Adversary Resistant Networking

Much like our thinking regarding Adversary Resistant Computing, we have some ideas on dealing with opponents who exhibit enough situational awareness to spot a visitor originating in a certain place, and then devise some way to cause trouble for them.

First, what hunts you?

Our taxonomy of threats from the ARC article is a bit much here. Any foe you might encounter will fall somewhere on this spectrum:

  • Simple detection via web site logging or documents seeded with some means of ‘phoning home’. Threats are doxing, civil discovery, or maybe an attempt to involve law enforcement.
  • Detection and fingerprinting for browser, OS, and the like. Threats as above, adding perhaps browser hijacking or spearphishing attempt.
  • Detection, fingerprinting, temporal analysis, and other corporate defense tactics. Threats as above, adding much more likely civil or criminal trouble.
  • Competent nation state or Five Eyes, curious and tracking large classes of anomalous behavior, watching (and interfering) in ways you can not quite imagine. Threats scale up with their perceived value of what interests you.

Second, what role does your organization play?

If you are noticed, what does your presence convey to the entity that has detected you? Are they about to get some negative press? A lawsuit? A raid by authorities? Are you a vanguard for a sanctioned intrusion or some sort of subversion of their systems? They will be doing a threat assessment on you, just as you should be doing on them.

Third, how much are you willing to give up?

You can not interact with a remote system without leaving some sort of trace. There are a variety of ways to hide, from the Tor anonymizing network, to various VPNs, to physical travel away from your normal haunts. And if you have a budget, there is realm beyond this one.

Some Real World™ scenarios:

The Tor network provides a multi-hop routing architecture, hundreds of global exits to the clearnet, and a private darknet of websites with onion addresses. Entry level opponents will be baffled by this, wary ones will simply use the Tor exit nodes list to block access, and nation states are in a position to attempt traffic correlation and other mischief.

There are many VPN providers out there. If they require you to use a binary bundle, you should turn and run. Free services that accept OpenVPN connections are profiling you, injecting ads, and likely trying to hijack your system. We trust ProtonVPN to not be doing this, and for certain other activities the very feral Cryptostorm is a good choice. The problem with each is that their exits are discoverable by anyone willing to spend $5 to $125 to explore, and once your pattern is recognized,

Tor will happily engage its network after exiting a VPN node. Some VPN providers, like Cryptostorm, offer free low speed services, and they will accept TCP connections that arrive from the Tor network. The first is good discipline if you might be facing one of those nation state opponents, the latter is a technique used to circumvent Tor access bans while still enjoying its protection.

The real hazards here are forgetting to do some certain step, say turning on a VPN, or having a a failure that in some way exposes your location. We are big fans of “fail closed networking” – if something isn’t right with your connection, it should behave in such a way that you must repair it before resuming your work.

There are tools that purport to do this for desktop operating systems; we find all of them to be less than comforting. Linux can be made to behave in this fashion, and Linux based firewalls can enforce such discipline for your entire network, including those devices which otherwise have no hope of operating safely.

 

 

Adversary Resistant Computing

The very first question asked when one begins to awaken to the hazards in the world today will be “How do I ensure my current phone and computer safe?” Serious practitioners ask themselves this each day, when they first rise in the morning, and then again when the close their eyes to sleep.

We answer this simple question with a number of others, to sharpening thinking.

First, what hunts you?

Your answer(s) to this conditions the required level of discipline, as there are a spectrum of threats:

  • Largely civilian OSINT practitioners, law abiding, usually lacking a budget.
  • Sanctioned civilian investigators, corporate security or private detectives, with some skills, some budget, and some degree of law enforcement support in their jurisdiction.
  • Cyber specific adversaries, specialty vendors with skills, tools, and the talent to properly pursue threats to their interests.
  • Violent action groups, able and willing to engage in extralegal activities, or operating in areas where there are no surviving authorities providing law and order.
  • Nation state actors, who have less talent and flexibility across the board than the other threats, but much larger budgets, and who bring a long term perspective.
  • Global intelligence players, such as the Five Eyes everywhere, China and Russia in their own territories, and the set of competent regional powers such as Iran or India.

Once you have a sense of your peak problem, and understand that it can and will employ the smaller fish, you have a starting point to understanding what is required.

Second, what role does your organization play?

If you are reading this you presumably fit into one of those six very general threat buckets we just named. Depending on the day, we fit into the first three, we might be working for the upper two, and we have been involved in the study of, but not direct conflict with violent extralegal actors.

Third, what role do you yourself play?

If you are reading our internal documentation you’ll find that we partition people into three types of roles:

  • Actors – those who travel, who may interact with an observation target in some fashion, who face the risks of identification, device intrusion, device seizure, and so forth.
  • Collectors – typically passive observers whose intent is to go unnoticed, and who largely succeed. One the strengths of our system is the ability to capture cognitive surplus and the free time of motivated observers, who may be equipped with as little as a prepaid Android device.
  • Directors – those who can assess risk and advise Actors, who have overall situational awareness for group activity, who guide and motivate Collectors.

Having considered this, you now understand some of what we are thinking when we answer that first query about device safety.

What to NOT do …

If “Microsoft Windows” is ever meant to be a serious answer, the original question was poorly phrased. We just don’t use it unless there is a specific need to look like a Windows user, with the implication being that one is actively nosing around an adversary and wants to blend into the background noise.

