
Between Two Nerds: What the CrowdStrike outage teaches us about cyber war

2024/7/29

Risky Business News


The discussion explores the implications of the CrowdStrike outage, comparing it to potential cyber warfare scenarios and questioning the effectiveness of such attacks.


Hello everyone, this is Tom Uren. I'm here with, as per usual, the Grugq for another Between Two Nerds discussion. G'day, Grugq, how are you? G'day, Tom. Fine and yourself? I'm well. This week's episode is brought to you by Tines. And I have on the channel this week a discussion with Thomas Kinsella of Tines about exactly what AI is good for when it comes to cybersecurity automation.

So, Grugq, nothing much happened this week. Yeah, it's a bit of a snoozer. So it's not as if a security company pushed out an update that took out eight and a half million computers or anything like that. But what we thought we'd talk about actually is that incident is like a little vignette of maybe what some people imagine cyber war could be. And so we're going to dive into the take home message from that.

Now, if people don't know, it was actually not a huge number of computers in the scheme of things. So I think eight and a half million Windows computers. Windows, there's over a billion Windows devices. So a small fraction, but it did have pretty significant impact, I thought, in that some important companies that do stuff for people were running CrowdStrike and they ended up, or parts of their operations ended up dead in the water. And some of those had ripple effects. I guess most notably Delta. Second order effects. Yeah. Delta, the airline is still struggling. But I guess you've got a contrarian take.

Okay, so as you said, 8.5, it's not a lot. I mean, it's not nothing. Well, it would take me a long time to count to 8.5 million. So it is absolutely a large number, but relative to the totality of Windows, small number. Right. But I think that the thing that we've seen is that home office prices computers tend not to have enterprise security solutions installed in them, whereas important mission-critical systems do. So I think that there's sort of a bit of an outsized bias for critical systems. Right. Enterprise EDR is definitely the place you would have an outsized impact, I guess. Right. So it was definitely tilted towards proper disruption. Yeah.

And I think that if we were to consider this a cyber attack, for example, with that sort of scope, we would be hard pressed to find an adversary who could actually do that, who could pull off a simultaneous attack against all the airlines, hospitals, banks, you know, so many different groups.

Sort of critical parts of society. One take-home message might be, if you're an adversary, the place to attack is in fact security vendors. Because, you know, here's a perfect demonstration of you do something bad at one vendor and you could potentially have these outsized effects. Is that what you're arguing? Absolutely. Absolutely.

It reminds me actually of the Veracode study, which showed that the security companies had the worst code quality overall out of all of the software verticals. But I think what this shows is that cyber attacks by themselves as a standalone capability are just, they're not very impressive. They're not very useful. They don't get that much for you. If we look at the concept of cyber terrorism, this would be a cyber terrorist attack that... And so what? It lasted a few days, not even. It was clearly not great.

But it's not exactly disrupting civilization. I think the way I would describe it is it's not an existential threat to any country. So in terms of an adversary using it to try and coerce, you're going to get nowhere. And I would say it's not even an existential threat to any company. Right. So the Sony attack of over a decade ago, where the DPRK, the Guardians of the Peace, a whole bunch of emails and internal documents and sort of threatened Sony not to release a particular film whose name I forget because it was a... The Interview. Yeah, it was a forgettable film. All of that I think was more disruptive. Like I think ransomware overall is more disruptive than this attack against any particular company. I mean, in effect, it is like a ransomware attack, except you can get the key just by deleting a file. Right, right. That's easier to recover from.

In a way, I'd say it's fairly comparable in some ways in that you have to physically visit every device that was impacted and physically reboot it sort of manually at the keyboard, which is a very long and slow recovery process. So you're arguing, okay, this kind of disruptive widespread cyber attack is just no good because it is too short. It's disruptive, but it's not disruptive and long lasting enough. Okay. So I'm a bad state. Yeah. I managed to compromise some EDR type platform. One of the hacks I looked at a while ago, they used, might have been Kaspersky, but whatever the antivirus product was on that computer to encrypt all the devices. And then they just threw away the key. So it was Guacamaya, the hacktivist group in South America.

