MonsterMind – Snowden reveals the US proactive defense system

Snowden revealed the existence of the MonsterMind system developed by the NSA to automatically mitigate and respond cyber attacks.

In his last interview Edward Snowden explained the risks related to use of automated attacks in response to the offensive against the US. Many experts identify with the term proactive defense the possibility to respond instantaneously and in an automated manner a cyber attack, Snowden explained that the US Government is developing a system, codenamed as MonsterMind, that is able to automatically reply to the cyber attacks against the US, but that they can fail in the identification of the source of attacks. A wrong attribution could cause serious problems for intermediate nations, those countries that host compromised systems used in the offensive or that host computers whose IP have been spoofed by bad actors.

“The NSA whistleblower says the agency is developing a cyber defense system that would instantly and autonomously neutralize foreign cyberattacks against the US, and could be used to launch retaliatory strikes as well. The program, called MonsterMind, raises fresh concerns about privacy and the government’s policies around offensive digital attacks.” states Wired Magazine.

Imagine that Russia decides to run a DDoS attack against US systems, but that the attacker is able to spoof the origin IP address of a different country or to route through its infrastructure the malicious traffic, then a retaliatory automated attack could hit the wrong country rather than Russia networks.

MonsterMind attacks

As explained by Snowden in his latest interview with Wired, MonsterMind could compromise countries involved in the attack.

“These attacks can be spoofed,” “You could have someone sitting in China, for example, making it appear that one of these attacks is originating in Russia. And then we end up shooting back at a Russian hospital. What happens next?” said Snowden.

The problem of attribution isn’t unique problem related to the deployment of MonsterMind, Snowden added that an automatic system like this need to receive in input a significant amount of data, including network traffic of all private communications coming into the US, repprenting for this a menace for the privacy of US citizens. MonsterMind need this data to efficiently discriminate normal network traffic from anomalous or malicious traffic.

“If we’re analysing all traffic flows, that means we have to be intercepting all traffic flows. That means violating the Fourth Amendment, seizing private communications without a warrant, without probable cause or even a suspicion of wrongdoing. For everyone, all the time,” he added.

Cryptographer Matt Blaze, an associate professor of computer science at the University of Pennsylvania, said that the algorithm which are implemented by automated scanning system Snowden describes are similar to the ones on which are based the  Einstein 2 (. pdf) and Einstein 3 (. pdf) programs developed by the Government. Both use a network sensors to identify malicious attacks .

Also in this case, the US Government avoided to comment the Snowden’s revelation on MonsterMind.

Pierluigi Paganini

(Security Affairs – NSA, MonsterMind)