Ransomware Groups, Cognitive Surplus, Social Dynamics & Policy
While I have had a hiatus from writing both technical blog posts since SharpML (though I am recently getting back into them with our GAN research) and more conceptual, process-orientated articles (such as this comparison between Covid-19 and cyber security maturity), I have long thought about the broader Red Team community and how our own actions and cognitive surplus feed into the very problem that we, and governments at large, are trying to solve.
To make my analogy and present my argument, I would like to first outline what cognitive surplus is, discuss the open-source tool community, and then present an interesting study I came across regarding social dynamics and money, before launching into some observations and ideas of my own.
Cognitive Surplus
Definition: Cognitive Surplus focuses on describing the free time that individuals have to engage with collaborative activities within new media.
While I have read and seen estimates putting the total global cognitive surplus at trillions of hours, and while the rise of generative AI and my own doubts about how accurately this surplus can currently be measured complicate the picture, it is still relevant to us in the security community.
Let me explain why I believe this to be the case, and to present a solution.
In perhaps some distant future, we will be able to precisely calculate the cognitive load required to fix, and indeed to break, security products, security processes, and security awareness, in terms of human hours.
Why is this relevant? Let's take, for example, the Zero-Day community. While Pwn2Own, Zerodium, government research labs and other players focus on reverse engineering widely deployed software, metrics are an important aspect here.
If we look at the code base of some prominent operating systems and software products, what is conceptually easy to understand is that focused human cognition is being used to identify flaws. The larger the codebase and the more technically challenging the vulnerability, the more these factors combine to determine what certain players are willing to pay for research:
If we take a look at the bounties offered by Zerodium, it is fairly easy to see that the more complex the codebase and the more mitigations bypassed, the higher the bounty:
Now this is all obvious and nothing new. However, the cyber security community deals with three fundamental layers: the human layer, the process layer, and the technology layer.
While clearly Zero-Days and other exploits sit in the technology layer, it is evident that the cognitive surplus that exists within the security community has given rise to a vast set of tooling that deals with all three layers:
Whether it is the MITRE ATT&CK framework, and associated tooling or manuals, whether it is the torrent of open-source tooling across IR, Penetration Testing, Red Teaming, Mobile, Hardware and all the other dimensions to technical work, or indeed the limitless information available related to human social engineering, operant conditioning, NLP, and more, this only seems to be growing rather than shrinking.
We in the commercial security community are paid to emulate a varying range of threat actors with varying levels of sophistication; what is evident is that most attacks that are feasible for a typical Blue Team to respond to sit outside the 1% of extremely sophisticated attacks launched by Nation States. I don't know if that statistic is right, but given that I've never Red Teamed an intelligence agency, I can't comment, nor do I believe anyone has real numbers there.
So, if we focus on the other 99% of attacks and look at this problem from the viewpoint of a government, or of the security community at large, trying to solve it, then I sincerely believe that the current use of security professionals' cognitive surplus is both damaging to corporate, personal and government entities and devaluing of the research time involved.
Off&Defsec Tooling
If we look at the areas of cyber security that are not generally paid for, and are therefore developed by way of cognitive surplus, most of the tools now all over GitHub are freely available to both attackers (cyber criminals, etc.) and the security community all over the world.
If we look at the concept of dwell time on a corporate network, the image below highlights an easy way to digest it:
All the above (and listed below) activities that the cyber-criminal needs to perform take time to map, code, and develop tooling for, so that these actions can be achieved as rapidly as possible:
1. Reconnaissance
2. Exploitation
3. Installation
4. Command & Control
5. Lateral Movement
6. Exfiltration
I initially got thinking about this when I wrote SharpSniper. Having worked on a Red Team in 2018 against a telecommunications business, I had been required to figure out how to do the same in PowerShell, as our team at the time needed access to specific users in the domain given our objectives.
Later, when the community had moved to C#, I spent some time developing the same technique to save time. Clearly the development of the PowerShell script was paid project work, but SharpSniper came by way of my own cognitive surplus.