So they actually rinsed this network three different times and effectively deployed ransomware using three different methods. And one of them was either the antivirus, maybe one of them was also Windows BitLocker. That sounds plausible. I guess my point is that if you were actually malicious and you managed to gain that kind of access... It could be worse. Yeah, it could be worse. So maybe what the lesson should be is that this is just a foreshadowing of how bad it could be. But I think... I disagree. I still disagree. I think it could be worse, but it would only add like a day or two. Companies are getting pretty good at recovering from IT disasters. Things like this, this incident... actually make cyber less effective in the future. Because companies get better at it. Right. They realize that there's a real threat. And yeah, suddenly backups become like, actually, let's start testing those. And recovery procedures go from the thing that someone wrote in 1993 that's been in a book left somewhere to, right, we should probably do some tabletop exercises and make sure that we're ready for whatever comes next. And so, in fact, you're saying that this incident is a good thing.

This is a good thing. Good on CrowdStrike. Well done, sir. You're making us more resilient to cyber war. The self-sacrifice that they have demonstrated by putting their company profits, their shareholder price on the line just to improve our security is truly amazing. Above and beyond. So, I mean... I just, I don't think cyber is useful individually as a standalone capability. I think that what makes cyber useful is that it allows you to disrupt and impact systems, that you can use cyber to gain access to a system and manipulate it. And if that's what you're trying to do, then cyber is useful. But if you're just using it to cyber the cybers, it's transient and it's not important and it doesn't really do anything. And I think that that's the key distinction, is that if you look at, like, oh, I'm going to interfere with all the traffic lights, I mean, yeah, that sucks, but it's kind of, so what? Right. So you're saying, uh, it's disruptive, but on its own it's not decisive.

Right. Well, I'd say that it's damn annoying. So also this week, there was a Dragos report about some malware that they called FrostyGoop, which is a great name, actually, for malware. The story is it was deployed into Ukraine and it affected the heating of apartment buildings in Lviv. Yeah, Lviv. Which is a city in, is it the west of Ukraine? Near the Polish border, perhaps? It is, yes. And so it was an ICS protocol that they abused, I guess. Modbus. The thing that leapt out at me is that according to this CyberScoop report, the actors were in the network for 10 months before the attack. And it says the attack is then spent. How many, sorry, just so 10 months and then how many weeks of ice-cold apartments that these people have. Two days. Two days. Two days. Okay. So it was, okay, so here's the balance. Ten months. It says in the article that they spent the remainder of the year conducting various tasks to set up the attack, including obtaining user credentials for the energy system.

And it was 600 apartment buildings in two days. And my first thought was, that's a terrible return on investment. Now, of course, they're not 10 months. Well, look at it like this. If you are in the military and you could spend 10 months working on a project or get sent to the front for 10 months...

Like, which would you rather do? Like, yeah, working on it, working on it. This heating thing is really kicking my ass. Going to need more time, boss. Okay, so on the one hand, that seems like a terrible return on investment. Now, I'm sure they weren't working full-time, hands-on keyboards that entire 10 months. That wasn't hammer and tongs, full at it, I mean that would be really embarrassing. On the other hand what's your alternative? What other way are you going to turn off the heating? For only two days that would be difficult but you'd have to do it for a lot longer so I can see why you might...

I could see why you might want to choose cyber if you want something that's easily reversible and simple to stop and is going to be less effective the next time you want to use it. Which I believe is most of the things that you look for during wartime. You want a munition that is going to be sort of trivial to stop, have low impact, take a 10-month lead time, have a very sort of narrow scope, like 600 apartment blocks. Like 600 apartments, that sounds like a couple of buildings, right? Or even just sort of one. 600 apartment buildings, so that's potentially a lot of people. Yeah, yeah. Right. And so, I mean, I think if you've got a particular purpose where switching off the heating is useful, I think this is actually... Yes. It could be that this was a really valuable operation. Right. So the way I would look at it is, I mean, exactly as you said, it's if, for example, you needed to gain access to someone's apartment and you... So it wouldn't work during wartime, but hypothetically...

