
Weaponized Authentication

By Pete Herzog

Just a meager 15 years from now you’ll be slotting a hot code pack into your server which teaches it to be like a person walking down the street in a shady neighborhood. How do I know? Because I’ve been working on it for a few years now.

Why wait fifteen years? Wait, that’s not actually a question you’d ask. Actually, you wouldn’t ask anything at all. Instead, you’re probably presuming this is an article about Artificial Intelligence security or some other form of machine-based personality disorder.


So let me tell you why your server should act like a person walking down the street in a shady neighborhood.

We’ve surmised some thirty and then some attributes of inherited paranoia associated with how you humans deduce the intent of a person you don’t know. So this is more biomimicry than about machines pretending that they can think like people. Now you’re thinking machines that think like people is also biomimicry… And while that's true, have you ever considered shut up?

The point of this article is to prepare you for supplanting identification techniques with intentification techniques. And I can do it. I already prepared a crowd earlier this year at the illustrious Troopers conference in Heidelberg, Germany and the sublime Paranoia conference in Oslo, Norway, so now it’s your turn.

While examining a large variety of forms of authentication, I realized that damn, this authentication thing does not hold up. I'm not saying it doesn’t work (although it doesn’t). It's shockingly empty of any notions of consistency vital to maintaining security. And it’s all because of identification, one half of the mechanism that makes up authentication (the other half is authorization for you who fell asleep in authentication class).

Identification, you know, is a great thing that just works for people 100% of the time because you’ve never waved back at that person who was waving to the person behind you. Man that was awkward; we all saw it and we’re still laughing at you about it. For real. Also, because you’ve never delivered a pizza to the wrong house. You’ve never used a baseball bat to destroy the wrong car. You’ve never had to say to your stunned friend, “Oh THAT Bob. Oh lord no, not THAT one.” Because identification just works <Editors note: please change to a sarcastic font>.

Now since our inability to tell if that’s our girlfriend or our mom on the phone has led to one too many family interventions and the invention of caller ID <citation needed> us humans have had to rely on a somewhat paranoid means of dealing with the unknown. Intent.

You can thank your tree-swinging ancestors, the Australopithecus kind not the eco-key-swap party kind, for leaving their paranoia in your genes which your kin has been able to refine for you over generations to determine a stranger’s intent. Because that’s a helluva weapon. And it’s that weapon that we are refining to make online authentication a lot more reliable. Yes, I’ll say it, we’ll weaponize Authentication.

How, you ask? If it helps you understand, imagine if there was a filter that makes an interactive challenge to a stream rather than just checking its supposed origin and supposed destination. Oh wait, you already know one, it’s called CAPTCHA. It’s a challenge tactic used as a means of authenticating humans, and really ironically some use that info to train bots to behave like humans. But CAPTCHA is how we keep robots out of our human stuff, at least until they learn enough humanity to bypass it. And it’s truly a good thing that there’s no real AI yet because that’s just sentientist. Yes, that’s totally the right word in the future for right-wing pro-human, anti-AI attitudes so hold onto it for 15 years or so when you’ll need it.

So imagine a type of CAPTCHA for determining malicious intent instead of botness. But instead of showing you illegible scrawl it automatically challenges you in one or more ways like people do to determine if another person might want to be doing them harm. Except instead of doing this to just people’s logins, we also do this to packet streams.

Still don’t see it?

If you use greylisting for e-mail then you already know an automatic stream challenge from server to server. Greylisting is an anti-SPAM defense that temporarily rejects mail from senders it doesn’t know as a challenge tactic. If the mail is legitimate then the sending server should retry sending after a little while and then the greylisting server accepts it. This is a challenge to the SMTP mail process that, despite having some problems, solves the issue of mass send SPAM from temporary mail daemons and single-instance-created virtual mail servers. And it does so by challenging the sender.
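The greylisting challenge described above, sketched as an added example (not code from the article or from any particular mail server). It assumes the common design of keying on the (client IP, envelope sender, recipient) triplet; the delay values, class and function names are illustrative assumptions, and the sample traffic is constructed.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300             # assumed: seconds a sender must wait before retrying
RETRY_WINDOW = 4 * 3600     # assumed: a pending challenge expires after this
PASS_LIFETIME = 30 * 86400  # assumed: how long a proven triplet stays trusted

@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)  # triplet -> first-seen time
    passed: dict = field(default_factory=dict)   # triplet -> last-accepted time

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return an SMTP-style (code, text) reply for one delivery attempt."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok <= PASS_LIFETIME:
            self.passed[key] = now
            return 250, "OK (known triplet)"
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > RETRY_WINDOW:
            # Unknown sender (or stale attempt): issue the challenge.
            self.pending[key] = now
            return 451, "Greylisted, try again later"
        if now - first_seen < MIN_DELAY:
            # Retried too fast: typical of fire-and-forget bulk senders.
            return 451, "Greylisted, retry too soon"
        # Sender queued the message and came back: challenge answered.
        del self.pending[key]
        self.passed[key] = now
        return 250, "OK (retry accepted)"

def replay(events):
    """Run constructed (time, ip, from, to) events and return the reply codes."""
    gl = Greylist()
    return [gl.check(ip, frm, to, t)[0] for t, ip, frm, to in events]

# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE = [
    (0,    "192.0.2.10", "alice@example.org", "bob@example.net"),    # first try
    (60,   "192.0.2.10", "alice@example.org", "bob@example.net"),    # too soon
    (900,  "192.0.2.10", "alice@example.org", "bob@example.net"),    # real retry
    (1000, "192.0.2.10", "alice@example.org", "bob@example.net"),    # now known
    (1000, "198.51.100.7", "promo@example.com", "bob@example.net"),  # never retries
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

The temporary 451 reply is the challenge: a sender that queues and retries passes it, while one that never comes back is never accepted.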

In the Jack of All Trades, an ISECOM project originally designed to hire better cybersecurity personnel but now also used for teaching it, there’s a scenario called the Postman. It went like this:

2. You are a postal carrier for an independent express postal service. You have a book-sized package to deliver.

1. List 10 ways to identify the RECEIVER of the package.

2. List 10 things which would stop you from delivering the package.

3. List 10 reasons for delivering the package at all.

4. List 10 ways to identify the SENDER of the package.

Now the point isn’t to necessarily get 10 answers but rather to open your mind and show how you can break down a problem into hackable pieces. And this is one of 10 different scenarios. But do this Postman exercise and you’ll quickly see two things: first, that finding the sender is really hard and secondly, that the reasons for stopping the package require a lot more information about the package than you have. If you combine this with Scenario 5, the Soldier protecting the bridge, you come across a similar problem even when you don’t need to know where the threat comes from.

5. You are a soldier in full field gear during war time. You are stationed at the only bridge which crosses over the gorge.

1. List 10 ways to prepare for the coming enemy.

2. List 10 ways to prevent the enemy from crossing the bridge.

3. List 10 ways to discern friendly bridge users from the enemy.

4. List 10 problems the enemy could cause if they crossed the bridge.

Once again you learn that the answers require challenges you need to perform. Whether it’s an inspection or forcing other hoops to be jumped through before you’re satisfied, you need to challenge everything you face to know if it’s a threat or not. But we don’t really do that in cybersecurity. We make lists of what looks bad and match the traffic to that. We let it pass and watch if it behaves. What we don’t do is challenge it.

When you humans walk down a shady street, passing unknown corners, strangers and nefarious raccoons, you invoke your inherited method of determining what’s safe. You may call it situational awareness but really it’s more than that because you do more than watch. You watch how they watch you. You move away and see how they move toward you. You make eye contact and see how that changes their movements. You say hello or maybe you nod your head and grunt and see how they respond. But you interact with the creatures around you to understand their intent. That way even if they look harmless we can have more assurance and possibly unmask false friends. That’s what humans do. It’s something we feel in our guts rather than calculate in our heads. But we do it.

So weaponizing authentication is the means of giving firewalls a gut instinct. To do that, we need to train them to interact in specific ways with packet streams. These interactions let us determine intent. This lets us challenge traffic in real time before we try to identify it. That’s what we call intentification and it’s coming to a server near you, in about 15 years.

About Pete Herzog

Pete knows how to solve very complex security problems. He's co-founder of the Institute for Security and Open Methodologies (ISECOM). He created the OSSTMM, the international standard on security testing and analysis, Hacker Highschool, cybersecurity for teens, and the Cybersecurity Playbook, practical cyberdefense for everyone else. More about him here.

The opinions expressed in guest author articles are solely those of the contributor, and do not necessarily reflect those of Cylance.