Intelligence Agency Calculus
The “ShadowBrokers” dump of an NSA firewall ops toolkit continues to generate page views and outrage about how national intelligence agencies handle software vulnerabilities. This post won’t address that issue, but rather look at the sort of mind game calculus that goes on between the intelligence services. This international level mind game includes espionage, intelligence and counterintelligence all bundled together, very exciting to observe.
That NSA knows the toolkit was compromised is a secret which exposes a vulnerability in the foreign intelligence service — they do not know that NSA is aware the toolkit was compromised. Revealing this secret would patch the vulnerability in the foreign intelligence service — NSA’s opposition. Providing adversarial intelligence services with secrets is not in NSA’s mandate.
Not How Intelligence Works
Nicolas Weaver has written a piece on Lawfare which ignores the intelligence calculus and just goes straight for “NSA should provide American companies with software QA assistance.” Personally, I’m not sure that is the mandate of an intelligence agency:
According to a Reuters exclusive, the NSA was aware that their tools may have been exposed almost immediately after it occurred, and yet never notified Cisco and Fortinet about the vulnerabilities in their system. There is a defensible argument for not informing a vendor about a zero-day where the Agency is confident nobody else knows about it. But if the NSA has reason to suspect an adversary has captured a zero-day — the use of which could substantially impact US interests — it is critical that the NSA report it to the vendors in the interest of defense. — Source
This analysis is simplistic and ignores the complexities of The Great Game. Here are the salient points that we’ll need to understand the sort of calculus the intelligence agencies have to go through as they deal with this situation:
- NSA Firewall Ops kit stolen by a foreign intelligence service (FIS) in 2013
- NSA suspects that the kit has been compromised shortly after this occurs
From here, things get interesting…
Exploitation of Intelligence 101
The foreign intelligence service (FIS) can exploit the NSA’s firewall ops kit in a number of different ways, but they broadly fall into two categories — active and passive.
- Use the contents of the toolkit (e.g. the 0day) to penetrate networks
- Monitor for signatures from the toolkit (e.g. NOPEN the NSA RAT, or the exploits themselves) to discover new operations by the opposition
- Prepare honeypots to lure the opposition (i.e. set up vulnerable routers for NSA to exploit)
- Review full packet capture logs for signatures of past operations by the opposition
- Trade the toolkit (or a subset) with a friendly intelligence agency for access to something (e.g. “two Ciscos and a Fortinet for one Android RCE and a mailspool”)
- Study the kit to learn about the tools, techniques and procedures of the opposition (hint: for a good time, read the comments in the dump)
Possibly more options, because this is certainly not an exhaustive list of how a FIS would derive value from a stolen cyber operations toolkit. The important point here is that passive exploitation for intelligence offers a lot of value even without actively using the contents in one’s own offensive cyber operations.
Cisco Exploits? No Thanks, We Already Have Some
In a quick note against using the toolkit 0days, the FIS almost certainly has their own firewall ops kit. This kit will include 0days against Cisco and Fortinet (and Huawei, and so on.) Those 0days may, or may not, be the same ones that the NSA was using. There is almost no chance that the FIS needed those NSA 0day in order to operate (remember, this FIS was able to detect, trace and back hack an NSA operation — they’re pretty good with computers.)
- Passive exploitation of the firewall ops kit is already extremely valuable.
- FIS are (probably) not short of Cisco 0day (no one is. zing!)
Intelligence Services’ Calculus
Now we are ready to explore the calculus that intelligence services have to go through. Using the patchwork of information that they have available, they must try to determine the best solution to achieve their mission (in addition to all the other normal office politics and problems of bosses and budgets.)
This is where the mind games begin:
- FIS has NSA’s firewall ops kit (FIS knows)
- NSA suspects that FIS has the firewall ops kit (NSA knows that FIS knows)
- FIS does not know that NSA suspects the kit is compromised (FIS does not know that NSA knows that FIS knows)
At this point, there some major vulnerabilities facing both the services.
Their firewall ops kit is potentially compromised. Now what?
- If they continue to use it, it may contaminate and compromise future operations.
