HD Moore - Creator and Chief Architect of Metasploit and CSO of Rapid7

You Must Be THIS TALL To Ride

Most people understand “Moore’s Law”:

Compute power doubles roughly every 2 years

At Metricon6, I asserted “HDMoore’s Law” version 1:

Casual Attacker power grows at the rate of Metasploit*

*HD Moore (@hdmoore) gave the industry the Metasploit Project in 2003 – a wildly successful and leveraged open-source penetration testing platform.

Perhaps the greatest value of this concept is that it is DEMONSTRABLE. While it won’t tell you that you’ve done “enough” to prevent breaches, it just might prove that you haven’t.

While this post is not about PCI DSS, the HDMoore’s Law concept came to me after a year of asking “Is PCI the ‘No Child Left Behind Act’ for IT Security?” and of my intuitive allergy to the following two pervasive, thought-terminating clichés / platitudes… perhaps you’ve also heard them:

I know PCI won’t stop a determined attacker, but it will at least stop a casual attacker

Really? Will it? Is that still true? And second:

PCI is better than nothing – it at least raises the bar.

But has it raised the bar enough to matter? Enough to stop even the least skilled adversaries?

Contrary to our wishes, “security” doesn’t grow linearly with our effort. With sentient adversaries seeking to steal valuable information, security gains are realized when a defender has done “enough” to deter/exhaust the resources of an actual attacker.

There was a time when less skilled, “casual attackers” may have had only one or two tricks up their sleeves. If you were patched against those, a casual attacker would simply “move on”… Metasploit and other tools have shattered this assumption, and now “enough” is a moving target.

Point. Click. Pwn.

The pointy-clicky nature of Metasploit and its ever-growing expert contributions make it the ultimate script kiddie tool – and an even greater force multiplier in the hands of more talented individuals/teams.

“Enough” Security – Metasploit as table stakes:

One of the most prevalent questions in all of IT security has long been:

What is “enough” security?

Clearly the answer is “it depends” (on a number of factors). One of those factors is who is attacking us (which adversary classes?). If we use the latest version of Metasploit as a proxy for the lower bound of attack capacity of the least skilled “casual attacker”, then one can measure at any time whether you are “this tall to ride”. Put another way, to stop breach attempts from even our weakest adversary class, defensive power needs to meet or exceed parity with $today’s free version of Metasploit. If you cannot rise to HDMoore’s Law, it’s possible the only adversary you can fend off is the friendly-fire, self-imposed one.

In the few live, graphical presentations I’ve given on it thus far, recognition of its value, utility, and implications was nearly instantaneous. I’ll attempt to show just a few of them here in this initial post by example – which will also aid in defining it.

HDMoore’s Law in Juxtaposition – Drop-Off Rates by Adversary Classes (weakest to strongest):

  • Auditor/Assessor – in the case of PCI, this is the QSA – by far the easiest attacker to reliably “make go away”. Though they do not cause breaches (let’s hope), CISOs often see them as their top threat.
  • Casual Attacker – this is an unskilled, target-agnostic attacker. This is the weakest class of adversary that actually causes breaches. HDMoore’s Law is a measurable proxy for this class, who get stronger as Metasploit adds new exploits, evasions, payloads, features and the like.
  • Chaotic Actors – this class of ideologically fueled actors includes the likes of Anonymous and LulzSec and (with a few exceptions) is also fairly unskilled and tracks loosely to HDMoore’s Law. However, chaotic actors can be more determined and target-sticky. Consider them at 1.xx times the strength of HDMoore’s Law, but aimed at different asset types: they seek to shame, embarrass, or DDoS targets rather than steal (e.g. credit card numbers).
  • Organized Crime – this financially motivated class recruits and cultivates serious hacking skills within economically rational parameters.
  • State Sponsored Espionage – with the power and resources of nation states behind them, this is a whole different ball of wax. When facing what some (kitten killers) call APT and I refer to as Adaptive Persistent Adversaries, the model is more a game of chess and a war of attrition if this class of adversary is after your less replaceable assets.

[Figure: HDMoore's Law: Attacker Drop-Offs by Adversary Class]

I already acknowledge:

  • I’m certain this articulation is imperfect (there are things I don’t like about it)
  • I fully expect to iterate on the following visualizations
  • The concept that all adversary classes conform to the same continuum is an acknowledged and willful oversimplification
  • AND… it is still a valuable abstraction regardless
  • And yes… this is more of a “Metasploit’s Law” (as HD Moore’s personal prowess is “off the charts”) – but come on… HDMoore’s Law is far catchier

That’s enough for today… and I will be revisiting this topic as a building block concept.

A few departing seed questions for upcoming posts:

  • Exactly how fast is HDMoore’s Law growing and can we keep up?
  • Is your security program tall enough to ride?
  • How can an organization shift from ticking compliance boxes to measuring itself against HDMoore’s Law?
  • How frequently should an organization measure itself?
  • How can PCI DSS rationalize/adjust itself to stop any real adversaries?
  • What does HDMoore’s Law mean for the organizations Wendy Nather (@451wendy) calls “Living Below the Security Poverty Line”?

Put your program to the test.

Grab the free version of Metasploit (at least) and measure whether you can handle HDMoore’s Law.