Cyber Weapons, Zero Days, and Euphemisms

I:

On February 14th 2017, Microsoft was set to release their monthly patches, but didn’t. The 2nd Tuesday of every month had come to be known as “Patch Tuesday” since Microsoft formalized the monthly cycle for security patches in 2003, and they hadn’t missed a month since. The cryptic announcement appeared to say as little as possible in a maximum number of reassuring words:

Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today. After considering all options, we made the decision to delay this month’s updates. We apologize for any inconvenience caused by this change to the existing plan.

On March 14th 2017, Microsoft released their patches as usual, including MS17-010 which fixed 6 different critical issues that were bundled together, and strangely and uncharacteristically without attributing any of them to a source that reported the issue.

On April 14th 2017, a “Hacker Gang” called The Shadow Brokers made good on its threats to release hacking tools stolen from another “Hacker Gang” known as The Equation Group – with some very interesting material including Firewall, VPN, Antivirus, Database and Windows attacks.

Turns out that all the serious Windows bugs that were revealed in April were fixed by Microsoft in March, the month after they cancelled their patch cycle for no clear reason other than a last minute issue.

This all starts to make sense when we acknowledge that the group that had their tools and secret bugs stolen, “The Equation Group”, isn’t a hacker gang; it’s a euphemism for the US National Security Agency, who could be speculated to have whispered, perhaps assertively, in Microsoft’s ear.

II: Backstory

In August of 2016, 8 months earlier, a previously unknown group called "The Shadow Brokers" tweeted a pastebin URL. That pastebin URL was for a page advertising a cache of stolen cyber weapons for sale, attributing the weapons to The Equation Group.

The file appeared to be real, according to former NSA personnel who worked in the agency’s hacking division, known as Tailored Access Operations (TAO). “Without a doubt, they’re the keys to the kingdom,” said one former TAO employee, who spoke on the condition of anonymity to discuss sensitive internal operations. “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.”

The codenames and provenance of these leaks were confirmed by comparing them to NSA files leaked by Edward Snowden.

The tools themselves were like a set of skeleton keys for secret software flaws that they weren’t telling people about, also known as Zero Day Vulnerabilities. Because the bugs were kept secret, the attacks against them were (1) undetectable, since you wouldn’t know what the attack looked like, and (2) indefensible, since people didn’t know what was wrong to begin with. These weapons would be almost universally effective and practically guaranteed a point of surreptitious entry into internet connected computer networks, followed by silent lateral infection and complete compromise. They would literally “hack the firewall”, find their way in, gain control of one machine, then of all the machines, “get all the passwords” and all the data behind those passwords, and do whatever they wanted.

Shadow Brokers acted like they wanted to sell these tools, set up an auction with impossible terms ("send as much money as you can to this untraceable bitcoin account and whoever sends the most wins and gets all the toys") and then acted like they changed course and wanted to sell the tools – and market them – individually. Why all this noise?

This starts to make sense when we speculate that “The Shadow Brokers” is also a euphemism. If Equation is NSA, then Brokers just might be a Russian actor belonging to or working for an arm of the Russian state security apparatus.

III: Reflection

Why prolong the agony? One government (potentially) leaks “proof of possession” of another government’s secrets, then takes a full 8 months to deliver the goods? Propaganda aside, I think there was an asymmetrical objective.

1.      Massive disruption is not in the interest of either group. Neither of the belligerents wants massive, large-scale compromise of the entire world information system. Brokers wanted these bugs fixed before they made them public knowledge.

2.      Equation would be forced to fix these bugs rather than allowing the world information infrastructure to be broken. This would require massive coordinated efforts, would require Equation to whisper into the ears of a lot of software vendors, provide resources and information, coordinate propaganda (or PR if you like that term better) and the release of information, and waste months of effort.

3.      The revelations and the confusing, often contradictory news coverage bring a lot of unwanted attention to people desiring to remain covert.

4.      By bringing maximum attention to the leaked files, Brokers almost guarantee that other governments could go back into their records or scan their systems and find evidence of when Equation broke in. That, generally, is not an optimal diplomatic position.

5.    Conjecture: The Shadow Brokers must have been using these tools the whole time. I sure would have, and so would any cyber guy with spirit. Unlike Equation, Brokers didn't intend to keep these bugs a secret, the adversary already knew about them, and they were out shopping with someone else's credit card for those eight months and potentially long before then.

IV: Now What?

What is now undeniably apparent to Joe Cyber Guy is that the world isn’t what we think it is when we think about these matters from an IT perspective. From the alien point of view of security qua security, I postulate the following:

1.      There are threats that cannot be reasonably or reliably defended against in a connected system.

2.      Threat actors obtain their power through research and effort, and keep it through secrecy.

3.      Threat actors research, invest, recruit, and collude to obtain or embed secret tools and weaknesses and use them sparingly to avoid losing them.

4.      Software is inherently untrustworthy. Even when a moderately sophisticated threat actor – not Equation level – has a weapon, the value of that weapon is in keeping it a secret.

5.      Where not trivial, threat actors can elect to use these tools to compromise targets that thought they were secure, and do so unhindered and undetected.

6.      The landscape on the defensive side is often so weak that the actors are correct to use their trump cards sparingly since common tools and techniques are enough to gain entry to most targets.

7.      Targets – information systems – can and should be engineered to be resilient.

We need to do better at securing information systems. On the gradient of actors, Equation is one of the highest out there in terms of effectiveness and sophistication, the ones that cannot be reliably defended against in a connected system, but there are a lot of actors around. Almost all threat actors could be reliably defended against where the security people:

1.      Think differently: rather than emphasizing disclosure or breach, we should begin to think of the issue as more of an issue of maintaining custody and control of information assets and information systems.

