Friday, August 24, 2007

threat centric reality check

readers of richard bejtlich's tao security blog are no doubt familiar with a concept he frequently promotes called threat centric security... this is a security paradigm that tries to eliminate threats as opposed to vulnerability centric security which aims to eliminate vulnerabilities...

he's mentioned it in a number of posts and i've often gotten the feeling that there was something that wasn't quite right but i could never really put my finger on it until i read this article on bad guys last week where he said:
It's important to remember that we're fighting people, not code. We can take away their sticks but they will find another to beat us senseless. An exploit or malware is a tool; a person is a threat.
when i read that it suddenly became crystal clear to me, the underlying problem i had with what he was saying about threat centric security was rooted in his classifications...

on the one hand i can see where he's coming from; just about every negative security consequence we can think of can be traced back to a person or group of people... whatever the attack, there's always a person who initiated it and as the saying goes, kill the head and the body dies... this is why one would say malware is just a tool, because one sees it as nothing more than an extension of the attacker and hypothesizes that if you take the attacker out of the equation the malware will become irrelevant...

there are a number of problems with this and the first is that malware is more than just a tool... a hammer is a tool and a person has to physically swing it each and every time s/he wants to strike a nail... malware, on the other hand, is an agent and has the ability to be far more autonomous... the most fundamental benefit an attacker receives by employing malware is automation; s/he may only need to press a button to start the malware doing a complex and time consuming set of tasks, and it's not going to stop just because the attacker has been put in jail... it doesn't need the attacker at that point, it will just keep going until either its programming or its controller tells it to stop...

generally speaking viruses and worms have neither a built-in stop condition nor a controller interface that would allow someone to tell them to stop, so putting the person responsible in jail isn't going to have any effect on the spread of that virus or worm... this is part of the reason why old viruses never die and why there are still people out there trying to remove 15-year-old boot sector viruses... once a virus or worm starts self-replicating in the wild, the person responsible is already out of the picture...

in spite of the fact that old viruses never die, some would likely argue that viruses aren't really a big issue anymore... fine, then let's talk about what has replaced them as the scourge of the internet - botnets... botnets do have a controller interface, but what good is that if the person doing the controlling is put in jail? maybe part of his/her sentence could be to instruct the bot software to uninstall itself from all the victim machines, but that assumes that someone else hasn't already taken control of the botnet... just as thugs employed by a crime boss find a new crime boss to work for when the existing one is busted by the cops, so too can an existing botnet be used by a new crook when the old one is taken out of the picture... in this case it's not kill the head and the body dies, it's kill the head and a new head will come along and take its place... ultimately the same is true of virtually all non-replicative malware in some sense - take one attacker out of action and another one steps in and continues using the malware... this is why it's important to consider malware as more than just a tool or extension of the attacker; it's an agent operating on behalf of an attacker, and once it's been put into action, taking the person responsible out of action doesn't change what it can do...

that leads us to the second problem - the conceit that fighting people can replace fighting code... at the end of the day the threat centric security that focuses on people is called law enforcement, because the people in question are criminals... we all know how effective law enforcement has been at eliminating crime in the physical world, so it shouldn't be too much of a surprise to realize that it will probably be no more effective at eliminating cyber-crime... a sword on the battlefield stops being able to cause you harm only when there's no one left to wield it; and so too with non-replicative malware, it only stops being able to cause harm when there are no more cyber-criminals left to employ it - and since there's a seemingly endless supply of criminals, the malware will continue to be capable of causing harm in spite of our efforts to put the criminals behind bars...

finally, on a historical note, in case anyone is thinking that the threat centric security that richard bejtlich talks about is something we need to start doing, it's actually been going on for rather a long time now... remember christopher pile aka the black baron? how about david l. smith aka vicodines? then there's mike calce aka mafiaboy and kim vanvaeck aka gigabyte... even robert morris jr. faced legal repercussions for the morris worm... that's going back nearly 20 years, and it's just the tip of the iceberg as far as sheer numbers go...

don't get me wrong, i'm not knocking threat centric security, i think it's important, but there's more to it than just fighting people... malware in general doesn't depend on vulnerabilities (plenty of it spreads by tricking users rather than by exploiting flaws), so anti-malware security can't be said to fall under the umbrella of vulnerability centric security... even encarta says that things can be threats too... malware is a threat agent (or a threat, as those who prefer more ambiguous terms would say); it may not be in charge, but it is a thing that acts to cause harm, and taking out those instances that come your way qualifies as a type of threat centric security...

2 comments:

Richard Bejtlich said...

Kurt, I see your point but consider these.

You say:

"malware is more than just a tool... malware... is an agent and has the ability to be far more autonomous... the most fundamental benefit an attacker receives by employing malware is automation... it's not going to stop just because the attacker has been put in jail..."

You're thinking post-creation. I'm talking pre-creation. You take the malware writer off the street or deter him and the malware is never written and deployed.

You say:

"we all know how effective law enforcement has been at eliminating crime in the physical world so it shouldn't be too much of a surprise to realize that it will probably be no more effective at eliminating cyber-crime."

You're thinking "elimination." That is an impossible and unnecessary standard. Perfection is not required. (Incidentally if you think you can achieve perfection in code, that is a really ridiculous idea!)

I'm not sure where you live, but I'm guessing the daily possibility of physical bodily harm, or theft of your possessions, or any other of the hundreds of negative acts which could happen is pretty low. You can credit law enforcement for a good portion of that.

You said "there's a seemingly endless supply of criminals," and that is true of the physical world as well. Yet, we are not living in anarchy thanks to law enforcement.

kurt wismer said...

"You're thinking post-creation. I'm talking pre-creation. You take the malware writer off the street or deter him and the malware is never written and deployed."

you're right, i am talking post-creation... you're also right that a malware creator who's taken out of action can't create any new malware... that said, i talk about post-creation because there is already malware out there needing to be fought and because we will never get all the malware creators, so we will never stop the malware creation...

again, that's not to say that we should stop trying to get the malware creators, but merely to point out that stopping them doesn't obviate the need to fight code at the same time...

"You're thinking "elimination." That is an impossible and unnecessary standard. Perfection is not required."

on the contrary, in order to posit that we aren't fighting code we have to be able to stop fighting code, which has as one of its prerequisites that we completely stop new malware from being written... the only way that can happen is if we completely eliminate the malware writers...

i know this is an impossible task, that's actually why it supports the argument that we still have to fight code...

"You said "there's a seemingly endless supply of criminals," and that is true of the physical world as well. Yet, we are not living in anarchy thanks to law enforcement."

true enough... and i imagine that the internet wouldn't have progressed to such a stage of ubiquity if there hadn't been law enforcement keeping cyber-villains in check this whole time...