The Board Room guide to hacking EFTA01735540

"GET YOUR FACTS FIRST, T DISTORT THEM AS YOU PI: MARK TWAIN Lifehack Quotes .0 EFTA01735541

Are you compromised? Yes EFTA_R1_00019494 EFTA01735542

Why is everyone compromised? 1 Your network is a replicable monoculture 2. Compromising is a one-way street: You can't "un- compromise" something 3. The internet and your network are a graph of trust: compromising is viral and exponential 4. Your defense is reactive and slow, it must be proactive and fast EFTA_R1_001,19495 EFTA01735543

•• • f•• a • • •• • • • I 4.- *a' • 4 * • 4 • •••- „ • ' • t t • fa. OP• • •• • • -. • •• fam-res .... Ana - ; •••.. ; - • • - • - -• . • r .‘44 IF.. • ti aa. • 1. - • • • • ea a a • • 'a 41110 • eifffir • •••• " • • • • • 4. a a . ea a s a e _ - . a all • a .aa • • a . . a . • a .... a - • 111-•• 40. • -Mr .0, a. OK IN -t .41•• • •••• • • THAT'S YOUR • MPET I • caw'. - • • • V 49. 4 • • ••-a e'L • a aSeaSOO • 0 ..... _lb a i ii. • ;. ... ....---- - • p. L- sea mite"r" • • • • • 41 **- • 463•1* • .1 f . r. • • • - • . aft ' • • • • • • . alma • r • ap "re I iv • ,f • • • „ • •••• • a I # I • • • I • • . • I • it • •-• ego I . ok • • • e w • - • - • 4. * # • • 4 .^ dr- • a • • 41. • _en= • ..t•• gp • I •.• . • • • • sob - S • 44 - • ••••'"I" • 4 • • a. I • • a . • • t . • • EFTA R1 00019496 EFTA01735544

Monoculture • The attacker can download the same software you have and attack it until he finds a way in. • An attacker can replicate an almost-exact copy of your machine and go at it until he finds an "in" • Once the attacker is on a machine he can experiment and explore the trusted neighbors until he finds an "in" EFTA_R1_00019497 EFTA01735545

EFTA R1 00019498 EFTA01735546

"Un-compromise"-able • A maxim: there's always a deep enough level in a machine that is not defended/defendable • It used to be the kernel, now it's the bios, the firmware, the hardware, the secret co-processor, you name it • You can't "un-compromise" because it's impossible to know what's compromised EFTA_R1_00019499 EFTA01735547

EFTA R1 00019500 EFTA01735548

Graphs of trust • A lot of security today happens at the "perimeter", once you're in it's game over. This is called "lateral movement" • Implicit trust: we trust somebody else servers to download executables, we trust certificate authorities keys, we trust our partner servers • This means that your threat model is in large part outside of your control EFTA_R1_00019501 EFTA01735549

• • . .:•••.• • •1 • en) . • • ile4; err.. • • • •Ir;•••;,.:' •re • • •••••• r i " ' • • • -••••••,....) ar t S . - p• P:(201,14. :• Q • ; r • / 11, iee l e 0; .41• 10 • 111•1, • I .6 C b - • 00 • II vi k 4 • , • • •• • I ; ' • ••• *I ••. I . •• io cr'IJC: 1. •:• • *- • -.*-- . A I-1 -1 • ,- J • -Pile, • •..(cas•- • • - • '.. I • • •.; -• • • '114 .0° • Le 11/4 • • • A* . ei gOi • ( re ar/ t di ctith it •• ••• :2. • ‘Vt isto,c. r • • ! ••••'•-• • hit/ • ; . : r.•• •••• ;•7411:.••••.; • • . • / • tY „„ • . • „, . ,,,, • • r , P"..:':•. , -. . ,.. ^ . ...A•T 1,ii. • i •••• -4. of • • •.- /1... ea. • i• fr.% .... • p • . . i I • , ••• r 1 '14 .1 I ' • .. . ., • .•.•; "roe," •II• • - • ' .• • I I . ./• 1 it d. " i f I . Ph I . ••:', t •••: 7 , •••• .'..‘ Via vie.i II/1"..A. I .. 1.... •• -1 • " • • . ' ' i s i • r e•••••%•-. I i• .1 f • • ' : •• PT •,•• •.siC VS l 'i Ct 1 • *). •• e " * " l• i f 1')/ ..• • . I Al %. •• i • A . y • • • • •• : ] I. il.te.•: . •5‘,..9 1.11t i ( 1 . • •, • • ‘ agt•ai •::$•4 1 1)4 4 • /..•• . • ; * . 1 1; . 4 I.'s'''. I • .•• r • • . • . ..• • • • ,.-ke'r 1 • • EFTA01735550

Reactive and slow • Most security tools today work by identifying an attack somewhere else and then try to protect everyone else • This is reactive in nature and ineffective: most attacks stay latent for a very long time • Even with almost-real time detection, the attacker needs to beat you at the race just once EFTA_R1_00019503 EFTA01735551

EFTA_R1_00019504 EFTA01735552

The recursive guide to compromise anything 1. Compromise a machine (exploit, social engineering, backdoor, physical access) 2. The maxim: there's always a deep enough level in a machine that is not defended/defendable. Go there and stay put 3. For every node in the graph that trusts your machine, go to 1 and be fast EFTA _R1_0019505 EFTA01735553

Digital immune system EFTA01735554

Digital immune system • We have the technology to build 80% of the digital immune system • We need network effects and board-level decisions to make the remaining 20% true • This will not solve computer security but it will leap it ahead by a lot EFTA_R1_00019507 EFTA01735555

) EFTA R1 00019508 EFTA01735556

"Shape-shifting" software • No two copies of the same app, (kernel, firmware, etc etc) should behave the same way at the micro level • Code should adapt to its users/owners, detect and log anomalous behavior on a distributed ledger EFTA_R1_00019509 EFTA01735557

"Accountability breeds response- ability." -Stephen Covey QuoteAddicts EFTA01735558

Code Signing • Every piece of code that is executed on a machine should be signed by a trusted entity • We can't trust a single company/machine: create a distributed ledger of valid signatures for every piece of code EFTA_R1_00019511 EFTA01735559

I EFTA_R1_000,19512 EFTA01735560

Self-destructing machines • Every machine should have a "known-good" state to revert to • Every time a machine is thought to be compromised it should be destroyed immediately and reverted back to the "known-good" state EFTA_R1_001,19513 EFTA01735561

EFTA_R1_00019514 EFTA01735562

Adaptive network structure • The trusting neighbors of a machine must be able to shut down communication with the allegedly compromised machine • The trusting neighbors should be able to adapt their network topology to use a mirror copy of the compromised machine EFTA_R1_00019515 EFTA01735563

EFTA R1 00019516 EFTA01735564

The Al future • In the future a lot of offensive security will be Al/ML- driven • In the future security will be much faster and much more complicated • We can't have proper defense against that without these building blocks EFTA_R1_001,19517 EFTA01735565

O&A EFTA_R1_00019518 EFTA01735566