Duo Tech Talk: A Behind the Scenes Look at Creating DARPA’s Cyber Analytic Framework
Last Thursday, we hosted our October Duo Tech Talk featuring Peiter Zatko (also known as Mudge) at the University of Michigan’s Industrial & Operations Engineering building. Currently working at Google’s Advanced Technology & Projects division, he was formerly a program manager at the Defense Advanced Research Projects Agency (DARPA) where he oversaw cyber security research.
He was also a prominent member of the high profile hacker thinktank/collective, the L0pht. Back in 1998, Mudge testified in front of Congress with the rest of L0pht, infamously stating that they could shut down the entire Internet in 30 minutes.
Mudge came to visit Ann Arbor and present some valuable insights on an Analytic Framework for Cyber, used by DARPA to evaluate and determine areas of research they should pursue in computer and network security and exploitation.
At DARPA, Mudge hoped to bring his ‘hacker ethos’ to the conservative organization, creating a Cyber Fast Track (CFT) program that gave small grants to more agile individuals and small research groups to provide innovative security technology. Here’s a full list of those projects.
Launched in the fall of 2011, the program primarily worked to grant funding quickly - the average time to funding was five days after submitted proposals. One of the projects to come out of the program includes Charlie Miller and Chris Valasek’s car hacking research, another Duo Tech Talk: Hacking Cars: Security-Conscious Design for Auto Manufacturers. The CFT program stopped taking submissions in March 2013.
DARPA Analytical Framework
As a DARPA program manager, Mudge provided more strategy than tactical focus for the government agency by creating an analytical framework that focused on the actual larger problem we’re trying to solve, as well as how to evaluate what’s going to make the biggest impact on the problem.
His formula for a winning program pitch:
- The problem
- Why current or existing solutions will never close on a meaningful solution - you can throw a lot of money/time/effort at it but you’re still doomed.
- Thank God for me! (Presenting your crazy idea)
- Explain why it’s not actually as crazy as it seems - offer previous data/research and reasoning as to why it may work
- It’ll cost some money
Insecure Systems, Bad User Hygiene & Supply Chain Compromise
The first example he used was HBSS, the host-based security system that exists on all of DoD’s systems (similar to McAfee or Symantec) that lists all of their access control lists, rules and policies, antivirus, etc. The licensing of the system cost 26 million a year plus the personnel and support staff to manage it.
They examined two well-known remote exploits, tweaked them and found that they worked on HBSS. They were able to leverage that to about 30 local privilege escalations, proving it was easy to gain access into government systems.
Another issue they had with security within the agencies was bad user hygiene - users that would use USB sticks across systems and use only slightly altered (and predictably patternized) passwords across different logins. While users may know the risks involved in their behavior, they may be motivated more so to get the job done quickly or make their lives easier, at the expense of security.
He also discussed the issue that the supply chain is potentially compromised, due to the fact that many of the components for the F-35C fighter jet are manufactured in China and Taiwan, which are outside of our supply chain jurisdiction. He then talked about the best ways to implement back doors that can be leveraged for future access (conduct a security assessment but don’t fix the bugs), and how they can appear to be accidents.
“Attribution is the antithesis of the game.” From the perspective of an attacker, just having good logging in a separate system that’s immutable can be a major deterrent. For many states carrying out industrial espionage, they would rather fail at their mission and go unnoticed rather than succeed and draw attention to themselves.
Evaluating the Success of Security Solutions
Another issue they had was the fact that they were doing a lot, but were they actually able to measure the success of their efforts? Mudge found the number of cyber incidents from 2006-11 were increasing, as reported to the US-CERT by Federal agencies. However, he also found that the federal defense cyber spending was also increasing, meaning that despite the amount of money and effort put toward security, incidents were still rising.
He also compared the lines of code per security software, and graphed them over time. From 1985 to 2010, he found that the lines of code were increasing in volume, with more than 10,000,000 lines of code being found in Unified Threat Management software. He then plotted the average lines of code of malware, which evened out to 125 lines of code, which stayed steady over the same time period. That means, despite continued and increased efforts/longer lines of code, we are still attempting to combat malware that hadn’t changed that much.
The Problem with Security Software
Mudge pointed out how additional security layers often create vulnerabilities themselves. Through research, they found several different vulnerabilities that users would have otherwise not had, if they hadn’t installed popular security software.
On average, 28.8 percent of all vulnerabilities tracked across 100k networks are actually found within the security software themselves, with QA software as the main culprits.
He researched different applications across different networks and their number of application-specific functions to find out if a smaller piece of software had a smaller attack surface than a more complex one.
He measured modern attacks that target what’s linked in during runtime - finding that there was a relatively constant attack surface, with no difference btw. large and small applications, as many applications link to the same code libraries, loading the same number of support functions. For every 1,000 lines of code, 1 to 5 bugs are introduced, according to IBM.
He then explained how business incentives can motivate or change the threat landscape, using an example of bot herders and different botnets that were developed, as well as the response of antivirus vendors.
While botnets were developed as just slight variants from the same root structure, the way that antivirus vendors released fixes is more favorable to supporting their own subscription-based models that ultimately made money off of renewals. Instead of fixing the root (which would benefit consumers the most), vendors had more of an incentive to release a patch to fix a branch or variant of a botnet that would quickly pop up again.
Increasing Attack Surface Area
Other examples of layering security solutions and uniformity have created certain unintended consequences. Defense in depth is one strategic approach to security that requires a uniform and layered network defense (like HBSS), but it unintentionally creates a larger attack surface, introducing more areas of exploitability for attackers.
He explains how we need to increase user security, more manageable and heterogeneous systems, and layered defense that doesn’t increase the attack surface area.
Watch the video to view the full presentation, including how to evaluate security solutions and contractors, and Mudge’s answer to a brief Q&A from the audience.
Check out some of our previous Duo Tech Talks below, and join our Meetup group for updates on the next one.
Duo Tech Talks: Encryption Works: A Look at Tor and SecureDrop
At our August Duo Tech Talk, Runa A. Sandvik (@runasand) from the Freedom of the Press Foundation spoke about Tor and a tool called SecureDrop that allows anyone to set up their own whistleblower drop site.
Duo Tech Talks: Dissecting the Android Bouncer
Google’s Android Bouncer was intended to shore up weaknesses of the Android Market by testing applications within a dynamic analysis environment to determine application security. In this talk, Jon Oberheide of Duo Security and his colleague Charlie Miller discussed their methods of bypassing Bouncer with a series of experiments.
Duo Tech Talk: Building a Modern Security Engineering Organization
Did you miss our latest Duo Tech Talk featuring Signal Sciences’ Founder and Chief Security Officer (CSO) Zane Lackey? In case you did, we have a video recording available! He presented Building a Modern Security Engineering Organization at the Duo Ann Arbor office last week to a full crowd.