3. True innovation in ‘cyberwar’ is cognitive
[Figure (ref: Dave Aitel): offensive cyber plotted on two axes. Effects axis: Deceive, Deny, Degrade, Destroy, Disrupt (“innovations around effects”). Techniques axis: Offer, Remove, Analyse, Access (“innovations around techniques”). Arrows mark increasing innovation and increasing symmetricity.]
4. Cognitive cyber offence
There are fundamental reasons why most countries focus on passive
or kinetic cyber as the ultimate tier of capability—typically the
organisations with authority to engage in cyber are the Intelligence
Services and the Military. They are institutionally predisposed to
collecting data or conducting “deny, disrupt, destroy, degrade”
operations to enable and support their forces
-- The Grugq
5. Cognitive cyber offence
[The way the US] came to technology defines how we think of it, and
the West came to cyberspace through computers and hacking. Other
cultures, however, approached cyber differently, primarily from its
basic theoretical premise of providing a tool for control of
populations
-- Richard Danzig
6. Cognitive cyber offence
[Cyber] effects will be produced by the manipulation of software, data,
knowledge, and opinion. The objective is not kinetic but cognitive
effect, the manipulation of information to change thoughts and
behaviours
-- James A. Lewis
7. Cognitive cyber offence
On January 24, 2019, The Bulletin of the Atomic Scientists set the
doomsday clock to two minutes to midnight
The group added: “rather than a cyber Armageddon that causes
financial meltdown or nationwide electrical blackouts,” a larger risk
is the use of cyber-enabled information warfare that erodes “the
trust and cohesion on which civilised societies rely”
8. Cognitive cyber offence
• “…the heart and soul of the Soviet intelligence was subversion. Not
intelligence collection, but subversion: active measures” – Oleg
Kalugin, KGB
• The Smith-Mundt Act & the US Information Agency
• TS Kuhn’s The Structure of Scientific Revolutions & data-driven
behavioral modelling
11. Cyber offence is pure politics
• With the right kind of eye, you can see politics in malware code
• Offensive toolchains have a political architecture
• Cyber attacks have a distinct political signature
12. Cyber offence is pure politics
• Case studies:
  • Malware code reuse as an expression of political semantics
  • Exploitation as a technology tree (ref: Dave Aitel)
13. Code reuse: from opcodes to ontology
…we hope that the research community will take cautious advantage of
a higher ontological category to describe collaborative frameworks
for multiple threat actors
…a focus on this ‘multi-tenant’ model of modular malware
development…should allow for…an understanding of… the
organizational complexities behind clusters of malicious activity
that defy simplistic attribution claims
-- J. A. Guerrero-Saade/Chronicle
14. Code reuse: from opcodes to ontology
“Your adversary has a boss and a budget”
-- The Grugq paraphrasing Phil Venables
15. Code reuse: from opcodes to ontology
2006: Thomas Dullien ran a “phylogenetic clustering algorithm” on a
genus of malware, finding that “although we have ~200 samples, we
only have two large families, three small families, two pairs of
siblings, & a few isolated samples”
2011: Google acquires Zynamics
2012: Google acquires VirusTotal
2017:
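The 2006 “phylogenetic clustering” on slide 15 is the defender-side analysis the rest of the deck leans on: samples are grouped by the code they share, not by a label somebody assigned. The following is an added Python example, not Dullien’s or Zynamics’ code and not part of this deck, showing the simplest form of that analysis: each sample is reduced to a set of function fingerprints, pairwise Jaccard similarity at or above a threshold links two samples, and union-find turns the links into families, which are then counted as large families, small families, sibling pairs and isolated samples. The corpus, the fingerprint strings, the 0.45 threshold and the size cut-offs are all constructed assumptions.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Set

# Constructed corpus (assumption, not real malware): each sample maps to the
# set of function fingerprints recovered from it, e.g. hashes of function
# bodies with addresses masked. Names such as "fam1_a" are chosen so the
# expected grouping is visible; the clustering below never looks at them.
SAMPLES: Dict[str, FrozenSet[str]] = {
    "fam1_a": frozenset({"f01", "f02", "f03", "f04", "f05", "f06"}),
    "fam1_b": frozenset({"f01", "f02", "f03", "f04", "f05", "f07"}),
    "fam1_c": frozenset({"f01", "f02", "f03", "f04", "f08", "f09"}),
    "fam1_d": frozenset({"f01", "f02", "f03", "f08", "f09", "f10"}),
    "fam2_a": frozenset({"g01", "g02", "g03", "g04", "g05"}),
    "fam2_b": frozenset({"g01", "g02", "g03", "g04", "g06"}),
    "fam2_c": frozenset({"g01", "g02", "g03", "g06", "g07"}),
    "pair_a": frozenset({"h01", "h02", "h03", "h04"}),
    "pair_b": frozenset({"h01", "h02", "h03", "h05"}),
    "lone_x": frozenset({"x01", "x02", "x03"}),
    # "f01" stands for a common runtime function also linked into family 1.
    "lone_y": frozenset({"y01", "y02", "f01"}),
}


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Share of fingerprints common to both samples; 0.0 for two empty sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster_samples(samples: Dict[str, FrozenSet[str]],
                    threshold: float = 0.45,
                    ignore: FrozenSet[str] = frozenset()) -> List[Set[str]]:
    """Single-linkage clustering: any pair at or above `threshold` is joined.

    `ignore` lists fingerprints to mask before comparing (known library code),
    so that reuse of a shared runtime is not read as a shared developer.
    Returns clusters largest first, ties broken by the smallest member name.
    """
    names = sorted(samples)
    feats = {n: samples[n] - ignore for n in names}
    parent = {n: n for n in names}          # union-find forest

    def find(n: str) -> str:
        while parent[n] != n:
            parent[n] = parent[parent[n]]   # path halving
            n = parent[n]
        return n

    for a, b in combinations(names, 2):
        if jaccard(feats[a], feats[b]) >= threshold:
            ra, rb = find(a), find(b)
            if ra != rb:
                parent[rb] = ra

    groups: Dict[str, Set[str]] = {}
    for n in names:
        groups.setdefault(find(n), set()).add(n)
    return sorted(groups.values(), key=lambda g: (-len(g), min(g)))


def summarise(clusters: List[Set[str]]) -> Dict[str, int]:
    """Count clusters by size band (the cut-offs are an assumption of this example)."""
    summary = {"large_families": 0, "small_families": 0,
               "sibling_pairs": 0, "isolated": 0}
    for g in clusters:
        if len(g) >= 4:
            summary["large_families"] += 1
        elif len(g) == 3:
            summary["small_families"] += 1
        elif len(g) == 2:
            summary["sibling_pairs"] += 1
        else:
            summary["isolated"] += 1
    return summary


if __name__ == "__main__":
    found = cluster_samples(SAMPLES)
    for group in found:
        print(sorted(group))
    print(summarise(found))
```

The `ignore` parameter is the caveat that matters for the deck’s attribution argument: a statically linked runtime function (`f01` in `lone_y`) is code reuse without any shared development, and at a loose threshold it pulls an unrelated sample into a family unless such fingerprints are masked before the similarity is read as a relationship.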
18. Cyber offence is pure politics
Map the adversarial ecosystem of cyberspace in anthropological
detail with the aim of increasing our understanding of our adversaries
and our own incentives and methods of operation
-- Richard Danzig
22. Cyberspace is [a] continuously contested territory in which we can
control memory & operating capabilities some of the time but cannot be
assured of complete control all of the time or even of any control at any
particular time
-- Richard Danzig
A Contested Territory
23. Possession, ownership & control [of data & assets in cyberspace] do not
overlap
-- Thomas Dullien AKA Halvar Flake
24. Ecology professor Philip Greear would challenge his graduate students to
catalog all the life in a cubic yard of forest floor. Computer science
professor Donald Knuth would challenge his graduate students to catalog
everything their computers had done in the last ten seconds
-- Dan Geer
25. [Cyber] offence & defence is the wrong dichotomy: it should be control &
non-control
-- Dave Aitel
26. We will respond…we’ll respond proportionally, and we’ll respond in a place
and time and manner that we choose
-- President Obama on the Sony Pictures hack
Gone for a toss: causality & proportionality
30. A Contested Territory
Why do we need universal threat ontologies & taxonomies?
• OpenC2
• ATT&CK
• CAPEC
• OpenDXL
• MITRE CAR
• Unfetter
• STIX-TAXII
• YARA
• OpenIoC
• IODEF
• MISP
• VERIS
• SCAP
• …
31. A Contested Territory
Vendors as foot soldiers
Malware used by the U.S. in offensive cyber-operations plays “nice”…
“We see guardrails on malware from nations like the U.S.”
-- Kevin Mandia, FireEye
33. The declaratory model: 1995-2014
• Dave Aitel labelled Stuxnet as the “announcement of a team”
more than anything else, which could take out any factory,
any time
• The current structures of offence are biased towards
declaratory dominance
34. The escalatory puzzle
Look, we’re moving into a new era here where a number of
countries have significant capacities…But our goal is not to
suddenly, in the cyber arena, duplicate a cycle of escalation that
we saw when it comes to other arms races in the past, but rather
to start instituting some norms so everybody’s acting responsibly
-- Barack Obama, 2016