Thursday, August 16, 2007

Change the Plane

Call me militaristic, but I love the History Channel series Dogfights. I hope the Air Force Academy builds an entire class around the series.

I just finished watching an episode titled "Gun Kills of Vietnam." The show featured two main engagements. Both demonstrated a concept I described in Fight to Your Strengths. In the first battle two A-1H Skyraiders (prop planes) shot down a MiG-17 (a jet) using their cannons. The Skyraiders survived their initial encounter with the MiG by out-turning it at low speeds. They made the MiG fight their fight, and the MiG lost.

In the second battle, an F-4 flown by pilot by Darrell "Dee" Simmonds and backseater George McKinney Jr. downed another MiG-17 using their gun. In that fight, the slower but more maneuverable MiG-17 was out-turning the F-4. In the show McKinney said a less experienced pilot would have fought the MiG's fight by trying to turn with the MiG, probably giving the MiG an opportunity to down the F-4 when the F-4 overshot the MiG. Instead, a highly skilled pilot would act differently. In Simmonds' words:

You can not turn with him... you have to get into another plane.

The "plane" in this case is geographic, not the actual fighter plane. The F-4 leaves the X-Y plane and enters Z, the vertical plane. Simmonds put the F-4 into a "high yo-yo." The image above shows the technique, which can also be seen at the Dogfights clips page. Coming out of the yo-yo put the F-4 right behind the MiG, allowing Simmonds to shoot it down.

Of course this made me think about digital security. We are constantly trying to fight the black hat's fight. We should instead "change the plane." What does this mean in actionable terms? I'm not sure yet. Obviously in air combat it's not about surviving the enemy onslaught and never shooting back. Maybe it's time security researchers concentrate on vulnerabilities in the tools used by intruders, like what the Shmoo Group presented at Def Con 13, e.g., multihtml exploit vulnerability advisory? Ideally law enforcement would be striking back for us, but we're still in Wild West mode until LEAs catch up. What do you think -- how could you change the plane?


Matt said...

Pollute their collected data to the point that it's not either valuable, or too risky to use.

Christofer hoff said...

I'd definitely change the engagement tactics with who and how we respond. I think the days of passive detection and tepid neartime response with the odd firewall rule and IPS Drop/RST as the ONLY responses are over.

I think we need active countermeasures with staff that know how to use them when we have actionable intelligence to do so.

No, I'm not suggesting tearing off a DDoS on every zombie spewing malware on the planet, but surely we can take a more effective stance in not just resisting the enemy but fighting back.

I posted about an organizational element of how to "change the plane" just a day or so ago...I don't actually think we're fighting our adversary's fight at the moment...we're merely limiting our responsiveness based upon what appears to be good measure.

Send in the Leviathan force!


kurt wismer said...

[math pedant]
z is not a plane, it is an axis... a plane is a 2 dimensional surface defined by the intersection of 2 lines (such as a line parallel to the x axis and a line parallel to the y axis)... by traveling in a 3rd dimension one changes the z component of one's position and therefore reaches a lower or in this case higher x-y plane...
[/math pedant]

not that that changes the underlying meaning or affects your point at all... however it could just as easily be described as lateral thinking/thinking outside the box...

as for what is actionable - in order to play to your strengths and exploit the enemy's weaknesses you must first know what your strengths and their weaknesses are... the first step in reaching the goal should be to identify and enumerate those two classes of things... how you then use the resulting information depends a great deal on the context and whatever details are pertinent to it...

mh said...