NSA employees are known to use Apple products and many of us favor them, for the smooth blend of consumer software and Unix security features. Others prefer Linux.

If you mentally edit every mention of “cell phone”, replacing it with “small, stupid computer, too trusted, and far too easily lost or seized and searched”, you’ll be on the right track. They are a fact of life, but so is the common cold during fall and winter, and you know the steps you should take to avoid that.

There are decent Android products, albeit ZTE, in the second tier of such devices for prepaid services such as GoPhone or TracFone. $25 to $50 will net you a device which you do not need to fund for cell service in order to start using it for some purposes. A slightly dated phone you have retired is also a good choice here.

Some Specific Recommendations

You should be familiar with a type two hypervisor. The solid free one is VirtualBox. The paid solution is VMware Workstation on Linux/Windows, or Fusion on the Mac. Apple owners should avoid Parallels – the price is attractive, it’s a smooth OSX native, but power hungry and the ability to work with other platforms ranges from poor to nonexistent.

TAILS Linux is a live CD distro that defaults to using the Tor network. We like this on small laptops, but hardware support is variable, and they dropped the 32 bit version some time ago. This software works well under both VirtualBox and VMware.

We like the idea of Whonix, a dual VM gateway/workstation environment that will run under VirtualBox. Prior to this existing we rolled a solution of our own in this area, and we still use it, because Tor is not always the right answer when it comes to Adversary Resistant Networking.

The pinnacle for adversary resistance is Qubes, a type one hypervisor based on CentOS that provides multiple exclusive security domains. This system has some very specific hardware requirements and even an experienced Linux administrator is going to face challenges using it.

A minimum comfortable desktop for this sort of work will have an i7 processor, 16 gig of ram, and a solid state disk. Our group has several Dell M4600, which max out at 32 gig, which supports the latest Qubes, and which offers both a 2.5″ drive bay and an MSATA slot on the mainboard.

Leave Windows on the main drive if that is your current comfort zone, install VirtualBox to get started using a hypervisor, and a small MSATA drive will be fine for Qubes or Linux transition. A well appointed machine can be had on Amazon for $500.

 

 

NPC Bot Wave

Earlier today Josh Russell published a list of “NPC” accounts on Twitter. Nominally this seems to be tied to a “New Progressive Coalition”, but there are several humorous takes on the meaning of the acronym.

NPC Bots
NPC Bots

While a deadly accurate send up of Progressive sensibilities this election cycle, there were 450+ very similar accounts on the list when we started the profiling process, so it might have begun as a human wave of image board kids, but there is some sort automation at work here, which makes it interesting.

One of the strengths of our system is the ability to rapidly snapshot a group like this. We quickly collected 425 of them before they began to rename or self-suspend. We collect up to 3,200 tweets, up to 5,000 of those they follow as well as accounts following them, and we extract all mentions. Making a mention map with Gephi is typically our first step; social networks can be voluminous, while mentions are both bounded by the maximum tweet count as well as time stamped. This lets us see what activity the accounts are involved in, as well as slicing by time when appropriate.

425 NPC Bot Mentions
425 NPC Bot Mentions

These 425 sources mentioned 7,687 other accounts – a network motif we refer to as a “monkey pile”. Filtering out individual mentions left 2,333 other accounts, a 66% reduction in complexity. Sizing names by Eigenvector centrality permits us to see who they are messaging.

NPC Bot Targets
NPC Bot Targets

The @NPC691 account is key in this network and examining its timeline we see they are an early adopter of this particular meme – 72 hours before it became this general outburst.

@NPC691's First Tweet
@NPC691’s First Tweet

Collection on this took less than half an hour. If this were anything other than a harmless bit of fun, the 9,230 unique followers of these accounts are preserved, as are the 12,008 accounts they follow. We can see there are 4,793 accounts that are mutually following, so our 425 account sample may only be 10% of this total network.

Trying to do this by eye would be an impossible task. The ability to collect large amounts of information quickly and then rapidly analyze the take is key in an age of cyborgs and botnets mixing with a human operated account population.

Puzzling Over Boundaries

Much like the breakdown of Westphalian Sovereignty in the face of a well connected, easily traversed world, we are pondering just where the boundaries are on what we publish.

Best practices advice regarding Adversary Resistant Computing and Networking is broadly available, but highly variable in quality, and often not conditioned by real world experience. Communications Security advice is even more uneven. We might be educating bad actors by openly publishing, but the good guys are under the gun, and no white hat from inception thinks the way those of us who wear faded gray do. We’re going to put this content out there and count on the nonstop situational awareness required to truly excel keeping a lid on proliferation.

We publish studies on various groups, which can educate them in their failings, if they take the time to read. This is also conditioned on situational awareness and with information operations in particular, characterization is sterilizing sunlight. We use OSINT methods and release collected data in a form that facilitates others using it, but at this time the collection methods and software we use are not freely available.

Analytical Tradecraft is a matter of good systems and the right mindset to get teams using it effectively. There are guides out there, the CIA’s Psychology of Intelligence Analysis  being a well known example. There is no substitute for real world experience when it comes to Sanctioned Irregulars, and that is where we are strongest.

And Field Operations Tradecraft seems to be a bridge too far – we’re not in the business of teaching bad actors how to caper.

The you have it. @NetwarSystem provides a feed of posts here, from LinkedIn, and selected content from other sources. The contact page has advice on who is qualified as a customer and how to reach us. We look forward to hearing from those of you who truly need what we do.