It's just the wrong tool for the job. But if what you wanted to do was gain access to someone's apartment, you could turn off the heat for the entire building, then send everyone a message saying there's a problem with the heating, everyone has to evacuate, and we're going to have someone come in and fix it. And then when people leave, you send in your guy dressed as a repairman, to go and fix it by breaking into an apartment and getting the thing, right? Which is, I mean, it's kind of noisy, but as a means to an end, it makes sense. As an end, it does not. That's what I'm... Yeah. I think that's my takeaway. And so, I mean, this attack took place in winter, so it's freezing cold. It's not a trivial thing to live in an apartment without heating when it is minus whatever. Right. But in terms of, again, at the level of influencing a state, it's meaningless. Right.

But if you've got that particular narrow purpose of, you know, you're hypothetical of getting into an apartment or whatever, you can come up with any sort of number of James Bond, Mission Impossible style theoretical. Yeah. I mean, so here's another counter take on this. Maybe cyber is useful because unlike strategic bombing, it doesn't turn the civilian population against you in the same way.

So it doesn't have the same uniting effect that, for example, the Blitz had on the English. If instead of their buildings getting blown up and their neighbors getting killed, they were inconvenienced for a couple of days every now and then, it might not have the same unifying effect. Right.

So now we're relitigating World War II and the Blitz. All I'm saying is that if the... If only the Nazis had had cyber. Yeah, it would not have had the same strategic impact. You can harass the civilian population without uniting them as a unit against you.

by just being annoying as opposed to deadly. Right. So, I mean, I'm not sure that that would actually work because as soon as they know they're being attacked, that's basically going to do it. But, you know, maybe you just want to harass them without having them create a unified block against you. So, yeah, this might be the, in terms of the strategic cyber war theory, this might be it. Okay, so let's step back a second and put on our PRC state cyber hats. Do you think what's going on with CrowdStrike has any lessons for someone who's thinking about Volt Typhoon as an operation? And so just to explain briefly, Volt Typhoon is the compromise of US critical infrastructure. It appears to be for the purpose of disruption in the event of a conflict situation, perhaps over Taiwan. And so the PRC has been doing this for a number of years. And in the last year or so, the US has been publicizing that it's happening, talking about it, trying to get people motivated to kick them off their networks. So does this have any lessons for whoever's running Volt Typhoon? Or for the US, for that matter? Yeah, you know, that's an interesting question, because I think that they are approaching it slightly differently. Yeah.

And that when they're deploying, when they're setting this thing up, that's a means to an end. Their goal is not take out all of the electricity for the U.S. so that the U.S. has no electricity. That's not their objective. Their objective is either disrupt things so much that the U.S. takes several days to respond or interfere with the ability of the U.S. to do command and control or some other, some sort of reaction capability. They're trying to delay the US response so that they have additional time to do their thing before the US shows up. And it's not clear to me that that would work because I don't think... the military cares about any of the infrastructure that... It's a bit hard to know. Like, the US has definitely talked about Volt Typhoon, but it tends to keep it under the umbrella of US critical infrastructure. Sometimes there have been reports that it has been focused on Guam and telecommunications. Other times there's mentions of US logistics. So that does seem to me like what you say. There's hints that it's targeted at a way to interrupt or disrupt the US military response. It might take the US more than 24 hours to deploy a Burger King to anywhere in the world. That's right. Right.

I mean, like, I don't think you can quite grasp the size of the U.S. approach. Like, during World War II, they built 151 aircraft carriers. Like, 151, right? They had five ships that made ice cream for the island-hopping campaign so that the troops who were fighting in the jungles could have ice cream. Like...

