HD Moore - Creator and Chief Architect of Metasploit and CSO of Rapid7
You Must Be THIS TALL To Ride
Most people understand “Moore’s Law“:
Compute power grows at the rate of doubling about every 2 years
At Metricon6, I asserted “HDMoore’s Law” version 1:
Casual Attacker power grows at the rate of Metasploit*
*HD Moore (@hdmoore) gave the industry the Metasploit Project in 2003 – a wildly successful and leveraged open-source penetration testing platform.
Perhaps the greatest value of this concept is it is DEMONSTRABLE. While it won’t tell you you’ve done “enough” to prevent breaches, it just might prove if you haven’t.
Genesis:
While this post is not about PCI DSS, HDMoore’s Law concept came to me after a year of me asking “Is PCI the ‘No Child Left Behind Act’ for IT Security?” and subsequently my intuitive allergy to the following two pervasive, thought terminating clichés / platitudes… perhaps you’ve also heard them:
I know PCI won’t stop a determined attacker, but it will at least stop a casual attacker…
Really? Will it? Is that still true? and second:
PCI is better than nothing – it at least raises the bar.
But has it raised the bar enough to matter? to stop even the least skilled adversaries?
Contrary to our wishes, “security” doesn’t grow linearly with our effort. With sentient adversaries seeking to steal valuable information, security gains are realized when a defender has done “enough” to deter/exhaust the resources of an actual attacker.
There was a time when less skilled, “casual attackers” may have had only one or two tricks up their sleeves. If you were patched, a casual attacker would simply “move on”… Metasploit and other tools have shattered this assumption and now the “enough” is a moving target.
Point. Click. Pwn.
The pointy-clicky nature of Metasploit and ever-growing expert contributions makes it the ultimate script kiddie tool – and an greater force multiplier in the hands of more talented individuals/teams.
“Enough” Security – Metasploit as table stakes:
One of the most prevalent questions in all of IT security has long been:
What is “enough” security?
Clearly the answer is “it depends” (on a number of factors). One of which is Who is attacking us (which adversary classes?). If we use the latest version of Metasploit as a proxy for the lower bounds of attack capacity for the least skilled “casual attacker”, then one can measure at any time that you must be “this tall to ride”. Put another way, to stop breach attempts from even our weakest adversary class, defensive power needs to meet or exceed parity with $today’s free version of Metasploit. If you cannot rise to HDMoore’s Law, it’s possible the only adversary you can fend off is the friendly-fire, self-imposed one.
In the few live, graphical presentations on it I’ve given thus far, the recognition of its value, utility, and implications was nearly instantaneous. I’ll attempt to show just a few here in this initial post by example – which will also aid in defining it.
HDMoore’s Law in Juxtaposition – Drop-Off Rates by Adversary Classes (weakest to strongest):
- Auditor/Assessor – in the case of PCI, this is the QSA – by far the easiest attacker to reliably “make go away”. Though they do not cause breaches (let’s hope), CISOs often see them as their top threat.
- Casual Attacker – this is an unskilled target agnostic attacker. This is the weakest class of adversary that actually causes breaches. HDMoore’s Law is a measurable proxy for this class, who get stronger as Metasploit adds new exploits, evasions, payloads, features and the like.
- Chaotic Actors – this class of ideoligically-fueled actors includes the likes of Anonymous and LulzSec and (with a few exceptions) is also fairly unskilled and tracks loosely to HDMoore’s Law. However, chaotic actors can be more determined and target-sticky. Consider them at 1.xx times the strength of HDMoore’s Law, but aimed at different asset types and seek to shame, embarrass, DDOS, targets rather than steal (e.g. credit card numbers).
- Organized Crime – this financially motivated class recruits and cultivates serious hacking skills within economically rational parameters.
- State Sponsored Espionage – with the power and resources of nation states behind them this is a whole different ball of wax, When facing what some (kitten killers) call APT and I refer to as Adaptive Persistent Adversaries, the model is more a game of chess and war of attrition if this class of adversary is after your less replaceable assets.
HDMoore's Law: Attacker Drop-Offs by Adversary Class
I already acknowledge:
- I’m certain this articulation is imperfect (there are things I don’t like about it)
- I fully expect to iterate on the following visualizations
- The concept that all adversary classes conform to the same continuum is an acknowledged and willful oversimplification
- AND… it is still a valuable abstraction regardless
- And yes… this is more of a Metasploit’s Law (as HDMoore’s personal prowess is “off the charts) – but come on… HDMoore’s Law is far catchier
That’s enough for today… and I will be revisiting this topic as a building block concept.
A few departing seed questions for upcoming posts:
- Exactly how fast is HDMoore’s Law growing and can we keep up?