It wasn't until a Red Team consultant friend sent me a GitHub gist that it transpired the ransomware group Conti had been using SharpSniper to achieve their ends.
This got me thinking: while Conti would have had absolutely no issue programming the tool themselves, the mere fact that it was freely available, among all the other Red Team tools we as a community had put out, meant we were contributing to decreasing organisations' effectiveness at defending themselves and increasing attackers' ability to accomplish their goals during their dwell time on corporate networks.
[Later I will also introduce how it could potentially be calculated how our unpaid efforts, born out of passion and cognitive surplus, correlate directly with the increased effectiveness of the attackers we purport to thwart.]
Since Covid, it seems, the number of tools ranging from loaders, recon toolkits, C2s and exploits to a massive range of other code that aids the attacker has exploded, and what may have taken some time to develop in the past is now all over the internet. A good example is the C2 Matrix: the number of open-source C2s now is incredible.
If you take this image, for example, and compare it to the image I presented of the size of the codebase of various operating systems, then what these Red Team tools across the whole kill chain are doing is effectively creating code across the entire OSI model to greatly improve the achievement of goals throughout attacker dwell time.
Yet no one is really being paid for these efforts (bar some tooling like Brute Ratel, and others); there is zero regulation, and cyber criminals across the world have unfettered access to every kind of tool imaginable to achieve their goals.
What is evident, then, is that while we hackers and developers enjoy our trade and freely commit our cognitive surplus to developing and sharing code, we are simply improving the effectiveness of cyber criminals in achieving their goals.
Social Dynamics
Now I am going to briefly tell a story I heard about the social dynamics of 10 day care centres in Haifa, Israel, which were studied to see whether punishing a behaviour has the effect of reducing it or not.
They studied the day cares at the period of highest tension, which is the children's pick-up time. At the end of the day, the teachers looking after the children would ask the parents to arrive at the allotted time to pick them up.
The parents, conversely, are busy and wanted some bandwidth to pick up their children a little late. So the study authors looked at how many late pick-ups there were at the day care centres each day: there were between 6 and 10 instances of late pick-ups on average in these day care centres.
They then divided the day care centres into two groups: one was kept as a control group with nothing changed, while in the other they implemented a fine of 10 shekels for a late pick-up.
Following the implementation of the change in the second group the behaviour of the parents changed substantially.
Late pick-ups in the group with the new fine went up every week for the next four weeks, until they reached triple the pre-fine average, and then fluctuated between double and triple for the rest of the study.
The entire culture of the day care centre changed: the parents' social debt to the teachers was replaced with a small fine, with no residue of guilt or social concern towards the teachers for picking up the children late.
This also had a long-term effect on the second group: when the fine was removed, late pick-ups continued to be double or triple as frequent as before the fine.
I see similar patterns in our community. I believe that when SpecterOps at some point realised that releasing open-source tools and performing intelligent marketing around them noticeably correlated with the bottom line of offensive security consultancies, there suddenly came, at least in my view, a huge volume of public research that arrived in a torrent and only keeps growing.
However, most of the researchers using their cognitive surplus to generate these tools, frameworks, and C2s benefit very little apart from some kind of "leet" acceptance, while the real beneficiaries are threat groups conducting Big Game Hunting ransomware attacks and similar.
Policy
While I don't believe that there is an easy fix for this, given that it encompasses social dynamics, legal, technology and open-source communities, I do believe that these kinds of tools should be:
1. Ring-fenced and not open-sourced.
2. Financially incentivised.
3. More directed, in the sense that some tools have 100 variations and some only one.
Clearly anyone with knowledge of dark web marketplaces and production-level ransomware operations will know that threat actors employ similarly structured markets and ecosystems, motivated by financial and political gain.
I reckon we should stop doing cyber criminals' work for them merely to receive some community accolades in return, and should instead ultimately reduce the dwell time of attackers across business, charity, and government, and create a commercial tooling market to incentivise the researchers.