
Pukhraj Singh - Keynote - ITWeb Security Summit-2019, Johannesburg, South Africa


My keynote at the ITWeb Security Summit 2019, Johannesburg. Talk audio: http://bit.ly/2WVgMSf.

Published in: Technology

  1. Politics & Power in ‘Cybersecurity’. Pukhraj Singh, #PukhrajSingh
  2. Cognitive cyber offence
  3. Effects: Deceive, Deny, Degrade, Destroy, Disrupt. True innovation in ‘cyberwar’ is cognitive. Techniques: Offer, Remove, Analyse, Access. Innovations around techniques vs. innovations around effects; axes: increasing innovation, increasing symmetry. Ref: Dave Aitel
  4. Cognitive cyber offence. There are fundamental reasons why most countries focus on passive or kinetic cyber as the ultimate tier of capability—typically the organisations with authority to engage in cyber are the Intelligence Services and the Military. They are institutionally predisposed to collecting data or conducting “deny, disrupt, destroy, degrade” operations to enable and support their forces -- The Grugq
  5. Cognitive cyber offence. [The way the US] came to technology defines how we think of it, and the West came to cyberspace through computers and hacking. Other cultures, however, approached cyber differently, primarily from its basic theoretical premise of providing a tool for control of populations -- Richard Danzig
  6. Cognitive cyber offence. [Cyber] effects will be produced by the manipulation of software, data, knowledge, and opinion. The objective is not kinetic but cognitive effect, the manipulation of information to change thoughts and behaviours -- James A. Lewis
  7. Cognitive cyber offence. On January 24, 2019, The Bulletin of the Atomic Scientists set the Doomsday Clock to two minutes to midnight. The group added: “rather than a cyber Armageddon that causes financial meltdown or nationwide electrical blackouts,” a larger risk is the use of cyber-enabled information warfare that erodes “the trust and cohesion on which civilised societies rely”
  8. Cognitive cyber offence. • “…the heart and soul of the Soviet intelligence was subversion. Not intelligence collection, but subversion: active measures” – Oleg Kalugin, KGB • The Smith-Mundt Act & the US Information Agency • T. S. Kuhn’s The Structure of Scientific Revolutions & data-driven behavioural modelling
  9. Cyber offence is pure politics
  10. Cyber offence is pure politics. The state of threat intelligence
  11. Cyber offence is pure politics. • With the right kind of eye, you can see politics in malware code • Offensive toolchains have a political architecture • Cyber attacks have a distinct political signature
  12. Cyber offence is pure politics. Case studies: • Malware code reuse as an expression of political semantics • Exploitation as a technology tree (ref: Dave Aitel)
  13. Code reuse: from opcodes to ontology. …we hope that the research community will take cautious advantage of a higher ontological category to describe collaborative frameworks for multiple threat actors …a focus on this ‘multi-tenant’ model of modular malware development…should allow for…an understanding of… the organizational complexities behind clusters of malicious activity that defy simplistic attribution claims -- J. A. Guerrero-Saade/Chronicle
  14. Code reuse: from opcodes to ontology. “Your adversary has a boss and a budget” -- The Grugq paraphrasing Phil Venables
  15. Code reuse: from opcodes to ontology. 2006: Thomas Dullien ran a “phylogenetic clustering algorithm” on a genus of malware, finding that “although we have ~200 samples, we only have two large families, three small families, two pairs of siblings, & a few isolated samples”. 2011: Google acquires Zynamics. 2012: Google acquires VirusTotal. 2017:
  16. Exploitation as a technology tree. Lineage & Mathematics
  17. Exploitation as a technology tree. Lineage & Mathematics. Operation Aurora -> Barium/Winnti/APT17/Axiom. Winnti >>> Hashing subroutine <<< ShadowPad/NetSarang. Winnti >>> base64 <<< CCleaner Stage 1. Winnti >>> String obfuscation <<< CCleaner Stage 2 (Sources: Costin Raiu & Intezer)
  18. Cyber offence is pure politics. Map the adversarial ecosystem of cyberspace in anthropological detail with the aim of increasing our understanding of our adversaries and our own incentives and methods of operation -- Richard Danzig
  19. Nation state sovereignty in cyberspace is crashing
  20. Power & conflict in meatspace*
  21. Power & conflict in cyberspace
  22. A Contested Territory. Cyberspace is [a] continuously contested territory in which we can control memory & operating capabilities some of the time but cannot be assured of complete control all of the time or even of any control at any particular time -- Richard Danzig
  23. A Contested Territory. Possession, ownership & control [of data & assets in cyberspace] do not overlap -- Thomas Dullien AKA Halvar Flake
  24. A Contested Territory. Ecology professor Philip Greear would challenge his graduate students to catalog all the life in a cubic yard of forest floor. Computer science professor Donald Knuth would challenge his graduate students to catalog everything their computers had done in the last ten seconds -- Dan Geer
  25. A Contested Territory. [Cyber] offence & defence is the wrong dichotomy: it should be control & non-control -- Dave Aitel
  26. A Contested Territory. Gone for a toss: causality & proportionality. We will respond…we’ll respond proportionally, and we’ll respond in a place and time and manner that we choose -- President Obama on the Sony Pictures hack
  27. Enterprise security: dying by a thousand cuts
  28. A Contested Territory. Mudge, 2011
  29. A Contested Territory. Mudge, 2015
  30. A Contested Territory. Why do we need universal threat ontologies & taxonomies? • OpenC2 • ATT&CK • CAPEC • OpenDXL • MITRE CAR • Unfetter • STIX-TAXII • YARA • OpenIoC • IODEF • MISP • VERIS • SCAP • …
  31. A Contested Territory. Vendors as foot soldiers. Malware used by the U.S. in offensive cyber-operations plays “nice”…“We see guardrails on malware from nations like the U.S.” -- Kevin Mandia, FireEye
  32. From declaratory to escalatory dominance
  33. The declaratory model: 1995-2014. • Dave Aitel labelled Stuxnet as the “announcement of a team” more than anything else, which could take out any factory, any time • The current structures of offence are biased towards declaratory dominance
  34. The escalatory puzzle. Look, we’re moving into a new era here where a number of countries have significant capacities…But our goal is not to suddenly, in the cyber arena, duplicate a cycle of escalation that we saw when it comes to other arms races in the past, but rather to start instituting some norms so everybody’s acting responsibly -- Barack Obama, 2016
  35. Questions? Thank you
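Slides 15 and 17 describe lineage analysis by shared code: samples are clustered into families, and a shared subroutine between two tools is read as a link in a technology tree. The toy implementation below is an added example, not from the talk or its sources; the sample names and subroutine hashes are constructed placeholders, and the threshold `min_shared` is an assumed parameter.

```python
"""Toy code-reuse lineage clustering (constructed example).

Each sample is summarised as the set of hashes of its normalised subroutines
(for instance a hash over each function's opcode sequence). Two samples that
share at least `min_shared` subroutines are linked, and connected samples form
a family, a crude stand-in for the phylogenetic clustering the slides mention.
All names and hashes here are constructed, not real malware indicators.
"""
from itertools import combinations

# Constructed feature sets; names only echo the slide's lineage narrative.
SAMPLES = {
    "winnti_a":  {"h_hash_sub", "h_b64_dec", "h_str_obf", "h_w1", "h_w2"},
    "winnti_b":  {"h_hash_sub", "h_b64_dec", "h_str_obf", "h_w1", "h_w3"},
    "shadowpad": {"h_hash_sub", "h_sp1", "h_sp2", "h_sp3"},
    "ccleaner1": {"h_b64_dec", "h_cc1", "h_cc2"},
    "ccleaner2": {"h_str_obf", "h_cc3", "h_cc4"},
    "unrelated": {"h_u1", "h_u2", "h_u3"},
}


def jaccard(a, b):
    """Set similarity in [0, 1]; useful for ranking candidate siblings."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster(samples, min_shared=1):
    """Return (families, links): families as sorted lists of sample names,
    links as (x, y, shared_hashes) edges that justify each family."""
    parent = {name: name for name in samples}

    def find(x):  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    links = []
    for x, y in combinations(samples, 2):
        common = sorted(samples[x] & samples[y])
        if len(common) >= min_shared:
            parent[find(x)] = find(y)
            links.append((x, y, common))

    families = {}
    for name in samples:
        families.setdefault(find(name), []).append(name)
    return sorted(sorted(f) for f in families.values()), links
```

Raising `min_shared` separates tools that merely borrow one component (a hashing routine, a base64 decoder) from genuine siblings that share most of their code.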
