Threat capability modelling
It is good to understand Shannon's conditions, the Dolev-Yao model and the "most-capable adversary" posture.
These are ways of thinking about networks and the computers running on them. They help us examine our assumptions about protocols, structures and the relations between "nodes". Dolev-Yao is an elegant modelling tool, and it also offers insights into defensive cybersecurity techniques.
In threat capability reasoning, a good layman's explanation is to think of The Matrix and the presence of "Agents". The agents have super-human capabilities. They can be everywhere at once, know and see everything, disguise themselves as anything and accomplish seemingly impossible acts of strength and speed. They have the properties of:
- omniscience
- omnipresence
- omnipotence
Omniscience is the ability to know everything. While it is obviously impossible to know everything, as defenders we cannot assume that any critical piece of information is definitely unknown to an adversary. For example, we may place a service on an unusual port, but we cannot assume an attacker won't have discovered it or simply guessed it. This is the argument against security by obscurity.
Omnipresence is the ability to be in many places at once. It is another way of saying that the attacker can make multiple copies of itself, all operating in parallel. That is certainly important in the age of hostile bots. When we anthropomorphise an attacker we tend to think of "them" as a single mind in a single place. Cyber enemies are nebulous and simultaneous. For example, correlation attacks watch many points in a network, looking at timing and traffic flow, and can de-anonymise secure communications.
Omnipotence is the ability to do anything. In reality this just means the attacker has a lot of power, including computational, financial and political power. They can do things like:
- re-route traffic
- rapidly crack weak encryption
- shut down networks
- forge hashes and signatures
- impersonate trusted principals
Traditionally it is assumed that potent adversaries are State actors, but in reality, given the ability to purchase vast amounts of compute, use cryptocurrency for untraceable bribes, infiltrate ISPs, or apply commercial and trade pressure, any large criminal gang or corporation can be potent.
The upshot of Dolev-Yao is that you "cannot trust the network". Endpoints and provably secure tunnels are all that really matter. Dolev-Yao makes hardware security very important. Closely connected is Shannon and Kerckhoffs's formulation that "the enemy carries the message".
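To make the "cannot trust the network" point concrete, here is an added example (not from the original article) of a toy symbolic Dolev-Yao attacker in Python: it records everything crossing the wire, closes that knowledge under the standard analysis rules (split pairs, decrypt under known keys), and checks what it can then learn or forge. The protocol traces, key names and atom names are constructed for the example.

```python
# Added example, not from the article: a toy symbolic Dolev-Yao attacker.
# Terms are an atom (str), ("pair", a, b) or ("enc", m, k) with symmetric
# encryption. The attacker sees every message on the wire, can split pairs,
# decrypt under keys it knows, and build pairs/encryptions from what it knows.
# Protocol traces and key/atom names below are constructed for illustration.

def pair(a, b):
    return ("pair", a, b)

def enc(m, k):
    return ("enc", m, k)

def closure(known):
    """Analysis rules: repeatedly split pairs and decrypt with known keys."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue  # atoms carry nothing further to extract
            if t[0] == "pair":
                new = {t[1], t[2]} - known
            elif t[0] == "enc" and t[2] in known:
                new = {t[1]} - known  # key known, so the plaintext is learned
            else:
                new = set()
            if new:
                known |= new
                changed = True
    return known

def can_forge(term, known):
    """Synthesis rules: the attacker can send term if it knows or can build it."""
    if term in known:
        return True
    if isinstance(term, tuple):
        return all(can_forge(sub, known) for sub in term[1:])
    return False

def attacker_learns(wire, secret, prior=()):
    """Does an attacker with prior knowledge learn secret from the traffic?"""
    return secret in closure(set(prior) | set(wire))

# Protocol A: session key sent in the clear, then the secret under it.
WIRE_A = ["k_session", enc("SECRET", "k_session")]
# Protocol B: secret under a pre-shared key that never crosses the network.
WIRE_B = [enc("SECRET", "k_psk")]
```

Protocol A leaks the secret to a network attacker while Protocol B does not; but giving the attacker `k_psk` as prior knowledge (a compromised endpoint) makes B fail too, which is exactly why the model says endpoints are what matter.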
Against such "agents" the battle looks lost and the future bleak. But that is not the case. This 'worst case' model is a rational, if not fully realistic, set of assumptions about the cybersecurity situation we face. From it we develop defensive techniques that are similar to insurgency or 'guerrilla' thinking. From it we see that cybersecurity is a resistance movement and that the best techniques are related to unconventional, non-linear warfare. Many important techniques in defensive cybersecurity use the enemy's strength, arrogance and overconfidence against him. Big, powerful enemies tend to self-destruct, with a little help.