketed as "for your safety". The sheer volume of data collected by these technologies overwhelms human's ability to process it and so we add cyber tools to help us analyze the information.

The Dilemma
We have designed attack tools that work at "internet speed" and our defense tools react at "internet speed". Our quandary is that humans don't work well at "internet speed". I seem to recall an old Air Force study that showed a high percentage of soldiers would not push the launch buttons in the event of a nuclear attack. I'll have to research this some more but if you know where it is, let me know.

Do we cede control of our internet defenses to software? Given the poor quality control history of most vendor software, I must admit this scenario frightens me. I worked on the Secure Code project sponsored by the SANS Institute a couple of years ago. It was disturbing to discover there weren't a lot of coders who knew basic secure coding techniques. We see the same infection techniques used in the 1990's are still successful in the present day. Why? Software coders have not been taught secure code techniques. Now, this is changing with new generations of programmers but the damage has been done already.


1. Are we willing to cede operational control of our cyber defenses to software and AI?
2. Who has final "pull the trigger" authority? Human or software?

Stay tuned for Part 3......