I see you
Sandboxing files and detecting unexpected system behaviors is one of the best approaches to finding exploits. FireEye did it really well when they first came out with their network monitoring products. Watch a network, extract files, shove into a sandbox, explode, see what happens. They were credited with finding a ton of 0-day type events. Now, we can do the same with open source software.
Then you hear about malware that can detect it’s in a sandbox or a Virtual Machine. If it detects the virtual environment, then it doesn’t explode, doesn’t infect, doesn’t do the bad things. Then we invest money into figuring out how to hide the virtual host or sandbox from the malware. Arms race! Who can do it better. I hide, you detect, you hide, I detect. It’s one example of the cybersecurity arms race.
In traditional warfare, the winner of the arms race has a bigger gun. Well, a bigger stick, then a bigger rock, then a bigger bow, gun, missile, etc. There’s an end game there. The nukes. Whoever has the nukes is on top. Even when the foe has a nuke, the arms race can’t continue. We’re at a stalemate. Mutually assured destruction if we all use our nuclear arms. When we all have the biggest gun, none of us can use it. (Another blog post later about moving the traditional warfare to the cybers, but that’s for later.)
What’s the nuclear option for cyber warfare?
The closest thing I can think of for mutually assured destruction would be around taking down the Internet as a whole. It may not even be possible. Can someone wipe out all the core routers, heck, all the routers in the world? Is that the end? It makes me think of my favorite definition of envy (vs. jealousy). Jealousy is “I want what you have”... not totally bad, can help motivate someone, etc. Envy is “I want what you have, but since I don’t, you can’t have it either”. Going nuclear on the Internet would drastically affect every life on the planet (ok, maybe not every, but anyone who’s in a ‘civilized’ place). If it’s even possible…