Kudu Dynamics
Twisting Asymmetries

Why

In the beginning

Long ago at a large defense contractor, four of us spent our free time studying the asymmetries inherent in the cyber domain, rooted in lessons learned competing in DEF CON Capture the Flag. We came up with a plan to scale the national capability-base, groom the leadership structure, and train a workforce. We ended up in front of an Agency director, who put it in front of another Agency director, who pushed it into the Office of the Secretary of Defense. Our large defense contractor CEO called us to the carpet. On the first slide he twirled his show-piece wristwatch. By the second slide he paused the presentation to brag about his vintage car collection. On the third slide he lectured us that he, not us, talked to the Secretary of Defense. That is when we understood: properly harnessed, asymmetries inherent in the cyber domain threatened the revenue of his large weapons systems. Kudu was born.

In earlier ages most battles were a question of minimal tactics conquering those without any tactics, of some minor degree of excellence conquering those without any capabilities. -- Wuzi 吳子 ~400 BC




How

Asymmetries

In the 2000s, a Kudu principal's very first task after switching from developing firewalls, intrusion detection systems and end-point security to professional offense was to teach the organization how to circumvent defenses. Offense was a generation ahead of the defense and could ignore the defense. Today the domain has fundamentally transformed into a negative-sum game. Offense operates unhampered. Defense comes in afterwards and burns much of the Offense's capability base. They both lose. For Kudu's first four years we took a step back to research why. We researched how automatic exploit re-weaponization interacted with binary diversity; the offensive techniques that custom Windows, Linux and Android modifications could detect and those few building blocks which were inherently undetectable; the offensive building blocks which an attacker could not inherently control; the data sources which provided a vantage into offensive operations and which elements could not be lifted out of the noise floor; etc. These are the asymmetries in which we live.

Flectere si nequeo superos, Acheronta movebo.
(If I cannot bend the heavens above, I will move Hell.)
-- Virgil

Where

龙潭虎穴
Dragon's pool and tiger's den
-- Idiom
  • Boulder, CO
  • Chantilly, VA
  • Columbus, OH
  • Harrisonburg, VA
  • San Antonio, TX