2.      This implies that we walk the talk: sure, reassuring words are useful to quell the fears of the business, which ultimately is justified in being concerned. We talk at the business because we know the business doesn’t know what it’s talking about. Which it shouldn’t, but we do. Just because the patient doesn’t know anything about medicine doesn’t make him less worthy of respect: it’s the doctor’s job to know the subject matter and provide due care. As technology people, it’s our job to know the subject matter and to provide due care to the business.

3.      Standards and frameworks are obsolete the moment they are formulated. They don’t get updated often. For a standard to be suitably relevant, it must be suitably broad and generic. They are therefore a bad cop-out. We know that when we talk at the business and quote the names of NIST, ISO and all the rest, we are distracting them without adding value.

4.      There is in all things an infinity of options, which makes an infinity of wrong options to take against only a few right ones.

5.      Security and technology professionals are an active part of the overall problem. Because we are taking the path of least resistance, our systems are not designed in any material way; they occur.

6.      Rushing to patch against the next zero day or disclosed weakness won't do enough. New vulnerabilities are disclosed regularly, including those that were being exploited before they were publicly known or a fix was available much less adopted.

7.      There are two windows of opportunity with every vulnerability: the one before public disclosure in which you are defenseless, and the one after where you are still defenseless and panicking to defend yourself with everyone else before someone can use them against you. There will be new ones, and the groups with euphemistic names aren't the primary source.

8.      It's great to talk about least privilege and security by design, but not if we don't do it. It's a lot of work, and a lot of accountability, that most organizations avoid.

9.      Most organizations avoid the work and accountability because it's not their fault: the software is faulty, the vendors say that it's OK, the business has de-localized anxiety and cannot be assured; it wants to hear that it is safe and is putting you under pressure to explain how, when you know that it isn't.

10.  While avoiding the work and accountability is attractive enough to become the norm, and while knowledge is sparse and the groups in charge are under-resourced, the following are not strategies:

a.      Hope and optimism

b.      Despair and helplessness

c.      Alarmism – even when there is something to be alarmed at, don’t be alarmist but alarmed.

d.      Empty assurances. Also, non-empty assurances.

V: Self-Indulgent Rehash

If we recognize that information security practice isn’t keeping up with cyber crime, we’re already on the way to the answer. It isn’t a question of catch-up and audit observations and improvement areas but a question of attack and defense.

A secure system isn’t the more unusable, restrictive, over-encumbered one; it’s the better configured one. The major gap isn’t in technology but in techne: in knowledge, skill and craft. Where technology fails it is more often because it’s misapplied than because it is insufficient, and the answer isn’t in spending but in engineering, in careful and conscientious choice and configuration of your technology, including your security technology, and in the careful prioritization and re-prioritization of defenses.

It simply isn’t easier to attack than it is to defend, and the effort that it takes to break into a system is disproportionately raised by the effort put into protecting it. The challenge is that the adversary can be an opportunist, a luxury that the defender, who does not know where or when or how the attack will come, doesn't have.

Denying opportunities to the adversary is cheaper and easier than dealing with the inevitable consequences of allowing them to exist. The vast majority of breaches are demonstrably attributable to negligence and post mortem examination reveals information infrastructures that were clearly badly defended. The adversary is the attacker, but the enemy is the cop-out.

VI:

Knowledge and insight must be cultivated continuously. As with the doctor in the earlier metaphor, an uninformed doctor makes mistakes and hurts patients. The knowledge and insights are no good if they aren’t reflected in what we do. Security really is everyone’s responsibility, but to varying degrees; security and technology people make decisions that have a bigger impact than the business does, whether we like to admit it or not, and therefore bear the burden of due care. That due care:

1.      Must be reflected in the conscious effort to constantly re-engineer systems and processes: sorry, that’s what continuous improvement and the Plan-Do-Check-Act quality cycle mean.

2.      Must take the form of adaptability and robustness, because no adversarial attacker will ever be rigid and principled in how they gain control of your information system. They have the luxury of a target rich environment, while you have the burden of being a target in an adversary rich environment.

3.      Must ultimately manifest in willingness to take accountability for block and tackle security work. Sure, it isn’t our fault that the software is faulty, but it also isn’t anyone else’s problem when we are compromised.

In the spirit of block and tackle security work, I’ve previously published articles with practical, technical suggestions – I stop short of calling it guidance – which can be found here, here, here and here.

Karim Hamandi

Customer-Centric Technical Sales Specialist, Strategic Accounts | Health Coach | Leadership | Cybersecurity

7 years

Interesting read, written in your usual interesting style.

Patrick Wheeler

Cybersecurity Architect/Practitioner/Communicator - Building NextGen Security Solutions

7 years

Well written and argued. I would in a small way defend ISO/NIST/et al. in that they allow us to benchmark doing the hard work (but the base critique is valid, as too many allow the standard to become the thing). As an NPC in this new 'great game' it is frustrating the amount of civilian (customer) budget we expend avoiding becoming collateral damage...

Yon Lew

COO ISRSEC International, Ltd. CISO ISRSEC (North America)

7 years

More articles by Sultan Alowais

  • Forever-Days 1, Homogeneity and the 2024 CrowdStrike Outage
  • Forever-days, Chapter 0
  • The Economics of Cyber Security
  • The Narrative is the Enemy: Cyber Crisis and Changing Paradigms
  • Eternal Blue and Other Cyber Weapons
  • Why it Doesn’t Take a Nation State, and What to do if it Did
  • 2015 Ukrainian Power Outages: Fear, and Hope, in a Handful of Dust
  • Active Defense Part 3, The Network
  • Active Defense Part 2, The Endpoint
  • Active Defense, Part 1