- Is your Security program tall enough to ride?
- How can an organization shift from ticking compliance boxes to measuring themselves against HDMoore’s Law?
- How frequently should an organization measure themselves?
- How can PCI DSS rationalize/adjust itself to stop any real adversaries?
- What does HDMoore’s Law mean for the organizations Wendy Nather (@451wendy) calls “Living Below the Security Poverty Line“?
Put your program to the test.
Grab the free version of Metasploit (at least) and measure if you can handle HDMoore’s Law.
Cognitive Dissidents 
[…] co-worker, and HD Moore, creator of Metasploit and Rapid7 CTO. Josh came up with the idea of HD Moore’s Law a couple of months ago, the idea that the strength of the casual attacker is roughly equivalent to […]
[…] co-worker, and HD Moore, creator of Metasploit and Rapid7 CTO. Josh came up with the idea of HD Moore’s Law a couple of months ago, the idea that the strength of the casual attacker is roughly equivalent to […]
I will ponder the model. It certainly seems useful for articulating the conditions surrounding the ever-advancing arsenal of the attackers in juxtaposition to the stagnation without weaponization of the auditors.
It would be worthwhile to evaluate how the graphs change with the introduction of Risk. For example, as drawn, the curve for each attacker class seems to represent the rate of ABILITY for success (i.e., potential) — not the actual success rate. The actual success rate would be a combination of ability and RISK (read: probability, if you like).
(A partial proof being that surely not every organization that has installed only a smattering of “SecureOns” (e.g., only enough to pass an audit, therefore to the left of the HDMoore’s Law dotted line) will experience 100% of success (failure) for each and every attacker class? If this were true, nearly every business would have lost everything already.)
I encourage exploration of factoring in risk, not because I think it changes the major points, but because we know that many organizations argue (overly-rationalize) that once the attack curve is multiplied by the risk probability, at a quantity of SecureOns just greater than the audit level, the actual risk of success (failure) tends toward zero. If one expects that this is false, the graph needs to address.
Josh, what this “minimum bar” line of thinking advocates is some form of government regulation. I like to think of it like car insurance. Although I wasn’t around to know what it was like before insurance was mandated, I would imagine that people thought “what do I need insurance for, I won’t get in any accidents”. But inevitably accidents happen and no amount of car safety features (security) can completely prevent it from occurring.
So like security spending people needed to be told that they have to have insurance to drive on the road (have internet connected sites). Not to protect themselves from loss (although this is a nice side benefit), but to protect others from the losses of their data/trust.
Now the question, which your thoughts take a good shot at addressing, is how much is that minimum bar that can be regulated – and how can it slide with the increasing threat? More than auto accidents, threats to security are intentional.
I’m testing my own theory. More on that at the end.
Some thoughts:
– Does an attacker, in aggregate, remain casual if he uses a sophisticated tool? For example, if my casual motivations are combined with a rocket launcher, did I just become an advanced threat? Does it matter if my IQ is 80 if I can pull the trigger?
– How is this concept fundamentally different than the one expressed in the old Carnegie Mellon chart, demonstrating that the development of tools puts sophisticated attacks in the hands of less sophisticated attackers? (thus increasing their capability, making the attack more widespread) An add on?
– Can you really pin a standard of competency (if you can beat Metasploit, you’re good…or something) on a moving target like modules available for Metasploit. If HD (or others) feels like it, he adds certain modules (like Google Aurora) within hours of discovery. Other times it takes longer to get a new attack in there. In that first case there was no reasonable defense (can’t patch something for which there is no patch, not going to stop all web traffic or disable all IE browsers in an organization). Ok, perhaps upgrading from IE 6.0 is a response, but you get the idea, the real “unknown unknowns” are a problem, independent of Metasploit, and lack of defensibility against them not a real measure of preparedness.
– How do you determine that organized crime or other actors are more sophisticated than automated attacks in Metasploit? There have been a handful of examples where the cart has been pulling the horse (code directly copied from Metasploit modules used in an attack (ex: AintItCool.com, etc.)).
– Given that an advanced user of Metasploit is different than one that blasts away at an IP (and likely triggers some manner of IDS alerts, which maybe the sleepy SOC operator won’t miss), can Metasploit usage be used as such a constant?
Acknowledging that PCI has its many, many, many flaws, is the point to say this is a better benchmark?
My theory is a hypothesis around your actual desire to get feedback.
I’m joking btw, pressed for it I have no actual feedback theory.
