Dailydave mailing list archives
Maps, more maps. Graphs. More Graphs.
From: Dave Aitel <dave () immunityinc com>
Date: Mon, 01 Jul 2013 11:24:51 -0400
Halvar once said something like "People are pretty rubbish at thinking in graphs, much better at thinking about which fruit looks tastier." I'm heavily paraphrasing just to troll him, of course. But the concept of visualizations in our field being incredibly hard is interesting in terms of the PRISM-fallout or the #snowdenpocalypse or whatever you want to call it. Vanessa and I are spending part of the day staring at various people's marketing slicks as we prepare ours for BlackHat.

People like to represent the Internet with world maps. Immunity is no exception. We have at least two products that have maps in them. But the PRISM slides point out the obvious fact that the topology of cyberspace is only a weak correlation with world maps. The super-important data is not "where are the endpoints" but "where are all the boxes in between me and that target, and what are the network conditions that they go through". And of course, there are multiple potential routes for any packet and they change over time. All of this data is poorly represented by world maps.

VPNs and internal networks complicate these issues. Any two machines on the Megacorp WAN are close together no matter where they are in the world, but they may also be close to various other machines in airport lounges and hotels, varying only in the time dimension. Mark's work during various wireless assessments shows how easy it is to hit machines which are single homed on your corporate network one minute, and then single homed at Starbucks the next.

I like to ask attack platform visualization systems the following question: Given a vulnerability in some random thing (Linux Portbind, let's say), can we rank all the interesting boxes that this will let me get near? (This is the mirror image of "what is our business risk from a new vulnerability that just came out?"). Or alternatively: Given a set of vulnerabilities, how close can I get to www.megacorp.com?
If you've tried to do this on any reasonably large data set, you probably have an instinctive fear of the problem because of that one time you tried to stamp it out with a Markov model but it turns out not to be about connectivity and networks so much as information flows. This is probably mildly bad news in the long term for Endgame Systems or any company heavily invested in the "world map as a cyber map" model, but points out the huge scope of the problem DARPA's PlanX is likely to be working on.

-dave
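The defender's side of the question above (which critical boxes does a new vulnerability put a foothold next to, when links come and go as a laptop roams between networks), sketched as an added example that is not from the post or from any Immunity product: the hosts, services, links and time slots are constructed, and the search is a small 0-1 BFS over (node, time slot) states.

```python
from collections import deque

# Constructed toy inventory, not a real network. Nodes in NETS are network
# segments (traversed freely); every other node is a host with its services.
NETS = {"internet", "cafe-wifi"}
SERVICES = {
    "mark-laptop": {"portbind"},
    "corp-jump": {"sshd"},
    "www.megacorp.com": {"httpd"},
    "hr-db": {"dbd"},
}
CRITICAL = {"www.megacorp.com", "hr-db"}

# Time-varying adjacency: link -> set of time slots in which it exists. The
# laptop is single-homed at the cafe in slot 0 and on the corporate LAN in slot 1.
SLOTS = 2
LINKS = {
    ("internet", "cafe-wifi"): {0, 1},
    ("internet", "www.megacorp.com"): {0, 1},
    ("cafe-wifi", "mark-laptop"): {0},
    ("mark-laptop", "corp-jump"): {1},
    ("corp-jump", "hr-db"): {0, 1},
}

def neighbours(node, t):
    for (a, b), when in LINKS.items():
        if t in when and node in (a, b):
            yield b if node == a else a

def exposure(vulns, start="internet"):
    """Critical assets that become network-adjacent to a foothold when only the
    services in `vulns` are exploitable, mapped to the fewest host compromises
    needed. Waiting on a node advances the slot at no cost, so a roaming laptop
    carries the foothold onto whichever network it joins next."""
    dist, best = {(start, 0): 0}, {}
    dq = deque([(start, 0)])
    while dq:
        node, t = dq.popleft()
        d = dist[(node, t)]
        nxt = [((node, t + 1), 0)] if t + 1 < SLOTS else []  # wait a slot
        for n in neighbours(node, t):
            if n in CRITICAL:
                best[n] = min(d, best.get(n, d))  # "near": adjacent at this slot
            if n in NETS:
                nxt.append(((n, t), 0))
            elif SERVICES[n] & vulns:
                nxt.append(((n, t), 1))  # compromising a host costs one hop
        for state, w in nxt:  # 0-1 BFS: zero-cost moves go to the front
            if d + w < dist.get(state, float("inf")):
                dist[state] = d + w
                (dq.appendleft if w == 0 else dq.append)(state)
    return best

def rank_assets(vulns):
    """Critical assets ranked by how close the foothold gets, nearest first."""
    return sorted(exposure(vulns).items(), key=lambda kv: (kv[1], kv[0]))
```

With only the portbind bug, hr-db stays out of reach; add an sshd bug on the jump host and the roaming laptop brings hr-db within two compromises, a fact a static world map cannot show.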
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave