Simple Sabotage

Two Factor Authenticity
Feb 9, 2016

Security lessons learned from a CIA field manual

This post is adapted from a talk of the same name that I gave at the North American Bitcoin conference in Miami last week.

Introduction

In 2008, the CIA declassified a World War II field manual that describes how to recruit saboteurs to fight secretly through small acts of destruction. It’s interesting to read the manual and think about how its contents affected the outcome of such a critical war, but we know it’s no longer up to date because the CIA declassified it, and they’re not in the habit of declassifying material that’s still relevant to their operations.

Out of date or no, the field manual caught my attention because it looks like a hacker’s playbook in 2016. It talks about how individual actors hurt the war efforts of a nation with small acts of mischief, and how the tools for destruction are ubiquitous and unavoidable. It describes attackers that aren’t motivated by money, and targets that aren’t of strategic value. This could describe attackers on the Internet as well as it did saboteurs during the war, and so there are interesting lessons to learn from the field manual about how we should think about attackers and ways that we can protect ourselves.

Possible Effects

Before reading the field manual, it’s clear that the top-level goal of the CIA during WWII was to help win the war and to reclaim territory occupied by the Axis powers. However, the manual doesn’t talk about armies or territory at all, and instead focuses on actions which seem insignificant compared to the power of an army.

Similarly in security, the news often talks about the biggest and scariest compromises: the NSA may have put a backdoor into fundamental encryption algorithms that compromises all systems everywhere, or Heartbleed affected the majority of websites on the Internet.

But the on-the-ground reality of security today is that most compromises are much smaller than that. Sometimes a group of users is affected, or a specific, high-value user has their account compromised, but most of the time attackers are just going after single, random user accounts. That makes sense because compromising all systems everywhere is very hard, but compromising a random user account is pretty easy. Just like taking over a country is very hard, but lighting a factory on fire is pretty easy.

The problem is, compromising a random user is often all an attacker needs.

Motivating the Saboteur

The section on motivation may be the most important and surprising part of the field manual. The CIA was not paying its saboteurs (or at least not most of them), and it wasn’t using national pride to rile them up. Instead, the saboteurs were mostly motivated by much more mundane concerns — a new boss under the occupation who was more demanding, or an inconvenience caused by the presence of soldiers.

For almost any website, a quick peek in the logs will show a barrage of basic attacks. These aren’t motivated by money or political conviction — the attacker is just scanning for an opportunity and will look for a justification later. They are often not rational, or after something of obvious value. Instead, they’re likely looking for something to brag about or are just trying to cause some mischief.

This is one reason why protecting user accounts is so hard. The enemy is not important, motivated, or well funded — but is still very dangerous.

Tools, Targets, and Timing

For the saboteur, nearly anything can be a tool or a target: sugar in an engine, a candle near a pile of sawdust, or even their own lethargy on a production line. Anything that could be done to thwart or slow down the war effort, even in the littlest of ways, is recommended by the field manual. The field manual goes out of its way to discourage saboteurs from using suspicious tools, going after obvious targets, or coordinating timing with the war effort, because each of those is likely to compromise the saboteur and perhaps even warn the enemy of larger war strategies.

For the unsophisticated hacker, there are also tools that are ubiquitous and accessible:

  • Botnets
  • Vulnerability scanners (especially SQL injection)
  • DDoS cannons
  • Phone calls and emails to support

These are not encryption backdoors, sophisticated intrusions, or specific malware. They’re cheap or free and accessible to almost anyone. They’re simple and basic, but very hard to be vigilant about. These are the tools used to probe your systems and test your defenses; they look for a crack to serve as a foothold for a larger attack.

Specific Suggestions for Simple Sabotage

So when we think about this landscape of security, when we consider unsophisticated attackers who aren’t motivated by obvious value, how do we protect ourselves? Here are three strategies for protection from simple sabotage.

(a) Do not reinvent the wheel.

Security is hard, so you should use the work of experts whenever you can. Especially at a small company, it is often tempting to build something yourself instead of paying for it because saving money is a priority. With security, though, there are a lot of open source resources as well as paid ones. Your little mistakes are easy to find, so look for projects that have been around for a while and have worked out the kinks.

(b) The Squirrel theory of security: Don’t keep all of your nuts in the same place.

It can be tempting to keep everything valuable in one, very secure, place so that you can focus on protecting that one place really well. However, this is really a bet that you’ll never get breached. If you are, you’ll lose everything. Distributed systems spread valuables out into many locations, so that if (or, really, when) a breach happens, not everything is lost at once. This follows from the assumption that you will probably be breached at some point, and that you should minimize that eventual damage instead of pretending like you can avoid it altogether.

(c) Use concentric circles of defense, with alerts when a ring is breached.

In line with the assumption from (b) that you will eventually be breached, focus on building many layers of defense instead of one strong layer. If you have good alerts set up, this will let you know when someone is trying to get into your systems before they get to anything valuable, instead of after they’ve already stolen everything you’ve got.
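An added example of (c), written for this post and not part of it: a small log pass that flags a source as a probe when it shows the cheap scanner behaviour described under Tools, Targets, and Timing, and raises an alert each time that flagged source gets a successful response from a ring deeper than any it had reached before. The rings, probe signatures, and access log lines are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log (client ip, method, path, status); not from the post.
SAMPLE_LOG = """\
203.0.113.7 GET /blog/2016/simple-sabotage 200
203.0.113.7 GET /wp-login.php 404
203.0.113.7 GET /search?q=%27%20OR%201%3D1-- 200
203.0.113.7 GET /account/settings 200
203.0.113.7 GET /admin/users 200
198.51.100.4 GET /account/settings 200
198.51.100.4 GET /admin/users 403
"""

# Hypothetical concentric rings, outermost first; the index doubles as severity.
RINGS = [("public", re.compile(r"^/(blog|search|login|$)")),
         ("authenticated", re.compile(r"^/account")),
         ("sensitive", re.compile(r"^/admin"))]

# Signatures of the cheap probes the post describes: SQL injection in a query
# string, and scanners guessing at software that is not even installed here.
SQLI = re.compile(r"'\s*or\s*\d+\s*=\s*\d+|union\s+select", re.I)
SCANNER_PATHS = re.compile(r"^/(wp-login\.php|phpmyadmin|\.env)", re.I)

def ring_of(path):
    # Map a request path to (ring index, ring name), or (None, None) if unknown.
    for idx, (name, pat) in enumerate(RINGS):
        if pat.search(path):
            return idx, name
    return None, None

def is_probe(path, status):
    # Scanner noise: an injection payload, or a 404 on a well-known guessed path.
    decoded = unquote(path)
    return bool(SQLI.search(decoded) or (status == "404" and SCANNER_PATHS.search(decoded)))

def analyze(log_text):
    # Alert once when a source first probes, then each time that same source
    # gets a success from a ring deeper than any it had reached before.
    probing, deepest, alerts = set(), defaultdict(int), []
    for line in log_text.splitlines():
        ip, _method, path, status = line.split()
        if is_probe(path, status) and ip not in probing:
            probing.add(ip)
            alerts.append((ip, "probe", path))
        idx, name = ring_of(path)
        if idx is None or not status.startswith("2"):
            continue
        if ip in probing and idx > deepest[ip]:
            alerts.append((ip, name, path))  # a flagged source crossed a ring
        deepest[ip] = max(deepest[ip], idx)
    return alerts
```

The second source reaches the authenticated ring without ever probing and is refused at the sensitive ring, so it produces no alert; the first source is reported at each ring it crosses after its scanner traffic was seen.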


usually thinking about what it’s like to be people on the internet — director of product at twitter — married to @ericajoy — he/him