Archive for the ‘HDMoore’s Law’ Category

DEF CON 19 Whoever Fights Monsters Q&A [No. Josh is not a member of Anonymous]

Will you be headed out to Vegas for this year’s MegaHackerWeek ? If so, I’d love to meet you.

I know some people get fatigued with the scene and some of these conferences, but I personally find the week incredibly valuable. Like with most things, you get out what you put in. Much like the RSA Conference does for the corporate/commercial side of the industry, this week in the desert is the heartbeat of the research and hacker community for the year.

While our challenges in security are tremendous, the intellectual potential in the hallways and bars of Vegas is humbling and inspiring. I look at this week as an asymmetric window of opportunity to:

    • determine the thrust and Zeitgeist of our demographic (in the now)
    • help to frame and set the tone for the next 12 months
    • challenge my various colleagues and teammates (and myself) out of respective ruts and comfort zones
    • meet new people and get to know people better in meat space
    • find new collaborators
    • stimulate new research topics and insights
    • eat bacon wrapped, almond stuffed dates (#BWASD) with red wine reduction and bleu cheese crumble

Bacon-Wrapped, Almond Stuffed Dates with Red Wine Reduction and Bleu Cheese Crumble

Highlights of Last Year

Here are a few of the things I fondly remember from last year:


At #BsidesLV in 2011, a few of us launched the beginning of acknowledging and studying the levels of fatigue and burnout in our industry and demographic. The room was honest and cathartic and intense. Seeing we had clearly struck a nerve, we later invested in the formal Maslach Burnout Inventory and presented more data at the RSA 2012 conference this spring. While there is much more to do, we’ve brought some of the challenges and support gaps to the surface and have started something needed. You can follow @SecBurnOut on twitter and the expanded IT Burnout Project. Many thanks to Jack Daniel, Dr. Stacy Thayer, KC Yerrid, Martin McKeay, and Gal Shpantzer who helped to kick-start the initiative.

Confronting Anonymous:

At DEF CON 19, we braved our “Whoever Fights Monsters” panel where we tackled the rise of Anonymous in a substantive way – perhaps for the first time. After Aaron Barr was legal-threatened off the panel and another quit fearing retaliation, we pulled together:

    • Joshua Corman (@joshcorman) <- me
    • Brian Martin / Jericho (@attritionorg)
    • “Baron von Arrrr” / Scot Terban (@krypt3ia)
    • Paul Roberts (@paulfroberts) <- As Moderator

The video of our panel and the more intense and meaningful audio of our Q&A room are both posted in the conclusion of our Building a Better Anonymous Series – which Jericho and I researched and wrote over this past year. The exchanges were so intense – and the press/industry/community knowledge was so poor – that we felt we had to drive this dialectic forward.

Winning Hacker Pyramid:

Somehow I went from watching 10,000 cent Hacker Pyramid to joining Dan Kaminsky in defending the crown. While Rogue Clown and Jayson Street were impressive and fought admirably in the final round, Dan and I squeaked out the win. This year, they are “in it to win it” and all manner of smack talk has already begun.

DEFCON19 HackerPyramid WINNERS via CoolAcid

HDMoore’s Law:

While technically born during Metricon 6 in San Francisco the Tuesday after DEF CON 19… a concept like HDMoore’s Law can really only be born after spending a week in Vegas, surrounded by brilliant hackers and pentesters, getting the bartender at the 303 party to pour HD Moore some stiffer cocktails while listening to nerdcore and then turning your brain inside out with a bunch of statisticians and risk professionals at a Metrics conference. While my brain felt as if it had been through an unnatural act, HDMoore’s Law turns out to have been a pretty useful concept – and many a practitioner is putting it into action in their environments.

Casual Attacker power grows at the rate of Metasploit

My Speaking Slots:

Tuesday, July 24 – 4:00 PM – Black Hat Executive Briefings (Caesars Palace)

Closing Panel – Analytical Response and Discussion

    • Joshua Corman
    • Rob Joyce
    • Rich Mogull
    • Kevin Overcash

After a full day of CISO briefings and discussions on this year’s Black Hat presentation themes, we’ll provide some broader context, framing and friendly debate – to help enhance the CISOs’ experiences throughout the rest of the week.

Tuesday, July 24 – 6:00 PM – CodenomiCON 2012 (Bellagio)

Unconventional Adversaries vs Conventional Wisdom

I’ll give a short but hard-hitting look at how two adversary classes have shattered a lot of security “conventional wisdom”.

Wednesday and Thursday, July 25 & 26 – #BSidesLV (The Artisan)

Interviews and Honey Badgers

Martin McKeay and I will be interviewing speakers and attendees on and off for most of the two days. I’ll also be giving away Honey Badger T-Shirts. There are far too few of you wearing Honey Badger T-Shirts. Find me or Martin.

Friday, July 27 – 8:00 PM (pretty sure) – Track 3 – DEFCON 20 (Rio)

25,000 cent Hacker Pyramid

Dan Kaminsky and I will attempt to retain the title.

Saturday, July 28 – 10:00 AM – Track 2 – DEFCON 20 (Rio)

World War 3.0 – Chaos, Control & The Battle for the Net

    • Michael J Gross – Moderator and author of World War 3.0 piece in Vanity Fair May 2012
    • Jeff Moss (The Dark Tangent)
    • Joshua Corman
    • Dan Kaminsky
    • Rod Beckstrom (playing the part of Vint Cerf)

This panel (FULL ABSTRACT) will build upon the Vanity Fair piece profiling these panelists and the escalating tension/conflict between forces of chaos and control – threatening a free and open internet. The December meetings of the ITU will likely bring these issues to a head. What role will the DEF CON community play in the coming months as this story and the fallout unfold?

Saturday, July 28 – 9:00 PM – Track 2 – DEFCON 20 (Rio)

FILM SCREENING and Q&A: We Are Legion by Brian Knappenberger

We’ll screen Brian’s documentary on Anonymous. I’ve seen an early cut and it was excellent. The film features several DEF CON speakers who will also do a Q&A after the film: Richard Thieme, Chris Wysopal (WeldPond), Jericho, myself, Biella Coleman and loads of Anonymous members. Here is the Trailer.


Be sure to:

    • hydrate
    • pace yourself
    • hydrate
    • meet NEW people
    • hydrate
    • see NEW speakers
    • hydrate
    • be diligent about “how can I bring this back with me and apply it?”

Hope to see you in Vegas!

HD Moore - Creator and Chief Architect of Metasploit and CSO of Rapid7

You Must Be THIS TALL To Ride

Most people understand “Moore’s Law”:

Compute power grows at the rate of doubling about every 2 years

At Metricon6, I asserted “HDMoore’s Law” version 1:

Casual Attacker power grows at the rate of Metasploit*

*HD Moore (@hdmoore) gave the industry the Metasploit Project in 2003 – a wildly successful and leveraged open-source penetration testing platform.

Perhaps the greatest value of this concept is that it is DEMONSTRABLE. While it won’t tell you that you’ve done “enough” to prevent breaches, it just might prove that you haven’t.


While this post is not about PCI DSS, the HDMoore’s Law concept came to me after a year of asking “Is PCI the ‘No Child Left Behind Act’ for IT Security?” and subsequently my intuitive allergy to the following two pervasive, thought-terminating clichés / platitudes… perhaps you’ve also heard them:

I know PCI won’t stop a determined attacker, but it will at least stop a casual attacker

Really? Will it? Is that still true? And second:

PCI is better than nothing – it at least raises the bar.

But has it raised the bar enough to matter? To stop even the least skilled adversaries?

Contrary to our wishes, “security” doesn’t grow linearly with our effort. With sentient adversaries seeking to steal valuable information, security gains are realized when a defender has done “enough” to deter/exhaust the resources of an actual attacker.

There was a time when less skilled, “casual attackers” may have had only one or two tricks up their sleeves. If you were patched, a casual attacker would simply “move on”… Metasploit and other tools have shattered this assumption and now the “enough” is a moving target.

Point. Click. Pwn.

The pointy-clicky nature of Metasploit and ever-growing expert contributions make it the ultimate script kiddie tool – and an even greater force multiplier in the hands of more talented individuals/teams.

“Enough” Security – Metasploit as table stakes:

One of the most prevalent questions in all of IT security has long been:

What is “enough” security?

Clearly the answer is “it depends” (on a number of factors), one of which is who is attacking us (which adversary classes?). If we use the latest version of Metasploit as a proxy for the lower bound of attack capacity of the least skilled “casual attacker”, then one can measure at any time whether you are “this tall to ride”. Put another way, to stop breach attempts from even our weakest adversary class, defensive power needs to meet or exceed parity with $today’s free version of Metasploit. If you cannot rise to HDMoore’s Law, it’s possible the only adversary you can fend off is the friendly-fire, self-imposed one.

In the few live, graphical presentations on it I’ve given thus far, the recognition of its value, utility, and implications was nearly instantaneous. I’ll attempt to show just a few here in this initial post by example – which will also aid in defining it.

HDMoore’s Law in Juxtaposition – Drop-Off Rates by Adversary Classes (weakest to strongest):

  • Auditor/Assessor – in the case of PCI, this is the QSA – by far the easiest attacker to reliably “make go away”. Though they do not cause breaches (let’s hope), CISOs often see them as their top threat.
  • Casual Attacker – this is an unskilled target agnostic attacker. This is the weakest class of adversary that actually causes breaches. HDMoore’s Law is a measurable proxy for this class, who get stronger as Metasploit adds new exploits, evasions, payloads, features and the like.
  • Chaotic Actors – this class of ideologically-fueled actors includes the likes of Anonymous and LulzSec and (with a few exceptions) is also fairly unskilled and tracks loosely to HDMoore’s Law. However, chaotic actors can be more determined and target-sticky. Consider them at 1.xx times the strength of HDMoore’s Law, but aimed at different asset types and seeking to shame, embarrass or DDoS targets rather than steal (e.g. credit card numbers).
  • Organized Crime – this financially motivated class recruits and cultivates serious hacking skills within economically rational parameters.
  • State Sponsored Espionage – with the power and resources of nation states behind them, this is a whole different ball of wax. When facing what some (kitten killers) call APT and I refer to as Adaptive Persistent Adversaries, the model is more a game of chess and war of attrition if this class of adversary is after your less replaceable assets.

HDMoore's Law: Attacker Drop-Offs by Adversary Class

I already acknowledge:

  • I’m certain this articulation is imperfect (there are things I don’t like about it)
  • I fully expect to iterate on the following visualizations
  • The concept that all adversary classes conform to the same continuum is an acknowledged and willful oversimplification
  • AND… it is still a valuable abstraction regardless
  • And yes… this is more of a Metasploit’s Law (as HDMoore’s personal prowess is “off the charts”) – but come on… HDMoore’s Law is far catchier

That’s enough for today… and I will be revisiting this topic as a building block concept.

A few departing seed questions for upcoming posts:

  • Exactly how fast is HDMoore’s Law growing and can we keep up?
  • Is your security program tall enough to ride?
  • How can an organization shift from ticking compliance boxes to measuring themselves against HDMoore’s Law?
  • How frequently should an organization measure themselves?
  • How can PCI DSS rationalize/adjust itself to stop any real adversaries?
  • What does HDMoore’s Law mean for the organizations Wendy Nather (@451wendy) calls “Living Below the Security Poverty Line“?

Put your program to the test.

Grab the free version of Metasploit (at least) and measure if you can handle HDMoore’s Law.
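As an added example (not code from this post or from the Metasploit project), one way to turn the “this tall to ride” test into a number: keep only the point-and-click exploit modules from Metasploit’s module metadata, count how many arrive per disclosure year (how fast the casual attacker grows), and intersect their CVE references with the CVEs your own scanner still reports open. The metadata shape (type, rank, disclosure_date and references keys, as in the framework’s db/modules_metadata_base.json) is assumed, and the sample entries, module names and CVE ids are constructed placeholders.

```python
from collections import Counter

# Msf::RankingName values: Excellent=600, Great=500, Good=400, Normal=300,
# Average=200, Low=100, Manual=0 (Manual modules need hand-tuning to work).
NORMAL_RANKING = 300
# Constructed sample shaped like metasploit-framework's db/modules_metadata_base.json
# after json.load (field names assumed); names and CVE ids are placeholders.
SAMPLE_METADATA = {
    "exploit/example/a": {"type": "exploit", "rank": 600, "disclosure_date": "2008-10-28",
                          "references": ["CVE-EXAMPLE-0001", "MSB-EXAMPLE"]},
    "exploit/example/b": {"type": "exploit", "rank": 500, "disclosure_date": "2011-03-02",
                          "references": ["CVE-EXAMPLE-0002"]},
    "exploit/example/c": {"type": "exploit", "rank": 0, "disclosure_date": "2011-09-15",
                          "references": ["CVE-EXAMPLE-0003"]},
    "exploit/example/d": {"type": "exploit", "rank": 300, "disclosure_date": "2012-05-20",
                          "references": ["CVE-EXAMPLE-0004"]},
    "auxiliary/example/s": {"type": "auxiliary", "rank": 300, "disclosure_date": "",
                            "references": ["CVE-EXAMPLE-0004"]},
}

def point_and_click_exploits(metadata, min_rank=NORMAL_RANKING):
    """Exploit modules a casual attacker can run unmodified (rank >= min_rank)."""
    return {name: m for name, m in metadata.items()
            if m.get("type") == "exploit" and m.get("rank", 0) >= min_rank}

def exploits_added_per_year(metadata, min_rank=NORMAL_RANKING):
    """How fast the casual attacker's arsenal grows, by disclosure year."""
    years = Counter()
    for m in point_and_click_exploits(metadata, min_rank).values():
        year = (m.get("disclosure_date") or "")[:4]
        if year.isdigit():
            years[int(year)] += 1
    return dict(sorted(years.items()))

def exposure(metadata, open_cves, min_rank=NORMAL_RANKING):
    """Map module -> CVEs it references that your scanner still reports open."""
    open_cves = {c.upper() for c in open_cves}
    hits = {}
    for name, m in point_and_click_exploits(metadata, min_rank).items():
        matched = sorted({r.upper() for r in m.get("references", [])} & open_cves)
        if matched:
            hits[name] = matched
    return hits

def tall_enough(metadata, open_cves, min_rank=NORMAL_RANKING):
    """True when no point-and-click exploit applies to an open vulnerability."""
    return not exposure(metadata, open_cves, min_rank)
```

Load the real metadata file with json.load and feed exposure() the CVE ids from your vulnerability scanner; any non-empty result means you are not yet tall enough, and lowering min_rank to 0 shows what a more determined, Manual-ranked-module-tuning adversary could reach.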