Parsing Cyberwar – Part 4: The Best Defense is A Good Defense

Summary: In this series, Marcus Ranum walks us through the basics of cyberconflict in its various forms: the nature of the battlefield, logistics, and dynamics. Today he looks at methods of defense. While offense gets most of the attention, most organisations play only defense. So read and learn.


  1. Introduction
  2. Defense Strategies
  3. Corporate Response
  4. Counterintelligence
  5. Conclusion
  6. Other chapters in this series
  7. For more information

(1) Introduction

In the previous part of this series, I looked at the effects that parts of the cyberwar landscape have on the whole; how cybercrime increases our awareness of computer security weaknesses and forces us to constantly improve our defenses — accidentally improving our posture against cyberwar and increasing the likelihood that cyberspies will be uncovered. The logistical problems of keeping a cyberweapon fresh and secret are severe, when you consider that you’re fielding it at the targets’ systems — where it is susceptible to dissection and analysis when it’s discovered. This dynamic has already been seen to be at play with the Stuxnet family of attack tools: security responses rapidly co-evolve with attack tools.

(2) Defense Strategies

When we consider a breakdown of our defensive options, they aren’t very interesting!


Here’s the problem: the tools we have for defense against pretty much everything in cybersecurity boil down to: firewalls, intrusion detection/prevention, antivirus, patch management, system log analysis, etc. Those are what I refer to as “typical internet security” – the tools that have evolved to serve as effective techniques against cybercriminals.

These are the small ones.

There is no “super special super-duper military-grade internet security” technology.

Why not? Mostly because there isn’t anything more that the defenders can use. We’re already snooping into application data using FPGAs and regular expression accelerators in “next generation firewalls” and we’re already profiling users’ activities, checking their authentication status, doing statistics on edge-networks for weird connectivity, trapping and analyzing kernel calls, and looking for edge-cases in system logs. The profit-motive is so strong in the internet security industry that, if someone came up with a great new defensive idea, it would migrate rapidly between the military/defense market and the civilian market. In fact, to an observer of the security industry such as myself, it looks like the flow of innovation is going from the civilian market toward the defense market, not the other way around.

Unlike traditional military technology, it’s impossible for a nation-state to monopolize computer security, so the free market reigns. I can assure you, as a “cyberweapons designer” for the last 20+ years, if I had an idea for a great new security tool, I’d make a huge amount of money selling it commercially, rather than reserving it for the exclusive defensive use of any one country’s military.  Besides, once the ideas are had, the software is fairly simple to replicate. Thus we see a great “levelling effect” in defensive cyberweapons. What we have is what we’ll work with, because it’s all we have.

Where defensive cyberweapons get interesting is where they are knowledge-based: a next-generation firewall doesn’t just block packets based on source/destination address, it can be programmed to analyze data passing through it and specifically block portions of desired transactions.  This makes them extremely nimble when it comes to reacting to an attack. For example, I know one site that was having a problem with a specific botnet variant. They put several next-generation firewalls in and programmed them with a custom signature to specifically match (and black hole) the botnet’s command-and-control traffic.  Poof! With knowledge-based products you’ve got the ability to reconfigure them quickly with new knowledge on short notice. This is where the dynamics of attack/defense might change: I suppose we could imagine an intelligence community having its own knowledge/expertise resource center. They could use off-the-shelf commercial tools and apply not-so-off-the-shelf expertise on top of them.
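The botnet story above is the whole point of a knowledge-based defense: the device is generic, the knowledge is what the operator pushes into it. The following is an added illustration, not code from the original post or from any firewall vendor, of that reconfigure-on-short-notice dynamic: a minimal signature engine that inspects application data, an operator-supplied rule for a command-and-control pattern, and the black-hole decision. Every address, URI, header name and flow record is constructed for the example; the `X-Bot-Id` header and `/gate/` path are invented stand-ins for whatever a real variant’s traffic looks like.

```python
"""Added example: a tiny knowledge-based traffic filter.

A next-generation firewall's value, in the text's terms, is that it can be
reprogrammed with new knowledge quickly.  This toy models that: flows pass
until an operator adds a signature, after which matching flows are
black-holed.  All data below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Flow:
    """One connection as the filter sees it (constructed records)."""
    src: str
    dst: str
    dport: int
    payload: str   # leading bytes of the application data, if visible


@dataclass
class Signature:
    """Operator-supplied knowledge: a payload pattern, optionally port-bound."""
    name: str
    pattern: "re.Pattern"
    dports: Set[int] = field(default_factory=set)   # empty set = any port

    def matches(self, flow: Flow) -> bool:
        if self.dports and flow.dport not in self.dports:
            return False
        return self.pattern.search(flow.payload) is not None


class KnowledgeBasedFilter:
    """Generic engine; everything interesting lives in the signature list."""

    def __init__(self) -> None:
        self.signatures: List[Signature] = []
        self.sunk: List[Tuple[Flow, str]] = []   # black-holed flows, for analysts

    def add_signature(self, sig: Signature) -> None:
        # The "reconfigure on short notice" step: no rebuild, no downtime.
        self.signatures.append(sig)

    def decide(self, flow: Flow) -> Tuple[str, Optional[str]]:
        for sig in self.signatures:
            if sig.matches(flow):
                self.sunk.append((flow, sig.name))
                return ("blackhole", sig.name)
        return ("pass", None)

    def run(self, flows: List[Flow]) -> List[Tuple[Flow, str, Optional[str]]]:
        return [(f, *self.decide(f)) for f in flows]


# Constructed sample traffic: two ordinary flows and two beacons from one host.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80,
         "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"),
    Flow("10.0.0.7", "198.51.100.23", 8080,
         "POST /gate/checkin.php HTTP/1.1\r\nHost: 198.51.100.23\r\nX-Bot-Id: 7f3a\r\n"),
    Flow("10.0.0.9", "198.51.100.40", 443,
         "\x16\x03\x01 (TLS client hello, opaque to the filter)"),
    Flow("10.0.0.7", "198.51.100.23", 8080,
         "POST /gate/task.php HTTP/1.1\r\nHost: 198.51.100.23\r\nX-Bot-Id: 7f3a\r\n"),
]

# The custom signature an operator would write after dissecting the variant's
# C2 protocol (constructed): a POST to /gate/<anything>.php carrying the
# X-Bot-Id header, only on the port the variant was seen using.
C2_SIGNATURE = Signature(
    name="constructed-botnet-c2",
    pattern=re.compile(r"^POST /gate/\w+\.php .*X-Bot-Id:", re.DOTALL),
    dports={8080},
)


def actions(flt: KnowledgeBasedFilter, flows: List[Flow]) -> List[str]:
    """Return just the verdict for each flow, in order."""
    return [action for _, action, _ in flt.run(flows)]


if __name__ == "__main__":
    flt = KnowledgeBasedFilter()
    print("before:", actions(flt, SAMPLE_FLOWS))
    flt.add_signature(C2_SIGNATURE)
    print("after: ", actions(flt, SAMPLE_FLOWS))
    for flow, sig in flt.sunk:
        print(f"sunk {flow.src} -> {flow.dst}:{flow.dport} by {sig}")
```

The design choice worth noticing is the split between the engine and the signature list: the engine is the commodity product the text says everyone already has, and the signature is the knowledge that decides whether the product is useful against this week’s variant. A rule that is too narrow (a fixed URI instead of `/gate/\w+\.php`) misses the second beacon; a rule that is too broad black-holes legitimate traffic, which is why the port restriction and the header check are both in the pattern.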

On the chart, “counterintelligence” implies that the target is going to amplify its defenses by analyzing the actions of potential attackers, and preparing to specifically thwart them. This could be done the expensive way, by embedding intelligence assets in an enemy’s cyberattack process, or the inexpensive way, by analyzing their objectives and hardening the points of attack. If you have an idea of your opponent’s cyberweapons stack, you can develop counter-attacks designed specifically to moot entire stacks of those weapons.

The point remains that, other than adding specific knowledge or intelligence, the elements on the cyberwar battlefield are using basically the same gear and the likelihood of a game-changing upgrade for one side or the other is effectively zero. That argues that cyberwar, at best, will be an intelligence war (a war of knowledge-bases) and that any advantage held by one side or the other is going to be very very fleeting indeed. This is why I say that “On the internet, the best defense is a strong defense.”

(3) Corporate Response

The White House, FBI, and intelligence community are fond of telling corporations that they must improve their cybersecurity. The cynic wonders if it’s simply a call to “buy more stuff!” because there isn’t any great new stuff that corporations can meaningfully do. Corporations already have available to them the entire panoply of internet security technologies — exactly the same as everyone else.

Sure, there are businesses that don’t take security seriously enough (and they tend to have “teaching moments” fairly frequently) but what corporations should really be pointing out to the government is that aside from defensive precautions that should be taken, there’s nothing more that’s practical to do.

It is not practical for Citibank to try to spy on The Mossad’s cyberwar tools developers, to gather advanced intelligence about what they are up to. It is not a good investment in shareholders’ money for Google to spy on Chinese Government spies to try to figure out where the next attack is coming from – they’re busy trying to keep the ordinary cybercriminals out. It’s the government’s job to do the counter-intelligence; that’s what corporations would pay their taxes for, assuming they actually paid taxes.

Because of this dynamic, the security world has proceeded to evolve in the only manner that is rational: doing basic internet security while sitting back and waiting for the government to do its job on the politico-military front. That the government keeps trying to throw its problem back into the laps of the corporations should be making people worry. Ultimately, other than spending more money on analysts, companies already have all the firewalls and internet security that they need in order to fight the cybercriminals. Corporate security managers’ response to the threat of state-sponsored cyberspies ought to be “isn’t that your job?”

(4) Counterintelligence

Because of the cost of developing cyberweapons, and how easily they can be mooted once the defender has a profile of how they operate, one obvious response to a hostile power gearing up for cyberwar is to defeat their weapons. Being a double-agent cyberweapons developer would be extremely lucrative; in a sense that’s what the guys who sell Zeus are doing right now.

If you’re a person who makes backdoors in software for a living, could you resist the temptation to backdoor your backdoor? Selling the keys could prove dangerous but profitable. The US’ cyberwar efforts appear to be relying (as usual) on outside contractors. How can you tell if your backdoor is backdoored if you didn’t write it, or don’t have the skills to write it yourself?

One place where government counter-intelligence could get positively involved in cyberwar would be to start disclosing as much information as possible about the cyberspace activities of hostile powers. Because, unlike with military weaponry, disclosing hostiles’ methods would result in making them ineffective without any cost to the defender. Unfortunately, in the US, the FBI has relied on asserting claims of Chinese cyberattacks, rather than “outing” their methods and tools – which would have the effect of quickly rendering them obsolete as the commercial computer security industry took over and added them to its knowledge-base. The US DoD and intelligence community’s approach, so far, has been exactly backwards – by telling everything you know, you force your enemy to keep innovating.

(5) Conclusion

The big scenarios of cyberwar — “putting a country back to the pre-industrial era” — are overblown and ridiculous; generally they appeal to those who don’t really understand data networking or system administration. There are plenty of examples of successful attacks against individual point targets, but the big scenario does not follow logically as a consequence of a lot of small ones – what we’re more likely to see over the coming years are attacks against less important targets of opportunity. Since it has been revealed to the community and dissected at length, Stuxnet has done more to justify improvements in security systems than anything else; in that sense it was self-defeating. It is a stone thrown by people who live in a glass house, that will  serve to encourage more stone-throwing.

Because of the close relationship between cyberwar and cyberespionage, governments that wish to have effective defenses will do well to merge those capabilities under the same roof and avoid inter-service toe-stepping. I’d go so far as to say that there really isn’t enough of a difference between the capability sets required for cyberwar and cyberespionage – they are technically the same problem, and it seems to me that the intelligence-gathering aspect of cyberwar may be so much more valuable than the offensive aspect that it might not even be worth engaging in offensive operations except in very narrow situations.

The logistical problems of cyberwar need to be granted more weight than they have been, to date. One thing defenders must do is to turn the logistical problems to their advantage by exacerbating them – publishing and “outing” opponents’ capabilities; leveraging the existing commercial security products infrastructure to place would-be attackers on an endless treadmill of researching new techniques while simultaneously making them look bad.

Cyberwar is the “shiny new thing” for militarists, but it’s a gift that can’t keep on giving. The more it’s used, the more easily it can be defeated.

At this point, we can be sure that anyone who builds a gas centrifuge cascade is going to be a little bit more careful about their software than usual; perhaps they won’t rely on the lowest bidder to configure it. And that, in a nutshell, is the whole problem. Cyberwar forces organizations to re-examine their trust-boundaries: who do they get to do what, and how can they tell whether their service providers and supply chains are tamper-proof? For a government like the US’, that seems eager to outsource practically everything, that appears to be the opening of a gigantic and very nasty can of worms.

(6) Other chapters in the Parsing Cyberwar series

  1. The Battlefield
  2. The Logistical Train
  3. Synergies and Interference
  4. Patch #1 – Lessons from the Gauss malware
  5. The Best Defense is a Good Defense

(7) For More Information

(a) On the FM website see the FM Reference Page about Cyber-espionage and Cyber-war!, with links to Marcus Ranum’s other posts and a wide range of other resources.

(b) Other articles about cyber:

  1. Get Internet Access When Your Government Shuts it Down, PC World, 28 January 2011 — “Does your government have an Internet kill-switch? Read our guide to Guerrilla Networking and be prepared for when the lines get cut.”
  2. Obama: Companies Must Step Up Cybersecurity Efforts, Russia Times, August 2012
  3. Pentagon Announces New Strategy: Rapidly Develop Cyberweapons to Attack Specific Targets, Popular Science, April 2012
  4. The Pentagon is Developing Cyberweapons that Launch Without Human Intervention, New American, June 2012
  5. Wikipedia entry on Basil Zaharoff
  6. With Plan X, Pentagon Seeks to spread US Military Might to Cyberspace, Washington Post, 30 May 2012 — turning to game companies and private developers.

13 thoughts on “Parsing Cyberwar – Part 4: The Best Defense is A Good Defense”

    1. That’s a really interesting story! We see several things:

      • Government tipped its hand by using government-oriented commercial malware
      • The malware that was used has now been identified and the targets have been conclusively shown that they are, indeed, targets. I expect they might get a bit more careful about how they use their computers. (Hint, guys: get a tosser laptop or an iPad to open attachments on and fill it with lots of random stuff culled from right-wing websites, fake emails between yourself and Dick Cheney, and thousands of copies of the FBI logo renamed with kidporn filenames. Then watch the traffic in and out of that laptop carefully.)
      • Anyone else who may be a target, who has half a brain, will realize that this is a real threat
      • The attack on the journalists was depressingly amateurish, for a spear-phish attack. Whatever government agency was behind it is Keystone Kops, not well-trained scions of Big Brother


  1. Marcus: “Expect the government to deal with it”

    Oh, yes, I expect that government will deal with it. In all four targets! Licensing internet access for all is the first measure in the line.


    1. I didn’t say that anyone in their right mind would actually expect the government to successfully deal with it!

      Licensing internet access for all? The only proposal I’ve heard along that line applies only to the plan to license internet access for the tinfoil hat brigade.


  2. “Darpa Looks to Make Cyberwar Routine With Secret ‘Plan X’”, Noah Shachtman, Wired, 21 August 2012:

    The Pentagon’s top research arm is unveiling a new, classified cyberwarfare project. But it’s not about building the next Stuxnet, Darpa swears. Instead, the just-introduced “Plan X” is designed to make online strikes a more routine part of U.S. military operations. That will make the son of Stuxnet easier to pull off — to, as Darpa puts it, “dominate the cyber battlespace.”

    Darpa spent years backing research that could shore up the nation’s cyberdefenses. “Plan X” is part of a growing and fairly recent push into offensive online operations by the Pentagon agency largely responsible for the internet’s creation. In recent months, everyone from the director of Darpa on down has pushed the need to improve — and normalize — America’s ability to unleash cyberattacks against its foes.

    That means building tools to help warplanners assemble and launch online strikes in a hurry. It means, under Plan X, figuring out ways to assess the damage caused by a new piece of friendly military malware before it’s unleashed. And it means putting together a sort of digital battlefield map that allows the generals to watch the fighting unfold, as former Darpa acting director Ken Gabriel told the Washington Post: “a rapid, high-order look of what the Internet looks like — of what the cyberspace looks like at any one point in time.”

    It’s not quite the same as building the weapons themselves, as Darpa notes in its introduction to the five-year, $100 million effort, issued on Monday: “The Plan X program is explicitly not funding research and development efforts in vulnerability analysis or cyberweapon generation.” (Emphasis in the original.)

    But it is certainly a complementary campaign. A classified kick-off meeting for interested researchers is scheduled for Sept. 20.

    The American defense and intelligence establishment has been reluctant at times to authorize network attacks, for fear that their effects could spread far beyond the target computers. On the eve of the Iraq invasion of 2003, for instance, the Bush administration made plans for a massive online strike on Baghdad’s financial system before discarding the idea out of collateral damage concerns.

    It’s not the only factor holding back such operations. U.S. military chiefs like National Security Agency director Gen. Keith Alexander have publicly expressed concern that America may not be able to properly respond to a national-level attack unless they’re given pre-defined battle plans and “standing rules of engagement” that would allow them to launch a counterstrike “at net speed.” Waiting more than a few moments might hurt the American ability to respond at all, these officers say.

    “Plan X” aims to solve both problems simultaneously, by automatically constructing mission plans that are as easy to execute as “the auto-pilot function in modern aircraft,” but contain “formal methods to provably quantify the potential battle damage from each synthesized mission plan.” Then, once the plan is launched, Darpa would like to have machines running on operating systems that can withstand the rigors of a full-blown online conflict: “hardened ‘battle units’ that can perform cyberwarfare functions such as battle damage monitoring, communication relay, weapon deployment, and adaptive defense.”

    The ability to operate in dangerous areas, pull potential missions off-the-shelf, and assess the impact of attacks — these are all commonplace for air, sea, and land forces today. The goal of Plan X is to give network-warfare troops the same tools. “To get it to the point where it’s a part of routine military operations,” explains Jim Lewis, a long-time analyst of online operations at the Center for Strategic and International Studies.

    Of course, many critics of U.S. policy believe the deployment of cyberweapons is already too routine. America’s online espionage campaign against Iran has been deeply controversial, both at home and abroad. The Russian government and its allies believe that cyberweapons ought to be banned by international treaty. Here in the U.S., there’s a fear that, by unleashing Stuxnet and other military-grade malware, the Obama administration legitimized such attacks as a tool of statecraft — and invited other nations to strike our fragile infrastructure.

    The Darpa effort is being led, fittingly, by a former hacker and defense contractor. Daniel Roelker helped start the intrusion detection company Sourcefire and the DC Black Ops unit of Raytheon SI Government Solutions. In a November 2011 presentation (.pdf), Roelker decried the current, “hacker vs. hacker” approach to online combat. It doesn’t scale well — there are only so many technically skilled people — and it’s limited in how fast it can be executed. “We don’t win wars by out-hiring an adversary, we win through technology,” he added.

    Instead, Roelker continued, the U.S. needs a suite of tools to analyze the network, automate the execution of cyberattacks, and be sure of the results. At the time, he called these the “Pillars of Foundational Cyberwarfare.” Now, it’s simply known as Plan X.


  3. Remarks by Secretary Panetta Aboard the USS John C. Stennis, Bremerton, Wash.

    We’ve got cyber threats. We live in a world now where we are receiving literally hundreds of thousands of cyber attacks every day. That’s the battlefield of the future. A cyber attack — we now live in a time when a cyber attack could virtually cripple this country, take down our grid system or power grid, take down our financial systems, take down our government system. And that’s another real threat that we confront as we face the future.


  4. Good to recognize how corporations have, as you put it, “nothing more that’s practical to do,” because this is precisely the root of the problem. This has been the status quo for too long, as long-term strategies are now being created based on the assumption this will continue to be the case. I argue that security products are around the corner which would dramatically change the necessary approaches. Imagine if drive-by hacking were a thing of the past, and all security professionals needed to be concerned about were directed attacks on your physical infrastructure or social engineering. Man, that’d be cool. Might even make the infosec job a lot more fun.


  5. NYRB reviews new books about cybercrime & cyberwar – new frontiers of the 21st century, so far unexplored.

    “Are Hackers Heroes?”, Sue Halpern, New York Review of Books, 27 September 2012

    • DarkMarket: Cyberthieves, Cybercops and You by Misha Glenny
    • Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker by Kevin Mitnick with William L. Simon
    • We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency by Parmy Olson
    • Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power by David E. Sanger


  6. Dropping a country off the internet – not as easy as it sounds: “Updated: Paint it black—How Syria methodically erased itself from ‘Net”, Ars Technica, 1 December 2012 — “Now over (for the moment) Syria’s blackout was carefully planned, with no leaks”.

    It’s interesting to see that the Syrian Government had to do a test, first, to see if their blocks worked. An attacker preparing to drop a country off the internet wouldn’t have that luxury – they’d have to get it right the first time. (And, as the Ars Technica article indicates, they’d need to coordinate it with taking down land lines that could be used for dialup access)
