Schneier on Security

Clive Robinson • April 29, 2022 8:05 AM

@ Denton Scratch,

With regards,

… requires a very different skillset from defending against them.

In some respects yes, but in a lot no.

Look at it as defending against a conventional weapon like a spear or sling shot.

You have to understand the use of the weapon by an attacker to understand what it’s range, advantages and disadvantages are.

With that understanding you can then realise that “hight” gives a defender significant advantage over the attacker.

Likewise,

Penetration presumably requires some rather particular coding skills

Don’t make the mistake of thinking you have to be a skilled artisan in the art of weapon making, to either use a weapon or understand the advantages and disadvantages a weapon has. An understanding of the laws of nature being sufficient to abstract out what a defender needs to know for most weapons (including cyber-weapons).

Which brings us onto,

I’m not sure what defence consists of, but surely a large part of it is “normal”…

Things are only “normal” if they can somehow be predicted. That requires,

1, Understanding
2, Information
3, Time

Understanding I’ve kind of covered, but it does contain a “foresight” or “predictive” element. If you turn a new attack on it’s head you realise that somebody had to see things, apply the laws of nature and then act to make the new weapon.

Gunpowder came about we believe from the search for eternal life. Both Honey and salt petere have preservative properties and cooking them up together will as one is a fuel and the other an oxadizer cause an exothermic reaction of some intensity. As part of that process an excess liberation of gas that requires a significantly larger volume occurs. So if the container you cook in is sealed then an over preasure will result and eventually the failure will be explosive.

Seeing this gave basic understanding and information that rose via a series of events over time that gave us fireworks, rockets, hand grenades, mortars, cannon, long guns and pistols. As well as balistics and the basis for orbital mechanics.

Part of being a good defender is what our host @Bruce calls “thinking hinky”. It looks like a kind of magic or almost god like ability to foresee events before they happen.

Well I can tell you for free it’s not magic or god like, you just need to firstly be “eternaly curious with a passion”. A thirst for understanding much greater than the norm is the start of it. Then be of sufficient inteligence to extract out information from what you observe and a little practical application to both test your ideas and gain confidence. All of which give you more time to think about things than the average person.

In short the basic traits of an inventor, artisan, scientist, or engineer.

Whilst formal training can speed the process of gaining knowledge depth you realy need that inate curiosity to develop the required knowledge bredth to be in effect a Renaissance Man who takes knowledge from one domain into another domain.

As your skills of observation improve they become increasingly sub concious. That is you see in less than a glance what hours of staring will not be revealed to others.

Your brain has become more acutely tuned to a new form of pattern recognition. Whilst you might not be using it as a survival instinct, that is what it is based upon.

Like all skills it improves not just with the frequency of use, but how you use it. You can train yourself to recognise the shape of things and realise when one process has the same underlying drivers as another process. Then move forward and test the ideas from one domain in another.

For instance what is now Information Theory and Shannon’s original work on information. He did not think of it as “entropy” untill an almost casual remark from someone else who recognised the underlying form of Shannon’s equations. Then he realised that much else applied from thermo-dunamics to information. Now some ask if infact the physical laws of thermo-dynamics are in effect a subset of information theory…

Similar can be seen with Eisenstein’s Field Equations, a limited version of them give Issac Newton’s equations for gravity that give us in turn basic orbital mechanics which you can in fact work out with no more than one of Newton’s laws of motion and the rules of Pythagorean triangles as they pertain to circles (yes I’ve actually done this and you can to if you hold a childs hoop in your hands and simply turn it through two of the three dimensions).

To understand the world you need a child like view of it to gain understanding. You then need to develop the understanding of knowledge to abstract out the information and give yourself the time to work with it.

If you can then see something before others not only do you have a claim on originality, but you also can start ahead of others as to thinking how it could be weaponised, and abstract from that the strengths weaknesses and thus the characteristics to recognise others using it, but more importantly how you can defend against it.

Too many people think “Event then mitigate” that is “reactive thinking/defence” and always fails for someone if not a lot of someones. The ability to forsee means you can “mitigate thus prevent” which is “proactive thinking/defence”.

The problem is you can not be either proactive or reactive against every single instance of attack, you get into the “requires to many resources” issue.

The trick is to abstract out the features that make many instances of attack into a class of attacks and then mitigate against the key class atributes.

To see this think about “Fire Drills” they are one of many “Drills” against a whole pantheon of threats, Fire, Flood, Earthquake, chemical spill, and so on, the list is endless and some will never happen to you at any given place. So if you had a drill for all of them you would be for ever practicing them not working… The trick is to realise that there are two basic ellements they all have in common,

1, Evacuate from place A to place B.
2, Using a safe route.

From that point on your activities are,

3, Characterise all threats
4, Find or build a safe point B and a route to it to mitigate the identified characteristics.

Then “job done”…

Basically you collapse down all the threats and come up with a single Drill to cover them all.

The process of building defencess is almost exactly the same. The process is not complicated in of it’s self. However as always “The devil is in the details” and thatcis where practice that gives experience helps you recognise what are the essentials to cover.

With regards,

… a significant proportion of hostile network traffic originated in Ukraine. I imagine Ukraine has at least the attack capability of Russia.

This is something I caution against with,

Attribution is hard very hard.

Basically you have two basic problems,

1, Copying or changing data is easy.
2, You only see data you are shown.

Which means your level of certainty is at best very very low. Because you can only have modest certainty about traffic flowing into or out of the node you are at, no more.

Take a LAN concected by a Gateway to another Gateway on a WAN. The reality is those gateways are a “node” and the wire between them the “edge” at some level. If you “instrument the wire” then you can see data entering and exiting the adjacent node or even both nodes. But… Unless you monitor “the wire” at both nodes, how do you actually know if there are not hidden nodes in the wire you can not see?

The answer is “almost certainly there are nodes you can not see”. Because the cable leaving the gateway is say two wire twisted single pair bi-directional. For ease of transmission out of your sight that gets split into four wire two pair of twisted pair each being unidirectional. The invisable node is a “2 to 4 wire hybrid”. The thing is being now uni-directional, injecting other data is almost trivial, only the hybrid stops you seeing it happen.

The same rules apply as you go up first all the hidden layers within the “physical layer” of the communications stack then other layers of the stack.

What you see coming out of the top of the stack you have no real idea where it came from.

Almost by definition what is beyond your perimeter is beyond your control, the only real knowledge you have is you realy do not know where your perimeter is… In short it’s the application layer of the machine you are using, anything beyond that is an assumption, without correct instrumentation.

But something we do know… There were quite a few “Russian Malware developers” effectively under Putin’s protection in the Ukraine for various reasons. Likewise we know that some Ukrainian machines were effectively VPN end points and the like for activities that originated from elsewhere some even in the US.

As indicated you are only getting given data somebody wants you to see, not reality.

For instance we now know that Russia attacked South Korea via China to get into North Korean networks to hide the fact the attack originated from Russia. In effect Russia made North Korea look the guilty party to the world, including US NSA and other IC assets being “on the spot” in South Korea.

This sort of thing goes on all the time and it can be very very difficult to untangle.