13 Matching Annotations
  1. Jul 2022
    1. Its Digital Crimes Unit applies legal and technical solutions to identify, investigate, and disrupt malware-facilitated cybercrime and nation-state-sponsored activity.

      This, and the example below, of Microsoft's actions against malicious infrastructure are worth exploring in greater details. Part of it was taking over malicious domains - that is somewhat legal and certainly welcomed. But were there any 'penetrations' and exploits? I doubt so.

    2. Many U.S. private-sector companies have strong corporate incentives to support conformance with proposed prohibitive norms. Some also have the capacity, capability, and legal standing to engage in responsible, exploitation-based activities.

      A very interesting - and, indeed, dangerous - claim that companies have legal standing to engage in 'responsible, exploitation-based activities' against malicious actors.

      Does Microsoft really have legal ground to exploit any system (be in malicious or not) in another state - or even in US? (Not to ask if this goes against its own philosophy against exploiting vulnerabilities and vulnerable systems)

      Do Huawei or Kaspersky have legal grounds to exploit systems in the NL or US - systems that they, or their governments, deem as malicious? What would the US say in such occasion (even if they dismantle C2 based in US - which is, btw, host of majority of malicious C2s)?

      From the US defence perspective, this is, of course, very acceptable. From an international perspective - including legal and diplomatic - this is very problematic. It could actually put private sector actors on list of 'non grata' for many other countries, as they will be seen in breaching sovereignty of states. It is counter-productive.

      This is not to say that such cooperation - and overall 'defence forward' - against malicious actors is a wrong way to go. It is not about 'if', but about 'how': if it is unilaterally done by the US (and allies), it resembles the US political and military dominance of the 21st century - its understanding of a role of international policeman. We have seen where that lead geopolitically.

      It is much better to approach this 'new approach' through garnering broader international support for such actions - even through the UN. It is slower ,but more legit and with less risks for escalations and further political polarisation.

      ||JovanK|| ||Pavlina|| WDYT - from legal and political perspective?

    3. CYBERCOM’s hunt-forward operations enable anticipatory resilience by discovering adversary malware, techniques, tactics, and procedures as well as indicators of compromise and releasing this information through VirusTotal and Cybersecurity and Infrastructure Security Agency (CISA) alerts to inoculate U.S. companies from malicious cyber activity.

      This is, however, different from active attacks: this is information sharing, which is - no doubt - very efficient and needed

    4. It is time better spent tacitly communicating to the malicious source by exposing, disrupting, and contesting threatening behaviors.

      One 'problem' with many such analysis is that they only observe the US perspective. This is not healthy even from the military point of view, and let alone from diplomatic point of view (norms) which should strive towards a compromise.

      Let's put ourselves in the shoes of Russians, or Chine. For them, the threat is not cyber groups, but Microsoft, for instance. Microsoft is vulnerable; Microsoft is dominating the market and imposing solutions; Microsoft is engaging against their sovereignty... Whether we agree or not with this stand, we have to understand their view. Using this strategy, Russians would legitimately act against a threat to them: Microsoft. Or Cyber peace institute. Or any other institution which they deem causes a threat to them.

      If we 'legitimise' intrusion into other systems as defence, it may have a counter-effect of escalations, and setting erroneous precedents.

    5. revealing publicly indicators and warnings of malicious activity, the techniques, tactics, and procedures associated therewith, and malicious malware itself that was discovered after an opponent’s intrusion or in anticipation of one

      This is a second part of suggested strategy - besides attacking malicious actors: it boils down to publishing the know details about the threat actor and threat infrastructure, and sharing all this intelligence among various actors. This info exchange indeed is a cornerstone of better protection.

    6. exploiting and then closing a vulnerability for the sole purpose of removing malicious malware

      In theory, this looks smart: you attack the attackers. There are good examples of successful campaigns (also illustrated below).

      In practice, it is not so smart: any exploitation of an existing vulnerability involves developing an exploit - usually a sophisticated one, if developed by the US security services, say. That exploit can leak (as we have seen before, from CIA stockpiles), and can get in hands of malicious actors including petty criminals (we have seen that as well).

      That's why 'closing a vulnerability' is done to prevent? Can't work. Even though 'zero days' are most dangerous ones, most exploited vulnerabilities are actually years (and even decades long) - a CISA list of most exploited vulnerabilities, which it publishes regularly to motivate CI sector to patch, shows just that. Thus there is no way to instantly close an old vulnerability around the world (even in US) - and creating a powerful exploit for it doesn't help at all. If it is about a zero-day exploit, it is certainly welcomed that it would be reported to a vendor which would immediately patch it - but again, the existing exploit is even more dangerous, since patching process will take years.

