Constructing the Maginot Line

Jack Rhysider over at Darknet Diaries recently did an absolutely fascinating piece with CIA operations officer Jim Lawler, where they discussed some of the shenanigans and antics the CIA has gotten up to over the years in order to get intelligence [1]. But there was a moment in the piece that really stuck out to me.

Jim talked about an operation to work a source who was employed as an office secretary at a foreign intelligence agency. Jack of course asked him about the cyber side of it, exfiltrating data, and Jim referred to the whole affair as a bit of a Maginot Line. His point was: why would they need data exfiltration or any sort of technology when they can get exactly what they need straight from the source?

Why worry about doing the math on the accounting if you can just use a confidential source to ask the CFO for whatever it is you're actually looking for? It got me thinking about all the technology we use on a daily basis to thwart cyberattacks. We as an industry weren't really a "thing", so to speak, until about the invention of cryptocurrency.

Yes, there were cybersecurity concerns, certainly, but due to a myriad of factors, even if you had the skill set to pull off some form of cyberattack, it was still entirely possible to figure out not only who did it but to capture them as well.

A combination of the growing importance of computing resources, the internet, and a method of transferring funds that is by and large untraceable has led us to a time when cybersecurity is at the forefront of literally every organization out there. So much so that I've yet to talk with an enterprise that doesn't have cybersecurity as one of the big ten in its risk ledger.

But realistically, what are we REALLY fighting here? To put it bluntly, the true risk to the enterprise from a cybersecurity standpoint is ransomware. You might want to argue that there's the possibility of data exfiltration, but as I said, why invest in that incredibly costly and difficult operation when we know from our own red team engagements that social engineering works just as well and requires virtually none of the same effort or resources?

And the only reason ransomware is any real threat is that the payment method is hard to track. I assure you that if we knew where the money was going, ransomware would not be the problem it is today. Groups would be far less likely to invest resources in developing and deploying ransomware if it weren't for the fact that Bitcoin and other cryptocurrencies make it nigh impossible to figure out the actual source of the attack.

There's discussion of the use of cyber warfare, yet Ukraine makes a pretty convincing argument that this is not actually the case. Again, why would anyone invest god knows how much money into developing a complicated program to take out a power grid when an explosive shell is far more effective? The BlackEnergy attacks Russia conducted against Ukraine weren't done so they could move tank battalions; they were done simply to rattle and scare.

I think (my personal opinion only) this is because Russia and all the major powers know that if they actually wanted to get into a slugfest, they wouldn't want to hinge their plans on costly and potentially ineffective attack methods that could be foiled at any point along the path, revealing their intended first strike and preventing it in the same stroke.

Loading a jet with a bunker buster, pointing it in a direction and saying "Go" is a far more assured method of achieving victory. So why have we constructed this massive network of tools and governance checks that effectively just make us jump through hoops? I'll give you an example of something I discussed with some colleagues in the field earlier.

In a situation where you have an administrative account, how do you make sure that administrative account isn't used for bad things? What methods do you take to secure that account? The answers seem simple enough:

  • Require two-factor authentication.
  • Prevent the account from performing actions outside of the administrative ones (i.e. stop that account from browsing random websites, etc.).
  • Require complex passwords that will be difficult to crack (14+ characters, etc.).
  • Require audit logs that record when the account is used.
All of these are the basics anyone in the field is taught, and I don't want to downplay them entirely. 2FA and long passwords do make it harder for a red team or an attacker to get hold of credentials; there really are no two ways around that. Unfortunately, they also fight the basic tenets of human psychology.

What do I mean by that? Well... if I have a long, complex, and constantly rotating password, there are two ways it's getting used:
  1. I log in every day, memorize what it is, and type it in whenever I need to.
  2. I have a third-party tool that remembers the password for me, and so long as my normal account is logged in, it can log in too.
Both of these present problems. The first is obvious: the user now has to know their regular password but also keep track of a constantly changing password that is complex by its very nature. One way or another some of them are going to write it down somewhere, and now you have lost the entire game. All the security controls in the world are no match for a sticky note.

In the case of the second, so long as I can breach the first layer (the normal account), I implicitly have access to the second. In which case, why separate the account functionality at all?

The problem at its core is that there is a technological solution to all of this; it just sucks. It's a tool that tracks user behavior, looks for abnormalities, and acts when those abnormalities are detected. At the end of the day, that's what we're REALLY looking for. If it's an insider threat, a red teamer, or an APT using an account, sure, we can catch them at the privilege escalation stage of the attack, but what we're actually trying to prevent isn't the privilege escalation, it's the actions that follow.
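To make that concrete, here is an added example (illustration code written for this post, not any vendor's product logic) of what such a behavior-tracking tool does at its simplest. It consumes the kind of audit log the admin-account checklist above asks for, builds a baseline of which hosts, hours and actions one admin account normally uses, and then flags the actions that follow a compromise rather than the login itself: a new source host, an off-hours login, never-before-seen actions, and a burst of file reads that looks like collection. The log format, the account and host names, the sample lines and the thresholds are all constructed assumptions.

```python
"""Added example: a minimal behavioral baseline for an administrative account.

Not from the original post. The log format (timestamp, account, source host,
action) and every sample line below are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "known good" week for one admin account: two jump hosts,
# business hours, three routine actions.
BASELINE_LOG = """\
2024-03-04T09:02:11 admin-jsmith jump01 login
2024-03-04T09:05:40 admin-jsmith jump01 read_config
2024-03-04T09:30:02 admin-jsmith jump01 restart_service
2024-03-05T08:55:19 admin-jsmith jump02 login
2024-03-05T09:10:44 admin-jsmith jump02 read_config
2024-03-06T10:15:03 admin-jsmith jump01 login
2024-03-06T10:20:37 admin-jsmith jump01 restart_service
2024-03-07T09:45:12 admin-jsmith jump01 login
2024-03-07T09:50:00 admin-jsmith jump01 read_config
"""

# Constructed follow-on activity: one normal day, then a 02:00 login from a
# workstation, a burst of file reads (collection) and a new account (impact).
NEW_LOG = """\
2024-03-11T09:05:02 admin-jsmith jump01 login
2024-03-11T09:07:30 admin-jsmith jump01 read_config
2024-03-12T02:13:45 admin-jsmith ws-0419 login
""" + "".join(
    f"2024-03-12T02:14:{s:02d} admin-jsmith ws-0419 read_file\n" for s in range(2, 60)
) + "2024-03-12T02:18:50 admin-jsmith ws-0419 create_user\n"


def parse(log):
    """Return events as (datetime, account, host, action), oldest first."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, account, host, action = line.split()
        events.append((datetime.fromisoformat(ts), account, host, action))
    return sorted(events)


def build_baseline(events):
    """Per-account profile of the hosts, actions and hours seen in the baseline."""
    profile = defaultdict(lambda: {"hosts": set(), "actions": set(), "hours": set()})
    for ts, account, host, action in events:
        p = profile[account]
        p["hosts"].add(host)
        p["actions"].add(action)
        p["hours"].add(ts.hour)
    return profile


def detect(events, profile, burst_window=timedelta(minutes=5), burst_threshold=20):
    """Flag deviations from the baseline. Each (account, reason) fires once."""
    findings, seen = [], set()
    recent = defaultdict(list)  # (account, action) -> timestamps inside the window

    def flag(ts, account, reason):
        if (account, reason) not in seen:
            seen.add((account, reason))
            findings.append((ts.isoformat(), account, reason))

    for ts, account, host, action in events:
        p = profile.get(account)  # .get() does not create a default entry
        if p is None:
            flag(ts, account, "account has no baseline")
            continue
        if host not in p["hosts"]:
            flag(ts, account, f"new source host {host}")
        if action == "login" and ts.hour not in p["hours"]:
            flag(ts, account, f"login at unusual hour {ts.hour:02d}")
        if action not in p["actions"]:
            flag(ts, account, f"never-before-seen action {action}")
        # Sliding window per (account, action) to catch mass collection.
        window = [t for t in recent[(account, action)] if ts - t <= burst_window]
        window.append(ts)
        recent[(account, action)] = window
        if len(window) >= burst_threshold:
            flag(ts, account, f"burst of {action}: {burst_threshold}+ in {burst_window}")
    return findings


def run_example():
    """Baseline on the good week, then score the follow-on activity."""
    profile = build_baseline(parse(BASELINE_LOG))
    return detect(parse(NEW_LOG), profile)


if __name__ == "__main__":
    for ts, account, reason in run_example():
        print(ts, account, reason)
```

Run stand-alone it prints five findings: the new host and the 02:00 login on the same line, the first `read_file`, the burst once twenty reads land inside the five-minute window, and the `create_user`. The two normal-hours lines on 2024-03-11 produce nothing, and replaying the baseline week against itself produces nothing either, which is the property that makes a tool like this tolerable in practice: it has to be quiet on the routine work the 2FA and password rules already cover.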

The only steps of the MITRE ATT&CK framework that actually matter are the last four. Everything prior to that is just setup. If they did something from every column prior but failed to accomplish the last four, then what have they actually done other than give your blue team a write-up about what a good job they did?

The thing is, a lot of folks in the industry don't like to admit that a lot of what we do is theater, trying to flush people out in those early columns because we can't actually stop them once they get to the last four. Or even if we can stop some of the Collection, Command and Control, Exfiltration and Impact, we aren't confident we can stop them all.

There are a ton of technologies in place to find attackers while they're setting up: IDSs warning of scanning activity, phishing training programs trying to stop users from getting their accounts or machines compromised. But at the end of the day, all of that amounts to a hill of beans if someone comes in and just burns the whole place to the ground.

No amount of firewalls is gonna protect the business from an employee who's lured into coughing up all of the details while out drinking at a bar. The human factor is so often downplayed in cybersecurity because the solutions all have to be computer driven: this notion that the only way to protect the data is with other technologies that are, in their own way, also just data.

So long as anonymity is possible through technology, be it cryptocurrencies or VPNs or whatever other assortment of tools is out there, the crimes will remain. Remove those two factors and I wouldn't be shocked to watch most of the cybersecurity industry evaporate in only a few years. People tend to be far less inclined to commit crime if there's actually a fair chance they'd get caught.

Again, I don't want to say these methods aren't important, but I do think we spend a bit too much time overthinking our security webs. We focus on cleaning out the spider webs, but we don't actually have a shoe or a broom to kill the spider.