Slide 5 for the classic “attacker sophistication v. tools” chart: http://www.cert.org/archive/ppt/cyberterror.ppt
[…] conversation with HD Moore and Josh Corman was a good thing. Getting the ideas of “HD Moore’s Law“, the security poverty line and security debt out there so other people can beat on the […]
Hi HD
Enjoyed your blog entry and associated thinking. My colleagues and I worked along similar lines re the HDMoore’s Law: Attacker Drop-Offs by Adversary Class graph: we called it “Mission Assurance Curve”.
Have a look if you like: http://www.slideshare.net/daniel_bilar/da-9747843
Have a great day
Daniel
[…] Josh Corman came up with the term H.D. Moore’s Law at metricon and wrote up a great follow up post on it. His assertion goes like this: “Casual Attacker power grows at the rate of […]
[…] Metricon6 and later on his blog Cognitive Dissidents, Joshua Corman presented his latest discovery – HD Moore’s Law: “Casual Attacker […]
[…] firmato Joshua Corman. […]
[…] Mike Murray’s 2009 Hardest Career (or Geer’s why it’s the most challenging) and finally HDMoore’s Law. Then wrap it up with a review of anything tagged #cyber, #APT or […]
[…] Corman wrote a post entitled HD Moore’s Law in which he raises some valid points around the fact that tools like Metasploit make it incredibly […]
[…] is a black art and a pentest+patch doesn’t show if the organization is 90 % done or 1 % done. HDMoore’s Law could be such a test (works without Rugged too of course). How to actually test against Metasploit […]
[…] Post from Josh Corman on HD Moore’s Law […]
[…] Corman wrote a post entitled HD Moore’s Law in which he raises some valid points around the fact that tools like Metasploit make it […]
[…] as Metasploit. Joshua Corman, Director of Security Intelligence at Akamai, humorously calls this HD Moore’s Law (after Metasploit’s creator, HD Moore). If your security doesn’t protect against a casual […]
[…] advanced attack techniques are commoditized, as described by HD Moore’s Law, the wider attacker community adopts the attacks. There are certainly more advanced attacks we […]
[…] For a full overview of HDMoore’s law and the though process behind it I would point you to the Cognitive Dissedents blog –> https://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/ […]
[…] vulnerabilities exploitable with MetaSploit modules. Josh Corman expanded on this quite a bit with HD Moore’s Law. We built this feature to weed this out of your environment and allow you to hit above the Mendoza […]
[…] of ideas hit me two days ago. Somehow the idea of Alex Hutton’s and Josh Corman’s “HDMoore’s Law” (an InfoSec bastardization of the “Mendoza Line”) combined with having just chatted quickly […]
[…] important to remember is HD Moore’s Law (based on a bad pun), which essentially says that even casual attackers have powerful tools which […]
[…] in our environment.”. He commented that it was a module in Metasploit. Ah, so it was below HDMoore’s line. I asked him how certain simple controls we had in place would mitigate it. His reply, it would […]
[…] the talk, I do have to agree with both Alex Hutton and Josh Corman that HD Moore’s law resonates more with our audience. Perhaps I could create a hockey analogy for the next time […]
[…] The minimum measure of technical endpoint security due care can be viewed as the ability to protect them from generally available and easily used attack methods, practices, tools, and techniques, as well as exploitation of well-known vulnerabilities. Josh Corman, director of threat intelligence at Akamai, does an excellent job of explaining this concept in what he commonly refers to as "HD Moore's Law." […]
[…] in 2011, @joshcorman posited “HD Moore’s Law” which is […]
[…] HDMoore’s Law: Casual attacker power grows at the rate of Metasploit. This observation was especially interesting: not only do defenders have to worry about an increase in vulnerabilities but they need to worry about an increase in baseline attacker sophistication, as open-source security-analysis tools grow in capability and complexity. […]
My biggest issue with PCI is it doesn’t necessarily impart the necessary skills and work ethic into people to make them more It\general security conscious. You can rollout Watchguard XTM or Sophos Antivirus and even follow them up with good policies but you can’t instil into people the ability to be mindful of wants happening around you or the consequences of your own actions.
If people realised that leaving their PC’s unlocked or were watching for the person who kept putting printouts in their bag or the IT tech who thought does it matter if I don’t get around to closing that unused port. I think security would be a much easier practice if you could easily fix these people problems.
[…] with the release of a Metasploit exploit module for CVE-2013-3893. If you’re a believer in HD Moore’s Law, a theory proposed by Josh Corman of Akamai that mirrors Moore’s Law of computing in that casual […]
[…] with the release of a Metasploit exploit module for CVE-2013-3893. If you’re a believer in HD Moore’s Law, a theory proposed by Josh Corman of Akamai that mirrors Moore’s Law of computing in that casual […]