1 / 25

Predictability: The Essence of Attacking Systems

Predictability: The Essence of Attacking Systems. Andrew Wilson. Howdy YALL! (that’s how you say it right?!). Who am I? Recovering Developer Professional AppSec Pentester Sandan in Jiyushinkai Aikibudo. Overview. Why predictability matters Analyzing Systems

harley
Download Presentation

Predictability: The Essence of Attacking Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Predictability: The Essence of Attacking Systems Andrew Wilson

  2. Howdy YALL! (that’s how you say it right?!) • Who am I? • Recovering Developer • Professional AppSecPentester • Sandan in JiyushinkaiAikibudo

  3. Overview • Why predictability matters • Analyzing Systems • Complexities In Vulnerabilities • Approaches to Taking Advantage

  4. Historical Context • The slides represent the life work of the above people.

  5. Predictability • The essence of science is based on predictability. • Computer science is all about algorithms and rules. • Computer security is all social engineering.

  6. Why Predictability • Knowledge == Power • Consistency leads to success • All the cool kids are doing it!

  7. Analyzing Systems • You can’t measure results without understanding a system • Consistency comes from knowledge and experience • Two categories: • General Theory • Specific Implementation

  8. Systems in Theory • The human body is a set of complex systems • Nervous, Muscular, Cardio Vascular, Structural • Computers are a set of complex systems: • Processor, Disk, Networking, Memory, Logical, Graphics

  9. Systems in Reality • Systems don’t exist in theory • Implementations are often different than the “ideal” • Flaws come from: • External forces • Choice

  10. Where’s Vulndo? • Essential components • Dependencies & Commitments • Relationships & Expectations • Data Processing • Flow & Recovery • What isn’t needed • What is “default”

  11. Innate Vulnerabilities • Every system has vulnerabilities • Everything is broken! • Some are more likely to occur than others

  12. Complex reality • Why don’t things get beat up more often? • GedanBudo: It’s not that easy. • Functional Example

  13. Strategy Goals • The goal in both attack & defense is the same: • Reduce possibility of being wrong • Increase possibility of being right • To accomplish this we: • Remove variables • Increase Control • Constantly Adapt

  14. Elements of Strategy • Target • What am I interacting with • Distance • How far am I from it • Timing • When to attack

  15. Target • What is the closest target I can attack? • How will I interact with it? • Why choose it? • Effect of impact • Opportunities to expose other openings

  16. Relative Distance • To-Ma (Long Distance) • Uchi-Ma (Striking Distance) • Chica-Ma (Short Distance)

  17. Timing / Initiative • All cycles have a beginning, middle and end. • Our actions related to cyclical timing is called Sen. (Initiative) • There are three versions of Sen: • SenSen no Sen (Superior Initiative) • Sen no Sen (Early Initiative) • Go no Sen (Late Initiative)

  18. Taking Advantage (Waza) “The nicety of Judo / Aikibudo technique lies not in the action of performing techniques, but rather in the skill with which the preparing is done as a preliminary” – Kenji Tomiki Sensei

  19. Unbalancing (Kuzushi) • Altering an intended cycle : (Extending, Interrupting) • Caused by changing any one of the components of the interaction • (target, distance, timing) 崩し

  20. Fitting (Tsukuri) • Once a cycle has been broken, surrogacy must occur or the system will fail. • There are two primary points to fitting: • Jibun no Tsukuri (fitting yourself) • Aite no Tsukuri (fitting the other) 作り

  21. Technique (Kake) • Kake doesn’t mean technique per say, it means to begin. • This is the nature of the payload itself, what does it do, how does it succeed? 掛け

  22. Story Time!

  23. Summary • Systems, by their very nature, are vulnerable to manipulation • Attackers and Defenders have the same toolbox • Awareness is the essential tool attack and defense

  24. QA

More Related