Yeah.. we presented similar things at Defcon 12, titled "when the tables turn", which included striking back at tools like metasploit, and throwing in enough confusion during footprinting, etc (you would have liked screwTrace, which basically sat on ur firewall, and spoofed responses so traces that should have ended with ur network bounce all around the world.. (with visual route it looked like hacking on TV) :>

Also, check for a "strike" against "hamster/sidejacking"


Anonymous said...

i don't really see a way to 'change the plane'.
our opponents are more burglers than boxers. as soon as i feel hurt i can trace the cause and react - if i'm good i'll learn of it and find a way to prevent/counter the next attack of this kind - ok.
but fact is: there are just too many ways someone can hit me and inflict damage.
since i don't have complete knowledge and understanding of every component thats running (in) my network (and sure as hell never will) - i see no general technique that would allow me to take the initiative.
its always gonna be something specialized - with all the consequences.

i guess it would be nice if we could make our opponents more visible and turn their sneaky moves into some kind of pain which would be easy to recognize and respond to.
...but this means that in the end there would again be an employee or "intelligent" server who has to interpret things right, so we're back where we started.

Adam said...

One way to fight our fight is to utilize our home field advantage. You can exploit the attackers lack of knowledge of your network by setting up honeypots, which will not only confuse and distract her, but also provide a way for you to detect her.

LonerVamp said...

Thanks for the additional links in your comments. It's nice to see that some thoughts I've had about a more aggressive defense are not necessarily new but also shared by others, even in years past. A recent Wireshark DoS vuln is another example, or attempting to root a Backtrack user with the default username and password.

You can even bring that idea back to air combat, in a way. Once you get into my air space and out of neutral or off-limits territory, you can be mine.

Of course, we're really not going after the threats even in my example, because an attacker can still just leave well enough alone and I'm not going to necessarily go after him unless lawyers say we need to, and that's their game anyway. I'd rather not become an unofficial vigilante...

Unfortunately, I really feel it takes some real free time or real backing to devote official work time to getting very offensive with our defenses. We have to really work to get write-offs for security beyond business-supporting functionality, let alone to write-off from security a more aggressive approach. It's like another abstraction away, in my view.

Still, that won't stop me from trying and playing with the idea!

Anonymous said...

Computer/Network security is not a "war" in the traditional sense, we can not simply adapt and overcome obstacles according to the "book". This war is too dynamic with too many variables. This is very similar to using troops as a police force, it doesn't work - it isn't supposed to work.

LEA needs to find new ways to catch up - perhaps virtually deputizing many in the commercial field is a start. Provide the right set of processes/procedures/tools and let us actually help them in the trenches...

virtual soldiers (contractors) are on the front lines (and supporting lines) in Iraq - why should we not be deputized to help clean up this mess.

I'm not advocating vigilante justice in it's entirety, but a few hundred trained professionals actively (versus passively) participating with LEA might lead to changes. Of course you get into who is monitoring the monitors - but we're already there anyway...
just a thought

kurt wismer said...

"i see no general technique that would allow me to take the initiative.
its always gonna be something specialized - with all the consequences."

it's that way in the real world too - notice how specialized the examples are... there is no single technique that applies generally, the trick is following the general principle of finding and using those specific techniques...

"I'd rather not become an unofficial vigilante..."

indeed, taking offensive action against criminals is a task for those granted the legal authority to do so...

"Computer/Network security is not a "war" in the traditional sense"

it's not a war in any sense, wars are fought between very different sorts of principals (nations or other large cohesive groups, not individuals - individuals fight battles)... also, the 'threats' involved are criminals which makes going after them the purview of law enforcement...

hogfly said...

Here's an off the wall abstract idea for you. Don't expect this to be completely thought through.

I tend to think that we could provide machines with the ability to learn and respond with a communal intelligence system whereby the systems talk to one another and create their own internal system of trust.

Machine learning sensor at network perimeter has been running for 6 months on a corporate network. It has determined a normal or baseline traffic pattern.

sensor notices an oddity and sends out the equivalent of a BOLO (be on the look out) to other network devices and even systems running the same machine learning system.