- Past operations may be compromised, leading to: loss of access; injection of disinformation; active monitoring of evolving tools, techniques and procedures, etc.
- However, replacing the toolkit is expensive. The resource cost of building an entirely new support infrastructure, plus vulnerability hunting and exploit development, plus migrating to the new infrastructure… this all takes time and money. Not a decision to be taken lightly.
- They don’t know whether the opposition (NSA) is aware that the toolkit is compromised.
- They don’t know if the opposition is actively monitoring for FIS usage of the vulnerabilities within the toolkit. Obviously, the opposition is aware of those vulnerabilities, but are they actively looking for exploitation in the wild?
Best Course of Action: NSA
Assume that the kit has been compromised and begin migrating to a new toolkit. Cease all operational usage of that kit against the FIS most likely in possession of the tools. Assume (some) past operations are compromised and proceed accordingly.
Start actively looking for evidence that the toolkit has been compromised. This includes monitoring for use of the vulnerabilities within the toolkit, probably also information collection from other channels (HUMINT, SIGINT, OSINT, checking Tumblr for Bitcoin based auctions, etc.)
Best Course of Action: FIS
Assume that the opposition suspects that the toolkit is compromised. Do not actively use anything from the toolkit because that would immediately provide proof that the kit is dirty. If the opposition never has proof that the ops kit is dirty, they may grow complacent and continue to use it, thus allowing FIS to detect and monitor them.
Begin full passive exploitation of the toolkit for maximum intelligence value. Primarily, focus on detecting previous breaches by the opposition. Consider preparing and laying out honeypots for the opposition (this could backfire if the opposition discovers it is a honeypot, thus revealing to NSA that FIS has the toolkit.)
Not In The Picture: Software Companies
The intelligence services are in active competition to steal each other’s secrets while protecting their own. They have to consider what their actions will reveal to the opposition about their own knowledge. For the FIS, that means avoiding taking active steps to reveal they possess the firewall ops kit. For the NSA, this means avoiding taking actions to reveal that they know the kit has been compromised.
Option: Burn The Bugs
If NSA informs the vendors — Cisco, Fortinet, Huawei*, etc — about the vulnerabilities that were used in the kit, that will automatically alert the FIS that NSA knows the kit is compromised. This is a security problem. Additionally, other FIS (who didn’t capture the kit), would immediately be able to conduct a portion of the passive intelligence exploitation (they can trawl packet captures for exploitation of the vulnerabilities.) This is also a security problem.
*Many companies use Huawei products and they deserve just as much protection against “lost” 0days as companies that use Cisco. Unless the US is advocating using their intelligence services to directly aid only their own national companies, in which case I’m sure the Chinese would be happy to discuss the parameters of “acceptable economic intelligence”…
Option: Play The Waiting Game
On the other hand, the kit may not be compromised, so all of the above issues may be incurred for… I guess, helping Cisco and Fortinet fix a small number of the vast quantity of security vulnerabilities that plague their products (not to single them out — security vendors have consistently scored at the low end in “secure software” evaluations.) Although part of the NSA (IAD) is tasked with protecting the US against FIS, their mandate is not actually “perform software QA for American companies.” It is also debatable as to whether they would be informed that the firewall ops kit was compromised which would likely be classified compartmented information.
For both the FIS and NSA, the best solution is to passively collect as much intelligence information about the firewall ops kit as possible. This minimises the security risk of exposing their own secrets to the opposition, while maximising their opportunities to collect additional secrets from the opposition. Neither service benefits from revealing the vulnerabilities to the vendors.
For the FIS, actively using the vulnerabilities from the firewall ops kit is literally the least valuable and highest risk method of exploiting the toolkit. Both they, and NSA, would be aware of this and so NSA would (rightly) determine that it is not a particularly likely event.
This is The Great Game. It has been going on for centuries, but it is only very recently that civilians have become significant active players and participants. The game is no longer the exclusive domain of nation states, but also software vendors, companies, and civilians. The rules, both implicit and explicit, that govern the game are changing to accommodate the new players. We live in interesting times…