Thread:
It was @JohnLaTwC who famously said:
“Attackers think in graphs. Defenders think in lists. As long as this is true, attackers win.”
If you’ve seen more than one of my talks, you might think I’m contractually obligated to include this quote in every talk I do.
It was @JohnLaTwC who famously said:
“Attackers think in graphs. Defenders think in lists. As long as this is true, attackers win.”
If you’ve seen more than one of my talks, you might think I’m contractually obligated to include this quote in every talk I do.
This quote means a lot to me. A LOT. Graph theory, to me, almost seems like it was invented solely for the information security field. Its purpose and reach is obviously waaaaaaay further than our field, but…
… we have BARELY scratched the surface of what’s possible with applied graph theory in information security. The core feature of #BloodHound is finding the shortest path between two nodes. The algorithm this is based on was first published in 1959.
If you think about it this way, infosec is actually playing catch-up with graph theory, and mathematics as a whole. In playing catch-up, there are fundamental concepts like falsifiability that so far have not really existed in our field yet.
More immediately, there are practical concepts we can apply to infosec very soon that I believe will pay huge dividends.
The most obvious is the graph concept of “reachability” - how many nodes can reach this node, or vice versa, and in how many steps?
Don’t be turned off by this 3 dollar word, “reachability”. Think about it in a more practical sense - how many computers can be compromised if this one particular computer is comprised? That’s what reachability means.
Graph theory enables this kind of measurement. And just like shortest path, there is existing literature and math to help us figure out how to calculate these things in polynomial time.
So what does that mean, practically? Remember the OMIGOD vuln? This bug let you get a root shell on an Azure-hosted Linux box. This bug has an associated CVE. The “impact” of that CVE is limited to the host.
Now: think about reachability again. Think about it in the context of OMIGOD. Think about it in the context of every Azure subscription hosting a Linux VM. The context of every tenant trusted by each sub. The context of each tenant that trusts each of those tenants. Etc.
The real impact of OMIGOD reaches far beyond the individual host. The real impact of EVERY bug reaches far beyond the affected host. That impact is measured as reachability.
Imagine the difference between a vanilla vulnerability management system and a modern attack path management system. The vulnerability management system tells you impact to the host. The attack path management system tells you the impact to the entire environment.
Now: imagine knowing the potential impact of such a bug before it’s even discovered. Imagine eliminating that impact before those bugs are discovered. Imagine *not giving a fuck* about CVEs anymore. That’s what graph theory and mathematics will deliver over the next 10 years.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