These systems would communicate and determine the real threat level with an analysts intervention. escalation path to a higher awareness state would be enabled to respond to the threat. This could be a stricter policy on firewalls, IDS, IPS, routers, logging systems and so on. When enough data for analysis has been captured and analyzed, it gets submitted to an analysis sandbox where virtual machines are loaded up to replicate the corporate network. The machine learning system then re-configures each participating system to re-route traffic of suspicious nature to the sandbox where an analyst could view the effects and make the decision to enable a more permanent defense, set a timer for how long the higher awareness state would last, or revert to normal state.

Richard Bejtlich said...

Deputizing parts of info sec is an interesting idea... in some ways these government-industry partnerships are moving in that direction. I need to read a history book about the Wild West to see how citizens were deputized...

Christofer Hoff said...

"I need to read a history book about the Wild West to see how citizens were deputized..."

I believe it went something like:

1) Hey You!
2) Here's something Shiny
3) Shoot this guy in the picture

When subject #1 fell down due to fast acting lead poisoning, you go find subject #2.

I'm sure it works the same with InfoSec...



jbmoore said...

In Dogfights, the best pilots "know" their aircraft and generally know the strengths and weaknesses of the enemy aircraft. It's also about energy - maintaining your potential energy such as the technique of leveling your wings after you break to maintain speed (energy) so that the MIGs don't gun your brains out because you are too slow and can't avoid them. They showed how Epstein took on 11-12 MIGs and survived by maintaining his energy.

The pilots know their physics, their aircraft, and their enemies aircraft. They maintain situational awareness and the best pilots have better eyesight. It's the guy you don't see who sees you first who kills you.

How does it translate to network attacks? It's the guy you don't see who "kills" you. All things being equal, you and the adversary are on equal footing. You both have the same resources and access to knowledge of the underlying technology. In the end, it comes down partly who is the better system administrator and programmer. Who understands the technology and its use better. This includes who understands the underlying flaws and can exploit them.

In this case, you are using the wrong analogy. It's not a Dogfights kind of situation because network attacks are indirect and to an extent very impersonal and shadowy. It's a Burn Notice situation. In Burn Notice, you assess your opponent's strengths and weaknesses and exploit his weaknesses. If there are no weaknesses, what's left? Psychological warfare. You appeal to their greed or laziness or paranoia. You make them question their own people or technology. For instance, they pointed out in Burn Notice that the CIA broadcast white noise to the Russian's listening posts. The Russians assumed the broadcasts were encrypted and wasted resources trying to decrypt complete noise. This is why honeypots, hogwash and other tools are useful. They look vulnerable and easy and they waste attackers resources and efforts and give you the edge. Social engineering an attacker is more difficult, but they have egos and can likely be exploited.

Our main issues in this venue is that there is very little cost/benefit analysis not to mention intel gathering. We don't sit down and analyze which tools work most of the time and which tools fail most of the time, which practices are worth implementing and which aren't, which practices work independently of what the attacker are doing, and which aren't. You are one of the few who understand this.

Here you are showing that AV programs are quite buggy, but since the attackers are changing the malware before any signatures come out from the AV vendors, they don't even need to exploit the bugs because the common weakness of all passive scanners is their signature databases. Which gets me further, stay off the database so that I'll never be detected by any AV scanner or knockout a few AV programs and possibly bring my actions to someone's attention when their AV software's process dies or dumps a core file, and the latter only gets me anywhere if it's a particular AV program that I know has those bugs.

So, we exploit the natural laziness of the attacker. Emplace multiple honeypots on your network. Configure two high interaction honeypots with telnet and have fake users and passwords that aren't on your network. Make a vulnerable FTP server with the same fake users and passwords. Make a high interaction PHP honeypot web server with high logging levels to see what attacks are coming your way. Misdirect and distract the attackers. Be a magician.

As far as gathering other intel, talk to your ISP's security team and ask them what attacks and malware they are seeing. They probably see more stuff than you'll ever encounter as an individual investigator. Don't trust your security vendor until you can verify that the product does what they say it does. Have your network tested by a reputable third party that specializes in pen testing.