Lec 03 - Defensible - Security.architecture - 30th March 2024


Defensible Security Architecture

Design principles and ATT&CK


The complexity of the domain is staggering
and my areas of focus

COMPANY UNCLASSIFIED | NOT EXPORT CONTROLLED | UNCLASSIFIED


4 22.5.2019 NIXU PUBLIC | NOT EXPORT CONTROLLED | CUSTOMER UNCLA

References per slide, at the end.


Trusted go-to partner for cybersecurity services

Vision: Keeping the digital society running
Mission: Be the best workplace for cyber security specialists

• approx 400 cyber security specialists
• Cyber security services from board decisions to deep forensic investigations
• Locations: Finland, Sweden, Netherland, US, Denmark, Romania and Australia and more
• Founded in 1988
• Publicly listed 2014
• 98% of our clients recommend Nixu

Defensible Security Architecture
SANS SEC530.1

• Defensible Security Architecture


▪ Mindset
▪ Models
▪ Virtual Networking / Software-defined Networking
▪ Micro-Segmentation

• Threat, Vulnerability, and Data Flow Analysis

Two types of threats
Non-actor-driven (not antagonistic) threat

• Possible, unwanted event with a negative outcome for operations, which isn’t caused by a human actor’s deliberate actions.

• Generally speaking, non-antagonistic threats can be divided into three categories:
• Natural phenomena (natural disasters, disease)
• Errors in technical systems (bugs, malfunction)
• Non-intentional actions by human actors (accidents, negligence)

Two types of threats
Actor-driven (antagonistic) threat

• Threat driven by an actor in the form of an individual, group, network, organisation, state etc.
• Actor-driven threats are normally intentional.

The post-breach / “assume breach” age

"High-risk enterprises should assume that they are already compromised - there is no product or combination of products that provides 100% protection"

- 2012, NSS Labs Analysis, Brief – Cybercrime Kill Chain vs. Defense Effectiveness

The post-breach / “assume breach” age
Dwell time – Mandiant/FireEye M-Trends 2018 report

MITRE’s “assume breach” initiative
and the rise of the ATT&CK framework
History:
• 2010 - researching data sources and analytic processes for detecting APTs more quickly through the use of endpoint telemetry data
• 2013 - developed a process for modeling an adversary’s post-compromise behavior at a granular level. This model is named ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge).
• 2015 - ATT&CK methodology is released to the world
• 2018 - The first dedicated ATT&CK conference

ATT&CK – A more scientific way
Adversarial Tactics, Techniques, and Common Knowledge

An empirical/curated knowledge base that helps model cyber adversaries’ tactics and techniques – and then shows how to detect or stop them.

▪ The real hacker playbook (+200 techniques)
▪ Threat-informed
▪ Community driven
▪ Free

Think like an attacker

“Think like a chef and see how well you do in the kitchen…”
- Adam Shostack

Threat modeling
strategically thinking about what might go wrong

“something you can do while preparing to deploy or build a system is to think about the threats associated with it.”

Threat modeling
Shostack’s four questions

1. What are you deploying/building?
2. What can go wrong?
3. What are you going to do about it?
4. Did you do an acceptable job at 1-3? (For quality assurance)

ATT&CK Matrix Use Cases
they start with the threat

• Gap analysis of current defences
• Improve the security posture
• Detection of heavily used techniques
• Prioritize what analysts should look for
• Information sharing of observed behaviours on the network
• Help collaboration among security teams
• Tracking the evolution of tactics, techniques, and procedures (TTP) over time.
• Build adversary profiles

• Adversary emulation

Models
• More authentic red team/blue team exercises

ATT&CK
A moving target

APT groups aka advanced threat actors
Advanced Persistent Threat groups came to light in 2013
Currently the ATT&CK framework has 78 different threat actors in its catalogue.

Roughly 43% are attributed to countries

• 13 are presumed to be Chinese-based
• 12 are presumed to be Iranian-based
• 7 are presumed to be Russia-based
• 2 are presumed to be North Korea-based

The cyber kill chain and ATT&CK

PRE-ATT&CK

The cyber kill chain and ATT&CK

ENTERPRISE ATT&CK

The cyber kill chain and ATT&CK

Mobile ATT&CK: Device Access, Network-Based Effects

The ATT&CK Matrices

PRE-ATT&CK
• Tactics: 15
• Techniques: 174

ENTERPRISE ATT&CK
• Tactics: 11
• Techniques: 223

Mobile ATT&CK
• Tactics: 13
• Techniques: 66

Enterprise ATT&CK focus areas (tactics)
• Initial Access
• Execution
• Persistence
• Privilege Escalation
• Defense Evasion
• Credential Access
• Discovery
• Lateral Movement
• Collection
• Exfiltration
• Command and Control

ENTERPRISE ATT&CK platforms:
• Linux
• macOS
• Windows

The post-breach / “assume breach” age
and how ATT&CK can help you leverage what you already have

1. “Think like an attacker” by studying their blueprints

2. Fighting the digital sleeper agents of modern IT-systems by behaviour monitoring through Tactics, Techniques and Procedures (TTP)

The digital sleeper agents of modern IT-systems
or the rise of Living Off the Land Binaries (LOLBins)

Living off the land binaries:

• Authorized, trusted applications that are used by malicious actors
• Usually never write to disk (they are already there)
• Live in memory
• Be one with the network
• Use tools already in place, use protocols already used
• (Don’t talk when the network is quiet)
• Make their infrastructure work for you

ATT&CK - living off the land binaries (LOLBins)
or homesteading in the enterprise with fileless attacks

“Fileless Malware Attacks on the Rise, Microsoft Says” – 2018, October

• LOLBins have been around in the wild since 2014
• Recently experienced explosive growth
• 52% of non-malware attacks in 2017 involved the abuse of two legitimate programs (PowerShell & WMI)
• increasing at a rate of 6.8% per month

Simple examples of TTP
Tactics, Techniques and Procedures

TTP in a Windows environment

• “a privilege escalation via the Microsoft Connection Manager Profile Installer (CMSTP.exe)”

Using a non-cyber analogy

• “a specific approach to counterfeiting $100 dollar bills can be thought of as a TTP while the specific guidance for detecting bills (wrong color, bad watermark, etc.) using this approach can be thought of as Indicators.”

Bianco's “Pyramid of Pain”

The Pyramid of Pain is a conceptual framework in cybersecurity that illustrates the different levels of indicators of compromise (IoCs), ranking them from the easiest to the most painful for adversaries to change.

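
The difference between an indicator at the bottom of the pyramid and a TTP at the top, shown as an added example (not part of the original slides): a hash list cannot flag a trusted binary such as CMSTP.exe or PowerShell, while a behaviour rule on how the binary is used still fires. The events, hosts, paths and hashes are constructed, the rule wording is an assumption, and the technique IDs are the current Enterprise ATT&CK IDs rather than values taken from the deck.

```python
import ntpath

# Constructed process-creation events (hosts, paths and hashes are made up).
EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe C:\Users\alice\AppData\Local\Temp\corp-vpn.inf",
     "sha256": "11" * 32},
    {"host": "ws02", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File report.ps1",
     "sha256": "22" * 32},
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\bob\Downloads\tool.exe",
     "cmdline": "tool.exe", "sha256": "33" * 32},
    {"host": "ws04", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe C:\Program Files\CorpVPN\corp-vpn.inf",
     "sha256": "11" * 32},
]

# Indicator (bottom of the pyramid): a list of known-bad hashes. Constructed value.
IOC_HASHES = {"33" * 32}

# Behaviour (top of the pyramid): how trusted, already-installed binaries are used.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe": "T1059.001", "wmic.exe": "T1047"}


def name(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def hash_match(event):
    """Indicator check: only fires for binaries already on the hash list."""
    return event["sha256"] in IOC_HASHES


def behaviour_match(event):
    """TTP checks: independent of the hash, so they cover signed OS binaries."""
    image, parent = name(event["image"]), name(event["parent"])
    cmd = event["cmdline"].lower()
    hits = []
    if image == "cmstp.exe" and ".inf" in cmd and any(d in cmd for d in USER_WRITABLE):
        hits.append("T1218.003: cmstp.exe given a profile from a user-writable path")
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append(f"{SCRIPT_HOSTS[image]}: {image} started by Office application {parent}")
    return hits


def triage(events):
    """Per-host verdict from both detection styles."""
    return {e["host"]: {"ioc": hash_match(e), "behaviour": behaviour_match(e)} for e in events}


if __name__ == "__main__":
    for host, verdict in triage(EVENTS).items():
        print(host, verdict)
```

The ws04 event is the same binary with the same hash as ws01, started by a service from an installation directory, and stays quiet: the rule keys on the usage, not on the file.
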
How to start with ATT&CK
Tactics: the adversary’s technical goals

PRE-ATT&CK
• Tactics: 15
• Techniques: 174

ENTERPRISE ATT&CK
• Tactics: 11
• Techniques: 223

Mobile ATT&CK
• Tactics: 13
• Techniques: 66

How to start with ATT&CK
Tactics – Techniques – Threat Groups - Tools

How to start with ATT&CK
Work from tactics and break it down from there

Tools

Threat Groups

Defensible Architecture
Separation as a security boundary

Security Design principles

There are many sets of security design principles

They share a lot of similarities between them at a fundamental level

For defensible architecture I recommend starting with these ten (10) security design principles

Security Design Principle

A declarative statement
made with the intention of
guiding security design decisions
in order to meet the security goals of a system

10 design principles for defensible architecture
1. Assign the least privilege possible
2. Separate responsibilities
3. Trust cautiously
4. Simplest solution possible
5. Audit sensitive events
6. Fail securely & use secure defaults
7. Never rely upon obscurity
8. Implement defence in depth
9. Never invent security technology
10. Find the weakest link

10 design principles for defensible architecture
# 01 LEAST PRIVILEGE

Why? Broad privileges allow malicious or accidental access to protected resources

Principle: Limit privileges to the minimum for the context

Tradeoff: Less convenient, less efficient, more complexity

Example:
- Run server processes as their own users with exactly the set of privileges they require
- No root or super-admin access, ever

10 design principles for defensible architecture
# 02 SEPARATE RESPONSIBILITIES AND SYSTEM FUNCTIONS

Why? Achieve control and accountability, limit the impact of successful attacks, make attacks less attractive

Principle: Separate and compartmentalised responsibilities, privileges and admin/user systems

Tradeoff: Development and testing costs, operational complexity, troubleshooting more difficult

Example:
- System admins are separate from security log admins
- Admin interfaces are not allowed to run in the same domain as user interfaces

10 design principles for defensible architecture
# 03 TRUST CAUTIOUSLY

Why? Many security problems are caused by inserting malicious intermediaries in communication paths

Principle: Assume unknown entities are untrusted, have a clear process to establish trust, validate who is connecting

Tradeoff: Operational complexity (particularly failure recovery), reliability, some development overhead. Not a trivial problem…

Example:
- Two-way authentication (client – server)
- Two-factor authentication for user auth
- Only use trusted PKI that you control
- Never share underlying HW for VMs in different sec. domains

10 design principles for defensible architecture
# 04 SIMPLEST SOLUTION POSSIBLE

“The price of reliability is the pursuit of the utmost simplicity” – C.A.R. Hoare

Why? Security requires understanding of the design – complex design is rarely understood – simplicity allows analysis.

Principle: Actively design for simplicity – avoid complex failure modes, implicit behaviour, unnecessary features…

Tradeoff: Hard decisions on features and sophistication. Needs serious design effort to be simple.

Example:
- Fixed configuration (defined configuration as in CIS Benchmarks)
- Hardening (minimize attack surface) in terms of no unused services

10 design principles for defensible architecture
# 05 AUDIT & ANALYZE SENSITIVE EVENTS

Why? Provide record of activity, deter wrongdoing, provide a log to reconstruct the past, provide a monitoring point

Principle: Record all security significant events in a tamper-resistant store

Tradeoff: Performance, operational complexity, development cost

Example:
- Record all unsuccessful login attempts, IPS/IDS events of relevance
- Use a data diode in order to safeguard the security logs

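
One way to make an audit log show tampering, as an added example (not part of the original slides): each record carries an HMAC-SHA256 over the previous record's MAC and its own event, so an edited, deleted or truncated record breaks verification. The key and the latest head MAC are assumed to be held on a separate system, for instance the receiving side of the data diode; the events and the key are constructed.

```python
import copy
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # fixed starting value for the chain

# Constructed security events of the kind the slide says to record.
SAMPLE = [
    {"ts": "2019-05-22T08:01:11Z", "type": "login_failed", "user": "alice", "src": "10.0.0.5"},
    {"ts": "2019-05-22T08:01:14Z", "type": "login_failed", "user": "admin", "src": "10.0.0.5"},
    {"ts": "2019-05-22T08:02:40Z", "type": "ids_alert", "rule": "demo-rule", "src": "10.0.0.5"},
]


def record_mac(key, prev_mac, event):
    """MAC over the previous MAC plus a canonical encoding of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac + body, hashlib.sha256).digest()


def append(log, key, event):
    """Append an event and return the new head MAC (to be shipped off-host)."""
    prev = bytes.fromhex(log[-1]["mac"]) if log else GENESIS
    log.append({"event": event, "mac": record_mac(key, prev, event).hex()})
    return log[-1]["mac"]


def verify(log, key, expected_head=None):
    """Return None if intact, else the index where the chain first breaks.

    len(log) is returned when every record verifies but the chain does not
    end at expected_head, i.e. records were cut off the end.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        want = record_mac(key, prev, rec["event"])
        if not hmac.compare_digest(want, bytes.fromhex(rec["mac"])):
            return i
        prev = want
    if expected_head is not None and prev.hex() != expected_head:
        return len(log)
    return None


def demo():
    key = b"constructed-demo-key"  # assumption: real key lives off the logging host
    log, head = [], None
    for event in SAMPLE:
        head = append(log, key, event)

    edited = copy.deepcopy(log)
    edited[1]["event"]["user"] = "guest"      # rewrite one field
    deleted = log[:1] + log[2:]               # drop the middle record
    truncated = log[:-1]                      # cut off the newest record
    return {
        "intact": verify(log, key, head),
        "edited": verify(edited, key, head),
        "deleted": verify(deleted, key, head),
        "truncated": verify(truncated, key, head),
    }


if __name__ == "__main__":
    print(demo())
```
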
10 design principles for defensible architecture
# 06 FAIL SECURELY & USE SECURE DEFAULTS

Why? Default passwords, ports & rules are “open doors”
Failure and restart states often default to “insecure”

Principle: Force changes to security sensitive parameters
Think through failures – must be secure but recoverable

Tradeoff: Convenience

Example:
- On failure don’t disable or reset security controls
- Don’t allow default accounts with default passwords

10 design principles for defensible architecture
# 07 NEVER RELY ON OBSCURITY

Why? Hiding things is difficult – someone is going to find them, accidentally if not on purpose

Principle: Assume attacker with perfect knowledge, this forces secure system design

Tradeoff: Designing a truly secure system takes time and effort

Example:
- Use reputable crypto
- Assume that an attacker will be able to guess password encodings, port knocking etc

10 design principles for defensible architecture
# 08 DEFENCE IN DEPTH

Why? Systems do get attacked, breaches do happen, mistakes are made – need to minimise the impact

Principle: Don’t rely on a single point of security, secure every level, vary mechanisms, stop failures at one level propagating

Tradeoff: Redundancy of policy, complex permissioning and troubleshooting, can make recovery harder

Example:
- Access control in UI, services, database, OS
- Multiple layers of authentication (HW, SW, Users)

10 design principles for defensible architecture
# 09 NEVER INVENT SECURITY TECHNOLOGY

Why? Security technology is difficult to create – specialist job, avoiding vulnerabilities is difficult

Principle: Don’t create your own security technology
Always use a proven component

Tradeoff: Time to assess security technology, effort to learn it, complexity

Example:
- Don’t invent your own SSO mechanism, secret storage or crypto libraries. Use industry standards!

10 design principles for defensible architecture
# 10 SECURE THE WEAKEST LINK

Why? “Paper Wall” problem – common when focus is on technologies not threats

Principle: Find the weakest link in the security chain and strengthen it – repeat! (Threat modelling)

Tradeoff: Significant effort required, often reveals problems at the least convenient moment

Example:
- Data privacy threat met with encrypted communication but with unencrypted database storage and backups

The Force Multipliers
Technical Controls

• Strong authentication (two factor: smart cards, YubiKey, SMS etc)
• Separation (physical and logical)
• Security logging
• Whitelisting
• SANS/CIS 20 Critical Security Controls

The Force Multipliers
Engineering

• Know your network


• Documentation vs Implementation

• Threat modeling
• Crown Jewels

• Think in graphs
• Not everything is equal

Strong authentication
One of the few good security measures, every time!

Out of band authentication
▪ Civilian: SMS, Google Authenticator, Mobilt BankID
▪ Military: Smart cards with external num-pads

In band authentication with physical token
▪ Smart cards
▪ YubiKeys

Separation (physical and logical)

Separation of
▪ duties
▪ user space / kernel space
▪ admin console / user console
▪ Infrastructure management / operational management

Physical separation holds


▪ No virtual overlap between domains

Security logging
Do you even know what to log in your systems?

• Information flow diagrams

• Who’s watching the results?


▪ Automatic analysis
▪ Manual analysis

• How do you protect your logs?

• How do you handle incident response?


Whitelisting

Most popular operating systems (Windows, Linux, etc.) have some sort of “deny-by-default” technology built in:

• Windows has AppLocker
• In newer versions of Linux, using the Integrity Measurement Architecture, module signing, and Secure Boot, it’s possible to have a system where almost any change is detected. Also SELinux.
• NetBSD has the Veriexec subsystem

Graphs vs lists

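
What "thinking in graphs" adds over a list of individually compliant hosts, as an added example (not part of the original slides): model "control of A yields control of B" as edges, search for a path from an ordinary user to the crown jewels, and list the single relationships whose removal cuts every such path, which is where separation pays off most. The environment, node names and edges are constructed.

```python
from collections import deque

# Constructed environment. An edge A -> B means "whoever controls A can gain
# control of B", e.g. through a logon session, a shared admin account or a
# management interface.
EDGES = {
    "user:alice": ["ws:alice-laptop", "srv:intranet"],
    "ws:alice-laptop": ["user:helpdesk"],       # helpdesk logs on to user laptops
    "srv:intranet": ["user:helpdesk"],          # helpdesk also administers the intranet
    "user:helpdesk": ["srv:fileserver", "ws:bob-laptop"],
    "srv:fileserver": ["user:domain-admin"],    # domain admin session on a member server
    "user:domain-admin": ["srv:dc01"],
}
CROWN_JEWELS = {"srv:dc01"}


def shortest_path(edges, start, targets, skip=None):
    """Breadth-first search; returns the node list of a shortest path or None.

    skip is an optional (source, destination) edge to treat as removed.
    """
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in edges.get(node, []):
            if (node, nxt) != skip and nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def choke_points(edges, start, targets):
    """Edges whose removal on its own leaves no path from start to any target."""
    all_edges = [(src, dst) for src, dsts in edges.items() for dst in dsts]
    return [e for e in all_edges if shortest_path(edges, start, targets, skip=e) is None]


if __name__ == "__main__":
    print(" -> ".join(shortest_path(EDGES, "user:alice", CROWN_JEWELS)))
    for src, dst in choke_points(EDGES, "user:alice", CROWN_JEWELS):
        print("separating", src, "from", dst, "cuts every path")
```

In this constructed graph, removing either of alice's first hops changes nothing because the other route remains, while keeping the domain admin account off the file server removes every path.
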
“If your security engineers don’t like hard problems and novel solutions you have the wrong ones”
- Rich Smith, Etsy

The security goal flow chart
[Figure: flow chart relating Security Metric, Security Goal, Security Mechanism, Risk, Threat, Asset and Vulnerability. Edge labels: measures effectiveness of, demonstrates achievement of, helps to achieve, mitigates, derived based on the categorisation of, protects, may have, induces, increases, to, may exploit.]

Credits and prior art 1/7
"discovering truth by building on previous discoveries"

Me, Myself & I


S02-05: Saab, the corporation video (6 min) - https://www.youtube.com/watch?v=2KsdPHsgR9Q
S02-05: The domains of war - https://saab.com/land/, https://saab.com/air/, https://saab.com/naval/, https://en.wikipedia.org/wiki/Cyberwarfare
S02-05: LinkedIn Cyber Security Domain Map - https://www.linkedin.com/pulse/map-cybersecurity-domains-version-20-henry-jiang-ciso-cissp
S02-05: Nixu Oy at 600Minutes Information and Cyber Security 2017 (Spotlight) - This is Nixu - https://www.youtube.com/watch?v=pwIIJnZ8pHo

SANS SEC530 – Defensible Security Architecture


S06-07: https://www.sans.org/course/defensible-security-architecture-and-engineering

Two types of threats


S08-09: Actor-driven vs non-actor-driven threat
H SÄK Grunder, 2013 - https://www.forsvarsmakten.se/siteassets/4-om-myndigheten/dokumentfiler/handbocker/h-sak-grunder.pdf
IT-Säkerhetsarkitektur, 2015 - https://www.svk.se/siteassets/aktorsportalen/sakerhetsskydd/dokument/vagledning-it-sakerhetsarkitektur-final.pdf

The Post-Breach Age - Quote


S10: Cybercrime Kill Chain vs. Defense Effectiveness - https://www.researchgate.net/publication/258112939_Cybercrime_Kill_Chain_vs_Defense_Effectiveness
S10: Conference: Proceedings des 13. Deutschen Sicherheitskongress des BSI –
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Veranstaltungen/ITSiKongress/13ter/Stefan_Frei_16052013.pdf


Credits and prior art 2/7
"discovering truth by building on previous discoveries"

The Post-Breach Age - Mandiant/FireEye M-Trends 2018 report


S11: Mandiant/FireEye M-Trends report - https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf

MITRE’s “assume breach” initiative


S12: Finding Cyber Threats with ATT&CK™-Based Analytics –
https://www.mitre.org/sites/default/files/publications/16-3713-finding-cyber-threats%20with%20att%26ck-based-analytics.pdf
S12: ATT&CK web page - https://attack.mitre.org
S12: ATT&CK conference 2018 - https://www.mitre.org/attackcon

ATT&CK – A more scientific way


S13: A short animated video about MITRE ATT&CK™ Framework - https://www.youtube.com/watch?v=0BEf6s1iu5g
S13: Science – It is the answer - https://www.deviantart.com/dormantflame/art/Because-Science-390410617
S13: The full ATT&CK Matrix - https://attack.mitre.org/matrices/enterprise/
S13: 3 minutes on MITRE ATT&CK - https://www.rapid7.com/resources/3-minutes-on-mitre-attack

Threat modeling
S14-15: Threat Modeling 101: Ten Common Traps Not to Fall Into
https://www.tripwire.com/state-of-security/security-data-protection/threat-modeling-10-common-traps-you-dont-want-to-fall-into/
S14-15: Threat Modeling: Designing for Security (624 pages)
https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998?tag=viglink12354-20

Credits and prior art 3/7
"discovering truth by building on previous discoveries"

ATT&CK Matrix Use Cases


S16: The MITRE ATT&CK Framework – A Sign of the Times - https://www.threatq.com/mitre-attck-framework-blog/

ATT&CK – A Moving target


S17: ATT&CKing 2019 - https://medium.com/mitre-attack/attacking-2019-c05bccefed2d

APT Groups aka advanced threat actors


S18: ATT&CK Groups: https://attack.mitre.org/groups/
S18: The famous Mandiant/Fireeye report about APT1 (2013, Nov) - https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
“Since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20 major industries”
S18: 2013 Report to Congress of the U.S. – China Economic and Security review commission –
https://www.uscc.gov/sites/default/files/annual_reports/Complete%202013%20Annual%20Report.PDF

The cyber kill chain and ATT&CK


S19-21: TripWire, Defend Your Data Now with the MITRE ATT&CK Framework - https://www.youtube.com/watch?v=io4vCTBLa78
Slides - https://www.slideshare.net/Tripwire/defend-your-data-now-with-the-mitre-attck-framework

The ATT&CK Matrices


S22: https://attack.mitre.org/techniques/enterprise/
S22: https://attack.mitre.org/tactics/enterprise/

Credits and prior art 4/7
"discovering truth by building on previous discoveries"

Enterprise ATT&CK focus areas (tactics)


S23: https://attack.mitre.org/techniques/enterprise/

The post-breach / “assume breach” age and how ATT&CK can help you leverage what you already have
S24: Image - https://www.acsac.org/2017/workshops/icss/Otis-Alexander-ICS,%20Adversarial%20Tactics,%20Techniques.pdf

The digital sleeper agents of modern systems, or the rise of LOLBins


S25: LOLBins: Attackers Are Abusing Trusted Binaries to Target Organizations - https://blog.barkly.com/what-are-lolbins-living-off-the-land-binaries

ATT&CK and LOLBins or homesteading in the enterprise with fileless attacks


S26: Fileless Malware Attacks on the Rise, Microsoft Says - https://www.securityweek.com/fileless-malware-attacks-rise-microsoft-says
S26: Carbon Black 2017 Threat Report -
https://www.carbonblack.com/wp-content/uploads/2018/01/CB-Thread-Report-2017-122117.pdf
S26: DerbyCon 3.0 Living Off The Land A Minimalists Guide To Windows Post Exploitation - https://youtu.be/j-r6UonEkUw

Simple examples of TTP


S27: TTP vs Indicator: A simple usage overview - https://stixproject.github.io/documentation/concepts/ttp-vs-indicator/
S27: IOCs vs. TTPs - https://azeria-labs.com/iocs-vs-ttps/

Credits and prior art 5/7
"discovering truth by building on previous discoveries"

Biancos “Pyramid of Pain”


S28: The Pyramid of Pain - http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
S28: Employing the MITRE ATT&CK Matrix to Build and Validate Cybersecurity Mechanisms –
https://www.apriorit.com/dev-blog/582-employing-the-mitre-att-ck-matrix

How to start with ATT&CK – Enterprise Tactics


S29: Enterprise Tactics - https://attack.mitre.org/tactics/enterprise/

How to start with ATT&CK - Tactics – Techniques – Threat Groups - Tools


S30: ATT&CK Object Model Relationships - https://www.mitre.org/publications/technical-papers/mitre-attack-design-and-philosophy

How to start with ATT&CK - Work from tactics and break it down from there
S31: Relationships between Tactics, Techniques, Software and Adversary Groups –
https://www.splunk.com/blog/2019/01/15/att-ck-ing-the-adversary-episode-1-a-new-hope.html

One page security architecture


S32: http://www.firegenanalytics.com/downloads/one_page_security_architecture_v1.svg

Separation as a security boundary


S33: https://www.zdnet.com/article/microsoft-recommends-using-a-separate-device-for-administrative-tasks/

Credits and prior art 6/7
"discovering truth by building on previous discoveries"

Security Design principles


S34-S46: GOTO 2016, Secure by Design – the Architect's Guide to Security Design Principles - https://www.youtube.com/watch?v=4qN3JBGd1g8

The Force Multipliers - Technical Controls & Engineering


S48: Strong Authentication - https://en.wikipedia.org/wiki/Strong_authentication
S48: Pass-the-hash attacks: Tools and Mitigation (53 pages)
- https://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation-33283
S48: YubiKey - https://en.wikipedia.org/wiki/YubiKey
S48: Smart Card - https://en.wikipedia.org/wiki/Smart_card
S48: Google Authenticator - https://en.wikipedia.org/wiki/Google_Authenticator
S50: Security logging, DCShadow - https://attack.mitre.org/techniques/T1207/
S50: Security logging, BlueHat IL 2018 - Vincent Le Toux & Benjamin Delpy - What Can Make Your Million Dollar SIEM Go Blind - https://youtu.be/KILnU4FhQbc
S47: Separation, DEF CON 24 - Beyond the MCSE: Red Teaming Active Directory video (64 min)
- https://www.youtube.com/watch?v=tEfwmReo1Hk
S47: Separation, GOTO 2016 • Microservices at Netflix Scale: Principles, Tradeoffs & Lessons Learned • R. Meshenberg video (49 min)
- https://www.youtube.com/watch?v=57UK46qfBLY
S51: Top 10 Common Misconceptions About Application Whitelisting
- http://resources.infosecinstitute.com/top-10-common-misconceptions-application-whitelisting/#gref
S47: CIS Critical Security Controls v6.0 (2 pages) - https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf
S47: CIS Critical Security Controls - https://www.sans.org/critical-security-controls
S47: Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.
- https://blogs.technet.microsoft.com/johnla/2015/04/26/defenders-think-in-lists-attackers-think-in-graphs-as-long-as-this-is-true-attackers-win/

Credits and prior art 7/7
"discovering truth by building on previous discoveries"

The security goal flow chart


S54: The Evolution of Information Security Goals from the 1960s to today (30 slides)
http://users.cs.cf.ac.uk/Y.V.Cherdantseva/LectureEvolutionInfoSecGOALS.pdf

===================================== Other stuff =====================================

A crash course in cyber, by halvarflake (https://twitter.com/halvarflake/status/1126813939499773953):


https://docs.google.com/presentation/d/1FGjvcmlWFtHfI_lEdr_khJFeSsLAYR_-Up0GHXtTCsM/edit#slide=id.p

Books you should read that might have been mentioned but aren’t represented by a slide:
- Site Reliability Engineering, How Google Runs Production Systems (552 pages) - http://shop.oreilly.com/product/0636920041528.do
- Vem kan man lita på?: den globala övervakningens framväxt (304 pages) -
http://www.adlibris.com/se/bok/vem-kan-man-lita-pa-den-globala-overvakningens-framvaxt-9789175453958
- Konsten att gissa rätt - Underrättelsevetenskapens grunder (218 pages) -
https://www.adlibris.com/se/bok/konsten-att-gissa-ratt---underrattelsevetenskapens-grunder-9789144004389
- The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age (384 pages) - https://www.amazon.com/Perfect-Weapon-Sabotage-Fear-Cyber/dp/0451497899
