Tuesday, September 21, 2010

Thoughts on "Cyber Weapons"

With all the activity concerning Stuxnet, I've been thinking about "cyber weapons." You might recognize the image at left as coming from the venerable rootkit.com site operated by Greg Hoglund since 1999 (for real -- check out archive.org!) When Greg started that site I remember a lot of people complaining about cyber weapons and putting offensive tools in the wrong hands. Now with tools like Metasploit and Ronin, people are bound to worry about the same issues. It would be terrible to see valuable tools get painted with the same "ban the guns" prescriptions I expect to hear when Stuxnet becomes more popular in the media.

So, in this post I'd like to share a few thoughts on differentiating security tools from cyber weapons (CWs). These are just my thoughts so I'd be interested in feedback. Some of them may be controversial and I could probably argue the opposite case for some of the items.

  • Operators develop CWs privately. I don't think a tool you can download from a public Web site qualifies as a true CW. Yes, you can use tools like Metasploit offensively, but a good deal of the value of a real CW comes from the "whoa" factor. (See the next point.) You can't preserve the "whoa" factor after publishing code on the Web.

  • CWs tend to be innovative. Innovation means incorporating 0-day attacks (researched by the developers), new command-and-control methods, or other measures. Real CWs take victims by surprise, especially if they target multiple aspects of the kill chain.

  • CWs tend to have specific effects. Think of Stuxnet and its programming to alter specific values in PLCs. These are actions designed to damage a target, not provide generic remote control access so intruders can open someone's CD player.

  • CW value degrades quickly. I believe a real CW is much less valuable after being used, often due to the points listed earlier. It's easier to disable a radar the first time than the second or third time. As soon as an aggressor uses a CW on a victim, the victim will try to be better prepared for later attacks and may be able to recognize or even thwart them entirely. Contrast that with a tool designed to help validate defenses or conduct audits.

  • Intent matters. The intent behind a CW is to enable the agenda of a nation state or other high-end structured threat, not simply to demonstrate a new technique, or be the best penetration tool, or compromise the most victims, or help administrators validate defensive measures. I don't think HD Moore (who wrote a great pitch on cyber weaponry) intends for Metasploit to be used by governments to harm each other or their citizens. Ask someone who develops real CWs for a living why they wrote CW X and they will likely say "because I was under contract to deliver X by date Y for customer Z."

I hope we can be clever enough to separate real CWs like Stuxnet from tools that serve a useful security function like Metasploit, because actions to try to outlaw all offensive tools would be devastating for defenders everywhere.


TOOTALL said...

I think you have made a really great argument for the need to differentiate between security tools and actual cyber weaponry.
I recently jumped ship on my career as a web/graphic designer so I could pursue my aspirations of working in info sec. I am a student at DeVry University and in one of my classes we recently had a debate over the public availability of tools and frameworks such as Metasploit.

In addition I just recently landed my first position in the IT workforce as a help-desk associate and trainer for a law firm here in Austin, TX. While much of my day is not in any way focused on the security side of our business, my manager recognizes my passion for developing myself in this arena and has had me following the recent Adobe 0-Day and Stuxnet worms.

I read this morning on Bruce Schneier's blog that Stuxnet is thought to "be the work of state-backed professionals" and it's my opinion that as more of these attacks come into the public's eye, the greater the responsibility there is to educate people on the difference between security tools and cyber weapons.

Many people seem to be under the impression that the threat lies with mis-intentioned "hackers" disturbing the peace for educational, mischievous, or criminal motives, yet I think that people need to realize that as more and more of our information and infrastructure becomes digital, the true threat is from governments.

I'm worried too that as Stuxnet and other similar threats become popular in the media that the "ban the guns" thought process will run rampant and it will become more difficult, especially for beginners such as myself, to educate ourselves and learn how to be successful information security professionals.

It's impossible to learn how to drive a car only by reading the manual.

Anonymous said...

I agree with Richard that people must differentiate between tools and cyber weapons. However, my real concern is the sophistication with which cybercriminals can act and destroy an important installation of a nation state. Moreover, in case the attacks are state sponsored, the ramifications can be catastrophic as the affected country is likely to retaliate. Governments and organizations need to be alert and strengthen their defenses against cyber-attacks. We need more cyber warriors such as those trained in certifications such as CEH to deal with the challenges of cybercrime and cyber war.

Chr1s said...

The problem here is that you can't always draw pretty lines around ideas that are borrowed from other things.

The people on Spanair flight 5022 might have called simple malware a deliberate attack intended to kill people, because it certainly was part of the problem. It didn't have to be a 0-day or developed by a leet hacker to any degree to kill people.

I think you should stick to “tool.” A classic example of a weapon can carry out very devastating things all by itself, requiring no medium, except for the person using it. In cyberspace, you need tools to support other tools, where the Internet medium or a physical, digital medium is required.

If you HAVE to use the ideology of a weapon in cyberspace, limit it to software that directly inflicts physical damage. I hate it when people take concepts like “war” and “weapons” and apply them to cyber-something. Why do you need to use “cyber weapon” in any context that “offensive cyber tool” wouldn’t be good enough (while being more specific)?

As soon as you begin to accept ideas like “cyber war” you will then accept ideas like “cyber weapons” because guns are used in warfare. It’s a slippery slope issue. The notion of a projectile breaking human flesh has no carry over to cyberspace. Seeing a handgun on a presentation about software is disgusting and offensive if not plain delusional. It is not the same.

Additionally, I do not agree with the notion that a “cyber weapon” degrades quickly. Take, for instance, class 2 information warfare: if a company wanted to modify or inject seemingly genuine information to control specific decision-making processes in a rival company, it follows suit with your other points. And the fact that it could go undetected for such a long time makes it a non-diminishing—possibly even value-improving—offensive cyber tool.