Like the Japanese were starving to death and malnourished and the US troops were complaining because their ice cream was melting too fast. Like the logistics is something else.

But yeah, so I think that they're trying to do a specific thing, right? They're not just trying to annoy people for the sake of annoying people. And they're not just trying to disrupt for disruption's sake. They have a specific goal in mind and that cyber becomes a means to an end. It's not the end, right? That disruption, it helps them achieve something else. And I think cyber is very, very useful for that, right? It's as an enabler.

It can be useful. I don't know if it's that useful in this case, because I don't know that cyber is sort of on the critical path for any of the things that actually matter in terms of a rapid military response. Right. I feel that the army is probably aware of that and has some redundancy and some backups. So the US military forces don't run on computers, they run on orders. Yes. And trump computers at times. Even if computer says no, general can say yes. Exactly, exactly. And that's absolutely worth keeping in mind is that this is a very pro-cyber podcast. But it's got to be the right place in the right time. Yeah, you know, I think you need to be realistic because you can do so much more with it if you're not viewing it as a sort of substitute for a nuclear weapon that can be reversed.

Or if you don't view it as like, oh, it's just, it's exactly the same as artillery fire, but better because it can go further. Like if you, if you break out of that paradigm, you can start seeing like how you can use it to disrupt or interfere or manipulate larger systems that are much more interesting.

So the Yandex hack, I'm going to bring it up again. So the Yandex hack was in September of 2022, and there's a Yandex taxi application, which is sort of an Uber for taxis. So this was in Moscow. And what happened was someone or someones created a large number, hundreds and hundreds of ride requests, all at the exact same location. And so all of these different drivers accepted the ride request to go and pick up someone.

And it caused a huge traffic jam. And so it took hours and hours to clear. It seriously disrupted the operation of Yandex taxi, et cetera, et cetera. Now, that very much falls into our so what category in that it didn't have any higher purpose. It was just disruption for disruption's sake. Unless James Bond was there. Right. Or Ethan Hunt, is it?

Yeah, so there was a Mission Impossible campaign going on at the time, and they had to block Yandex Taxi. Well, they had to make sure someone didn't catch a taxi at a particular time. There you go. That's the plot. Right, there you go. It could have been a means to an end, but the thing I find interesting is just how basic the attack was in terms of its mechanics of just creating requests for... But how outsized the impact was because it was attacking the Yandex taxi system, not the cyber. It wasn't the computers of Yandex taxi. It was the system of Yandex taxi where the processes, the people and the technology altogether created that situation and made it difficult to resolve.

And I think that sort of approach of looking at, you know, how can we disrupt something overall and use cyber as a means to achieve something that has an outsized impact for what you're doing, that can be useful. You know, I absolutely believe that, but I don't think it's a standalone. Yeah, yeah. It always seems that it's easy to know with hindsight, right?

Oh, yeah, absolutely. What the key thing would be. Now, I guess in a hypothetical, Ethan Hunt needs to stop all the taxis in Moscow. That is actually a pretty, like, you know, that would come to mind, I think, within five minutes. Right. But, you know, without knowing what the particular purpose is, I would guess that a lot of the time it's not obvious how you would use that kind of capability beforehand. And therefore it makes me wonder how useful it could be.

Right. Well, I think the, so this is one of the things is with systems, the critical variable is discovered retroactively. So CrowdStrike has now discovered that if you have a bug in your parser and you deploy a file that causes it to read from uninitialized memory, it could in some cases cause the computer to crash and start bootlooping, which, you know, we know that now, so that's a good thing. And so there's this thing of like you learn about what went wrong after it went wrong, and that's great. And it's much harder to do it the other way around. Yeah, yeah. So this is in fact perfect for us because that means that we can retroactively discuss all these things with a huge amount of insight. There you go. Hindsight is 50-50. Yeah.

Thanks a lot, guys. Thanks a lot, Tom.