Another Hack-Back Blog

Thursday, October 04, 2012

Jim Palazzolo


I recently reviewed a video from Defcon 19.  The video was of a panel speaking about the Anonymous / HBGary incident.  Although the events are interesting enough, what was more interesting to me was the mention of offensive security.  To drill down on this subject a bit more, a speaker had commented: defense is just not enough.  Leaving out the extra expletive, I thought the speaker’s estimate of a defense-only approach held some weight within the context of the discussion.  However, in truth, the subject of hack-back is still quite taboo.

So, is it the legal structure regarding this topic that makes it so taboo, or the ambiguity of the target?  What are the implications?  Could a corporation accidentally set off a cyber flashpoint by attacking targets in other countries?  And does an organization, like an individual, have the legal right to defend itself?  Are UFOs real?  I would assume today would be a good day to start talking about this subject.  I don’t foresee the younger generation of students and researchers having the ability to constantly sit on their hands in a defensive posture, nor do I see an organization having the constitution to do the same.  If you have not looked at a college’s information security program lately, know this:  colleges are teaching students to be both offensive and defensive operators.

Flash to the future.  Imagine a scenario whereby an organization retaliates for trespassing.  A few things could happen out of this.  To begin with, due to the anonymity of cyberspace, they could hit the wrong target in retaliation and possibly stir up another “hornet’s nest”.  That scenario ultimately escalates the situation.  Another scenario of a cyber flashpoint could result in a stalemate, whereby all parties involved are forced to deal with each other to resolve the issue.  Possibly, during the course of the dialog, they realize that the flashpoint was actually created by an unknown insider(s) within the instigating organization, thereby inadvertently discovering a malicious individual(s) in their midst.  Would that be a good thing?  Lastly, consider a flashpoint involving two or more enterprise-size organizations resulting in the loss of massive amounts of data through the course of the conflict.  Let’s assume that one of the organizations was a health care provider that has now lost its patient database.  How does that affect the little girl battling cancer whose medical information is no longer available?  There are dozens of cascading effects that could happen in the event of a cyber flashpoint.  My point here is this:  everyone wants to be the cowboy, but no one seems to be considering those caught in the middle, or the power that automation and cyberspace have given us over those whose livelihoods reside in our care.

Another comment was made during the video:  if someone breaks into my house I have the legal right to shoot them.  In many states within the United States that might be the case, but how does that relate to transnational transactions?  In another country, is it considered trespassing just to get to the trespasser, and what implications arise when entering another country’s cyberspace?  Is cyberspace considered a sovereign domain?  As in the above paragraph, I do not think that any of these questions can be answered with one simple solution.  What is also interesting is that we typically consider an attack as something that was initiated by an entity.  Rarely do we attempt to estimate whether the entity was the actual attacker or a separate entity within that entity; and how would you determine which entity actually initiated the attack?  Would you simply call the host owner(s) and ask them who did it?  I was recently asked by my professor:  how would you deal with jihadist terrorism?  I explained that, because jihadist terrorism is more like a franchise than a hierarchical group, each franchise must be assessed individually.  I believe the same applies to the legality and legislation surrounding offensive cyber operations.  However, this process can be very cumbersome.  I believe there will be a vacuum that needs to be filled with regards to legal, legislative, and country correlation for quick reference and look-up by cyber security professionals; and a need for individuals with the ability to generate positive, value-added transnational relationships with foreign counterparts.

In the meantime, one possible interim solution I would suggest would be to fall back on the counterintelligence side of the intelligence profession.  I would suggest that deception efforts are a good place to start with regard to offensive security.  Deception could be considered an offensive operation initiated by defensive personnel from an organizational standpoint; and, as security professionals, we all know there are various ways to lead a would-be adversary down many fruitless rabbit holes (i.e. honeypot).  However, when you consider deception from a profiteering perspective, where and how would you apply it?  I think it would be interesting to see how security companies begin to establish this as a service within the market.  Security ads might read:  John Doe Security – Making those believe what you want them to, while knowing all the while what you need to believe is true.
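One way a defender can put the deception idea above into practice is a honeytoken tripwire: decoy accounts, records and files that nobody legitimately uses, so any touch is a high-fidelity signal rather than a hack-back. This is an added example and not code from the original post; every account name, path, address and log line in it is constructed.

```python
# Honeytoken tripwire (added example, not from the original post). Decoy
# accounts/records have no legitimate use, so any access is a high-fidelity
# signal. All names, addresses and log lines are constructed for illustration.
import re
from dataclasses import dataclass

# Decoys planted by the defender; no real system or person uses these.
HONEYTOKENS = {
    "svc_backup_legacy": "decoy service account in the directory",
    "patient_000000_canary": "decoy patient record in the EHR database",
    "/finance/q3_forecast_FINAL.xlsx": "decoy file on the finance share",
}

# Constructed key=value audit lines: two normal, three touching decoys.
SAMPLE_LOGS = [
    "ts=2012-10-04T09:12:01Z src=10.0.5.20 user=jdoe action=login result=ok",
    "ts=2012-10-04T09:13:44Z src=10.0.5.20 user=jdoe action=read object=/finance/budget.xlsx",
    "ts=2012-10-04T21:02:10Z src=198.51.100.7 user=svc_backup_legacy action=login result=ok",
    "ts=2012-10-04T21:02:31Z src=198.51.100.7 user=svc_backup_legacy action=read object=patient_000000_canary",
    "ts=2012-10-04T21:03:05Z src=198.51.100.7 user=svc_backup_legacy action=read object=/finance/q3_forecast_FINAL.xlsx",
]

KV = re.compile(r"(\w+)=(\S+)")

@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    token: str
    reason: str

def parse(line):
    """Split a key=value audit line into a dict."""
    return dict(KV.findall(line))

def scan(lines, tokens=HONEYTOKENS):
    """Return one Alert per (line, decoy) pair, in log order.
    Both the acting identity and the touched object are checked."""
    alerts = []
    for line in lines:
        ev = parse(line)
        for field in ("user", "object"):
            val = ev.get(field)
            if val in tokens:
                alerts.append(Alert(ev.get("ts", ""), ev.get("src", ""), val, tokens[val]))
    return alerts

def sources_tripping(alerts):
    """Sources that touched any decoy; a short list worth immediate triage."""
    return sorted({a.src for a in alerts})
```

Because the decoys are never used legitimately, the normal activity from jdoe produces nothing while every line from the second source is flagged.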



CP Constantine:

This isn't an entirely new area however - because at least in the criminal arena (let's leave cyberwar hysteria aside just for a minute here), we've seen a very workable model bring successful results - normally competing organizations collaborating on sharing information, doing the detective work, in conjunction with law enforcement and the trade commission, to successfully bring down botnet C&C clusters and prosecute their operators even across national boundaries.

I'll say now that I've been in situations where I felt that, were it not for the constraint of law, I could have turned the tables on an intruder and exposed their secrets to the world instead - but what would that achieve other than fulfilling my personal desire for badassery? The results would be largely useless for anyone else to act on.

If we can agree for one moment that 'cyberwar' is merely the evolution of espionage, then the same rules apply - a spy's ability to act covertly is destroyed once his identity is exposed - the same truth arises in the digital world - identifying, exposing and sharing that knowledge to all is the most effective counterattack, because it destroys their method of operation. If counter-espionage gets involved in that (yes, I think there's scope for 'hacking back' in this regard), so be it if it gets the job done. But so far, all talk of 'hacking back' seems to revolve around some archaic notion that you get root on the enemy's machines and rm -rf them, which somehow cripples their computing ability for longer than the 5 minutes it takes to roll back a VM image...

We've had a decade of experience now with utterly asymmetric warfare, where the attackers are easily trained, mobile and expendable, and can do massive amounts of damage, yet taking them out individually is a methodical and painstaking process, inherent with collateral damage at every step. The same rings true of this obsession with 'cyberwar' - you cannot attack the enemy's offensive infrastructure directly, since computing power is cheap and ephemeral - the only option is to strike back at fixed (civilian) infrastructure - "You hack a defense contractor, we erase your hospital records - we steal all your political wires for the last decade, you DDoS a major bank for a month". It's a pointless exchange of attrition that modern rules of engagement were written to avoid, and no population would support once it starts affecting their day to day lives. The cloak-and-dagger stuff has always gone on precisely because it doesn't appear on the radar of the average citizen.

And yes, sabotage has always been a part of espionage as well. Occasionally people die as part of sabotage too, and I'm sure over time, we will be able to list a handful of people that have died as the result of digital sabotage as well, but there will never be a national graveyard in their memory.

So, given that 'hacking back' on the part of private enterprise is pointless (since disrupting the attackers' infrastructure is a foregone impossibility) unless it is in the process of acquiring further information about the attacker, information that is useless without sharing and contexting it with information from others, it seems the inevitable path is government and law enforcement coordination (and that is hardly a situation I recommend lightly).

Why? Because those organizations can do something that others can't - go after the actual actors and their financial infrastructure (which actually /can/ be damaged).

Tl;Dr version: this entire topic is a moot subject, the realities of which have already been determined in related fields, decades ago. Sometimes the internet does /not/ 'change all the rules' at all.
