Growing beyond the speed of HD Moore's Law

Joshua Corman is generally credited with coining "HD Moore's Law" to state:

Casual attacker power grows at the rate of Metasploit

![](/img/threatmodel_full_CC.png)

I have recently come to believe that the widening gap between Information Security defenders' and attackers' capabilities - and especially the pace at which they can evolve - is perhaps the single biggest technology challenge facing InfoSec today. This is not only because, in my threat model, Corman's "casual attacker" generally takes up most of the real estate, namely groups 1 and 2. It's also because HD Moore's Law is scaling eerily well. How well? Let's look at the traditional triad of confidentiality, integrity, and availability and see how attacker capabilities have fared in this decade.

Integrity: if we use the number of "weaponized" exploits shipped with Metasploit as the barometer, attacker advantage has grown fairly consistently year-over-year. Starting at 177 exploits in 2007, the Rapid7 exploit database has grown steadily, with several hundred exploits added annually since 2010.

Availability: Not long ago (by Internet standards), denial-of-service attacks were often aimed at blackmailing offshore casinos, and defense was about having enough bandwidth to absorb the spike in traffic. Outspending the attacker is never a sustainable strategy, and few enterprises (or ISPs, for that matter) have been able to individually keep up with the growth curve - an entire industry of CDNs and appliance makers has sprouted to attempt to address this problem. While surges of 100 gigabits per second (Gbps) were virtually unheard of in 2011 (the largest monitored attack that year was 70 Gbps), Arbor Networks observed 133 such attacks through 2014Q3 alone.

Confidentiality: with few exceptions, we still rely on passwords - and some arcane rules on how to secure them - to protect much of our data and systems. The attacker advantage here is perhaps the most striking. Thanks not only to Moore's Law, but also to the commoditization of specialized processing ideally suited to password cracking, the advent of pre-calculating password hashes, an ever-growing corpus of valid passwords from which to build statistically advantageous algorithms, and advances in distributed computing, the sheer rate at which a modestly funded attacker can grind through an encrypted password store has gone from an already staggering 25 million per second (circa 2012) to billions (on a single computer) or hundreds of billions (on an academic-scale cluster) today in 2014.

As a defender, I wouldn't mind if most attacker capabilities scaled at the speed of Metasploit; other recent advances make that look positively glacial and downright manageable by comparison.