"The empirical paradoxes of cybersecurity" – Pukhraj Singh – DynamicCISO Summit 2021
1. Pukhraj Singh
Product Owner, Cyber Threat Detection
BAE Systems Applied Intelligence
The empirical paradoxes of security
How they impact decisions, architecture & defence
Or
The eternal truths about SolarWinds
2. Pukhraj Singh, Product Owner – Cyber Threat Detection, BAE Systems Applied Intelligence
Introduction
• 15 years in detection engineering and threat intelligence
• Roughly five years in the government
• An emphasis on geo-strategic and geopolitical parameters
• Trained and advised military commanders on defence and doctrine
• Written for the US Military Academy and US Army; op-eds in all the leading national newspapers
• Forever a learner…with impostor syndrome ☺
3. Agenda
A brief glimpse into how the broad, empirical realities of cybersecurity are divergent from its operational parameters and assumptions
PS: I don’t have any solutions to offer
4. The lopsided vulnerability science
Vulnerabilities are the Higgs-Boson particle of the cybersecurity universe. If we don’t understand vulnerabilities, we don’t understand anything else.
5. The lopsided vulnerability science
Are vulnerabilities dense or sparse?
- A simple question asked by Bruce Schneier in The Atlantic [1]
6. The lopsided vulnerability science
“If vulnerabilities are sparse, then it's obvious that every vulnerability we find and fix improves security.”
“If vulnerabilities are plentiful…we don’t really improve general software security by disclosing and patching unknown vulnerabilities.”
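As an added illustration that is not part of the talk or of Schneier's article, the sparse-versus-dense question can be turned into a toy model. A product is assumed to contain some number of latent bugs; attacker and defender each discover bugs uniformly at random and independently of one another, and the defender patches everything it finds. The quantity of interest is the share of the bugs the attacker actually holds that the defender's patching removes. The pool sizes, the bug counts and the uniform, independent discovery assumption are all constructed for the example.

```python
"""Toy model of the sparse-versus-dense vulnerability question.

Assumption (constructed for this example): a product contains `pool_size`
latent bugs; attacker and defender each discover bugs uniformly at random and
independently of one another; the defender patches everything it finds.
Question: what fraction of the bugs the attacker holds does patching neutralise?
"""
import random
from statistics import mean


def expected_fraction_neutralized(pool_size: int, patched: int) -> float:
    """Analytic answer: each bug the attacker holds is one of `pool_size`
    equally likely bugs, so it is among the `patched` fixed ones with
    probability patched / pool_size.  The attacker's own haul does not
    appear; the value is driven entirely by how dense the pool is."""
    if patched < 0 or patched > pool_size:
        raise ValueError("patched must lie between 0 and pool_size")
    return patched / pool_size


def simulate_fraction_neutralized(pool_size: int, attacker_holds: int,
                                  patched: int, trials: int = 4000,
                                  seed: int = 7) -> float:
    """Monte-Carlo check of the analytic figure: draw the attacker's and the
    defender's bug sets independently, measure their overlap, and average."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    bugs = range(pool_size)
    overlaps = []
    for _ in range(trials):
        attacker = set(rng.sample(bugs, attacker_holds))
        fixed = set(rng.sample(bugs, patched))
        overlaps.append(len(attacker & fixed) / attacker_holds)
    return mean(overlaps)


def compare_worlds(patched: int = 5, attacker_holds: int = 5) -> dict:
    """Same defender effort (`patched` bugs found and fixed) in a sparse world
    and in a dense one.  Pool sizes are made up for illustration."""
    worlds = {"sparse": 20, "dense": 5000}
    return {
        name: {
            "pool_size": size,
            "analytic": expected_fraction_neutralized(size, patched),
            "simulated": round(
                simulate_fraction_neutralized(size, attacker_holds, patched), 3),
        }
        for name, size in worlds.items()
    }


if __name__ == "__main__":
    for name, result in compare_worlds().items():
        print(f"{name:6s} pool={result['pool_size']:5d} "
              f"analytic={result['analytic']:.3f} "
              f"simulated={result['simulated']:.3f}")
```

With five bugs patched, the sparse world (20 bugs) neutralises a quarter of what the attacker holds, while the dense world (5,000 bugs) neutralises a thousandth of it: the same engineering effort buys almost nothing. The model also makes the key assumption visible, since the result only holds if discovery is uniform and independent; Geer's rediscovery argument [2] is precisely about whether that assumption survives contact with real data.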
7. The lopsided vulnerability science
But what does the industry want us to believe?
8. The lopsided vulnerability science
9. The lopsided vulnerability science
As Dan Geer writes, the answer is not that simple [2].
10. The lopsided vulnerability science
11. The lopsided vulnerability science
“Detection deficit”: how does it impact defence?
“Through the variety of areas I explored, the data and analysis continued to highlight a single conclusion: As a community, our ability to detect 0-days being used in the wild is severely lacking to the point that we can’t draw significant conclusions due to the lack of (and biases in) the data we have collected.”
-- Maddie Stone, Google Project Zero [3]
12. The lopsided vulnerability science
“Detection deficit”: how does it impact defence? (Maddie Stone, Google Project Zero [3])
13. The lopsided vulnerability science
Is vulnerability discovery working? [4]
14. The lopsided vulnerability science
Is vulnerability discovery working?
15. The lopsided vulnerability science
Is vulnerability discovery working?
16. The lopsided vulnerability science
Is vulnerability discovery working?
17. The lopsided vulnerability science
But how do you define a vulnerability?
Designers, vendors, and programmers themselves have trouble describing whether a software or hardware feature is operating as intended or is, in fact, a security flaw.
Advanced exploitation techniques are rapidly moving towards “the boundary between bug and expected behavior”, “almost the fringe of what can be classified as an explicit hole or flaw.” Advanced exploitation is rapidly becoming synonymous with the system operating exactly as designed—and yet getting manipulated by attackers.
-- Sergey Bratus [5]
18. The lopsided vulnerability science
But how do you define a vulnerability?
-- Aaron Adams [6]
19. The lopsided vulnerability science
But how do you define a vulnerability?
Complex software is built in multiple levels of aggregation and composition. Innovation entails aggregation and composition in unforeseen combinations, at many levels.
The hooking pattern implements the fundamental software engineering operation of composing software with other software. For this reason, it is implemented by a great variety of software, with a wide range of techniques and uses. Often the hooking software is developed and released separately; sometimes it is also released together with management tools and automation tools.
-- Sergey Bratus [7]
20. The lopsided vulnerability science
But how do you define a vulnerability?
21. The lopsided vulnerability science
But how do you define a vulnerability?
Let’s go back to 1984…
“Reflections on trusting trust” by Ken Thompson [8]
22. The lopsided vulnerability science
*Insert mandatory Grugq quote*
Let’s go back to 1984…
23. The lopsided vulnerability science
Trusting trust…
24. My favourite Mudge posts
25. My favourite Mudge posts
26. My favourite Mudge posts
27. My favourite Mudge posts
28. With misplaced empiricism, your assumptions fail.
For example, killing the Kill Chain.
29. These empirical misassumptions extend to other areas, too
30. On ring -2, bootkits and the industry botch-up of UEFI and Intel Boot Guard
31. Your perimeter is not the boundary of your network; it's the boundary of your telemetry
-- Grugq
32. On AVs and EDRs, the “foot-soldiers” of cyberwar
Defeat Bitdefender total security using windows API unhooking to perform process injection – https://shells.systems/defeat-bitdefender-total-security-using-windows-api-unhooking-to-perform-process-injection/
A tale of EDR bypass methods – https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
33. On not-so-easy attribution and botched-up CTI datasets
Identifying Authorship Style in Malicious Binaries: Techniques, Challenges & Datasets – https://arxiv.org/abs/2101.06124
34. Who takes care of Ambani’s iPhone?