      In a word - very dangerous strategy.

    7. cyber persistence, which manifests as a threat through the malicious exploitation of cyber vulnerabilities.

      new concept explained below - basically, 'defence forward' ie a) attacking malicious groups and infrastructure preemtively and b) sharing publicly information about those structures and attacks

    8. Interesting blog that comments on lack of conformance of states to cyber norms: that OEWG/GGE norms don't reflect the reality of attacks, while GCSC which reflect better are not in the game; and on three ways conformance is currently cultivated (persuasion, socialization, and incentives) - all three failing.

      Then, it proposes 'a new way' which should complement this process of turning norms into customary law - by inhibiting the ability for misbehavior/irresponsible behaviour . This should be done through 'defence forward': actively disrupting malicious groups and their systems (malware, botnet C2 infrastructure, etc) before they strike (includling through exploitation of vulnerabilities!), and publicly disclosing the information about such operations. To them, this would support better conformity to norms (by preventing them to misbehave?)

      There is a number of valid points in the doc. But, there are also many problematic ones; to start with - do you, by preventing someone to misbehave, actually promote adherence to norms? Or are these two distinct issues - norms, and defence/military strategy.

      I added number of comments throughout.

      ||Pavlina|| ||AndrijanaG|| ||JovanK||

    Created with Sketch. Visit annotations in context

    Created with Sketch. Tags

    Created with Sketch. Annotators

    Created with Sketch. URL

  2. Sep 2021
    1. Mr.President,SaintLuciaiscallingfortheadoptionofaglobalvulnerabilityindexbyinternational institutions.This index should include variables such as vulnerability to adverseweathersystemsandnaturaldisasters,historicaldisadvantagesarisingoutofplunder,colonialismandexploitation,andthevagariesoftheeconomicactivitieswhichsuchstatesdependforsurvival.Such a global vulnerability index would ensure that access to concessional development financeis granted based on criteria that consider the true contexts of our fragile economies, which areconstantlyunderthreatofregression,dueto natural, man-madeorpoliticaldisasters

      Interesting proposal by St Lucia, for a global vulnerability index, on the basis of which, countries would have access to development finance.

    Created with Sketch. Visit annotations in context

    Created with Sketch. Tags

    Created with Sketch. Annotators

    Created with Sketch. URL

    1. It is imperative that we work together to build consensus and cohesion in respect of the plight of those facing threats of an existential nature, most notably SIDS.Our vulnerabilities are well known and they need not be expounded on here. What needs to bestressed, however, is that a “one-size-fits-all” approach to debt relief and concessionary financial flows is
    Created with Sketch. Visit annotations in context

    Created with Sketch. Tags

    Created with Sketch. Annotators

    Created with Sketch. URL

  3. Mar 2021
    1. The continuing increase in incidents involving the malicious use of ICTs by State and non-State actors, including terrorists and criminal groups,is a disturbing trend

      It is pity this language has not been stronger, and more explicit. In particular, exploiting vulnerabilities should have been explicitly mentioned as 'disturbing' - if not condemned (having in mind SolarWinds and other examples).

      Exploiting a vulnerability against one system discloses the vulnerability of a whole classes of commercial systems to the broader public. This then ends up being exploited by criminals against other such systems around the world, thereby weakening the entire cyberspace.

      While it may be understood to fall under "malicious use of ICT", it is important to clearly spell it out.

    2. The continuing increase in incidents involving the malicious use of ICTs by State and non-State actors, including terrorists and criminal groups,is a disturbing trend.

      It is pity this language has not been stronger, and more explicit. In particular, exploiting vulnerabilities should have been explicitly mentioned as 'disturbing' - if not condemned (having in mind SolarWinds and other examples).

      Exploiting a vulnerability against one system discloses the vulnerability of a whole classes of commercial systems to the broader public. This then ends up being exploited by criminals against other such systems around the world, thereby weakening the entire cyberspace.

      While it may be understood to fall under "malicious use of ICT", it is important to clearly spell it out.

    Created with Sketch. Visit annotations in context

    Created with Sketch. Tags

    Created with Sketch. Annotators

    Created with Sketch. URL