Symbiotic Relationships in Security

In his keynote at Shmoocon, Peiter Zatko brought up a pretty cool example applying game theory principles to security. The takeaway was “if you think the game is illogical, you’re probably missing something”.

In this case the game involved the new feedstock of AV companies: botnets. His observation: the botnet writers had implemented a simple XOR cipher, pretty obvious as part of their protection scheme. This cipher had roughly a ten-day lifecycle from release to detection to AV signature release. When the ten days were up, the botnet writers would alter the cipher and the cycle would start again.
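To show why a single-byte XOR layer is the kind of thing that gets signatured in days, here is an added example (not from the talk or the post) of the check an analyst or detection engine can run over a captured blob: try all 256 keys, keep the one that yields plausible text, and flag the blob if one exists. The bot message, the key 0x5A and the stand-in for strong-cipher output are all constructed for this example; the stand-in is SHA-256 output, not real AES, so that the script has no dependencies.

```python
import hashlib
import string

# Constructed sample: a made-up bot check-in message, not captured from any real botnet.
SAMPLE_PLAINTEXT = b"BOT id=1234 cmd=checkin ver=2 interval=600 host=workstation-07"
SAMPLE_KEY = 0x5A  # constructed single-byte XOR key

# Stand-in for the output of a strong cipher: deterministic pseudo-random bytes
# derived from SHA-256 (constructed; not AES, just something with no structure to find).
STRONG_CIPHER_STAND_IN = (hashlib.sha256(b"constructed seed").digest() * 2)[: len(SAMPLE_PLAINTEXT)]

PRINTABLE = set(string.printable.encode())
COMMON = set(b"etaoin shrdlu")  # most frequent English letters plus space


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte (encoding and decoding are the same op)."""
    return bytes(b ^ key for b in data)


def plaintext_score(candidate: bytes) -> float:
    """Plausibility of a candidate decode: 0.0 if any byte is non-printable,
    otherwise the fraction of bytes that are common English letters or spaces."""
    if not candidate:
        return 0.0
    if any(b not in PRINTABLE for b in candidate):
        return 0.0
    common = sum(1 for b in candidate.lower() if b in COMMON)
    return common / len(candidate)


def recover_single_byte_key(ciphertext: bytes, threshold: float = 0.3):
    """Brute-force all 256 keys. Returns (key, score) for the best candidate if its
    score clears the threshold, otherwise None (no plausible XOR decode found)."""
    best_key, best_score = None, 0.0
    for key in range(256):
        score = plaintext_score(xor_bytes(ciphertext, key))
        if score > best_score:
            best_key, best_score = key, score
    if best_key is not None and best_score >= threshold:
        return best_key, best_score
    return None


def looks_xor_obfuscated(blob: bytes) -> bool:
    """Detection verdict: True when a single-byte XOR key turns the blob into readable text."""
    return recover_single_byte_key(blob) is not None


if __name__ == "__main__":
    wire_bytes = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)  # what the bot would send
    result = recover_single_byte_key(wire_bytes)
    print("XOR-obfuscated sample:", result, xor_bytes(wire_bytes, result[0]) if result else None)
    print("strong-cipher stand-in:", recover_single_byte_key(STRONG_CIPHER_STAND_IN))
```

The XOR sample decodes with key 0x5A in well under a millisecond, which is the whole point: once a sample is in an analyst's hands the obfuscation adds no real work, so the signature follows quickly. The stand-in for a strong cipher yields no plausible decode under any key, so a signature has to be built on something other than the decoded message, which is the harder problem the post goes on to describe.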

At one point, the cipher was changed to a stronger AES version. After ten days, nothing. So what happened? According to Zatko, the weaker cipher system was put back. Nuts, right?

The theory is that it takes a few minutes to change the cipher, and ten days to get caught. That’s a pretty good investment and the AV companies are happy because they get to say they’re releasing sigs all the time. If you take away the low hanging fruit, maybe the AV companies will figure out how to block the bot in a more fundamental way. Something that takes more than five minutes to fix.

So in the end it’s in both parties’ interest to keep the cycle alive. AV isn’t providing a solution, and everyone is making money prolonging the problem. And the ironic part is the AV client is probably happier too. I mean, look at all these signatures I’ve applied this month; what a good investment.

I guess the bright side is guys at DARPA like Mudge are digging into this, taking it seriously, and most importantly, being given the latitude to talk about what they’re seeing.

2 thoughts on “Symbiotic Relationships in Security”

  1. What was the general reaction to this? Such a view of the AV industry is obviously one likely to be quickly rebuffed by the AV vendors; it’s also the first time I’ve personally heard such a take. Is that relationship a status quo the vendors are fine with maintaining, or are they struggling to keep up with things, or..?

    • I didn’t get a take on the general reaction; this was also one part of a larger talk. It’s also important to state that the AV vendors aren’t necessarily complicit in creating the current rules of the game. It is in attacking the problem from a pure efficiency point of view, i.e., fastest solution to detect and remove wins, that the status quo continues. My take and motivation for the post was that while AV believes they are fighting the good fight, being reactive and efficient means nothing will change. Mr. Zatko’s example is also one theory for the observed behavior; it’s possible there was another reason for removing AES.
