December 2006 Archives

December 7, 2006

Maneuver Warfare and Infosec Products

The modern practice of network security is essentially an exercise in information warfare. The two competing parties, namely the network operators and the botnet managers, are continually evolving to combat the other's tactics, each driven by economic motives. The attackers are attempting to create a distributed services platform out of the defender's systems for delivering... rich media content in the form of image spam, phishing landing pages, and DDoS packets, while the defenders are trying to keep their employer's underlying infrastructure in one piece. This is a very old analogy, one exploited heavily by individuals looking to grab funding earmarked for national defense or attempting to scaremonger groups about the potential threat of an "Electronic Pearl Harbor". The use of these analogies by demagogues does not make them any less apropos; there are many interesting conclusions that can be drawn from the application of modern military theory to the information security space.

Let's consider the somewhat popular work of John Boyd and the tenets of maneuver warfare. Maneuver warfare emphasizes rapid movement, distributed decision making, and dynamism of tactical objectives rather than the costly brute strength of an attrition campaign. This method of warfare has likely been around since the dawn of interstate combat, with Hannibal's tactics at Cannae serving as a brilliant example. In a briefing entitled Patterns of Conflict, Boyd formalized these ideas into what is now referred to as the OODA Loop. This is an embarrassingly brief description, but Boyd viewed warfare as a continuous cycle of Observation, Orientation, Decision, and Action, and held that those who succeed in warfare are those who can correctly execute the loop in the shortest period of time. Another way of viewing it is that whoever can predict their opponent's next move and act/react before the other party can assess their situation will win the conflict. This can only be achieved by employing a fast operational tempo, rapidly altering tactics, obscuring your decision state from the enemy, and reducing infrastructure-based friction, such as communication cost.

The most effective infosec schemes on the market today rely upon principles that can be viewed as derivative from these lessons. The effective DDoS and Anti-Virus systems available today and under development seem to work by employing:

  • Large sensor networks to reduce observation time.
  • Automated analysis schemes with either zero in-loop human interaction or a slice of massive amounts of distributed human interaction to minimize feedback time.
  • Rapid decision deployment to clients.
  • Massive monitoring to detect and correct poor decisions.
  • A large variety of detection and response tactics.
  • Ability to quickly roll out new tactics in light of effective evasion methods.

As the tempo of financially-driven security events, i.e. spyware and its ilk, increases, any security system that is solely dependent on human-scale timelines to make decisions will be labeled ineffective. Solutions dependent upon individual decision makers will have to complement their scheme with rapid reaction schemes or face continually decreasing accuracy figures.

December 9, 2006

Will someone please tell me what Christmas is all about?

For me it is watching "A Charlie Brown Christmas", even if it is performed by the cast of Scrubs.

December 19, 2006

Everyone point and laugh... (and why I should be faster with this site)

... at Checkpoint for buying NFR. Matasano and Tom beat me to the laugh, however. This is a lousy consolation prize for Sourcefire, which they attempted to buy last year. Does anyone even run NFR anymore?

December 22, 2006

NFR's Market Penetration.

I don't have any decent figures on NFR's market penetration, but I do know that the Sourcefire/Checkpoint deal was nixed because of security concerns. While the deal was canned shortly after the whole Dubai ports debacle, it was likely not due to xenophobia. The specter of a foreign government having ownership of a network monitoring technology with wide penetration in the defense sector was clearly unacceptable. I guess the implicit message here is that not many people use NFR anymore.

December 23, 2006

If Berkeley is a rockin...

Sophy and I have been feeling earthquakes out of Berkeley for the past few days, including one this morning.

Originally uploaded by Adam J. O'Donnell.
Picture of Sophy and me, taken by our friend Jake Appelbaum.

December 25, 2006

Ada's WaveBubble

Originally uploaded by ladyada.
As a Christmas gift to the world, Lady Ada has posted the design for a microprocessor-controlled RF jammer called WaveBubble. It covers most of the important consumer bands pretty effectively, including WaveLan and GPS. She did an excellent job with the design, especially given the relative lack of equipment available in her lab.

I may have provided some assistance with the specs and layout for the RF chain, which is something I haven't spent much time looking at since I worked here.

About December 2006

This page contains all entries posted to NP-Incomplete in December 2006. They are listed from oldest to newest.


Powered by Movable Type 3.33