Monday, July 1, 2013

Please, let it go.

I thought it would calm down after RSA earlier this year, all the hype and nonsense about “active defense” and “hacking back”.  But it hasn’t.  Sure, there have been ebbs and flows, but the nonsense continues.  I guess it’s my turn to add to it.

If you have had your first serious discussions about “active defense” and/or “hacking back” in the past year or so you are either new to the business, or are negligent.  Period.

If you make the claim that “active defense” is only a euphemism for “hacking back”, you are either hyping an agenda, or selling a (probably outdated) security model.  Or perhaps you’ve just been misled by the previously mentioned shysters.  By my count that’s three flavors of wrong, although one may be slightly less bitter.

Let’s start with “active defense”.  It is not a new idea, and it doesn’t necessarily mean hacking back.  It may encompass counterattacks, but there are a lot of active defenses far short of attack.  Call it what you want, active defense, or offensive countermeasures (as John Strand and Paul Asadoorian have called it), or devious defense, or maybe just “not lying there and taking it passively”.  If an action causes you or a system to take a corrective or defensive action- that is “active”.  Try too many bad passwords- we’ll lock the account.  That’s active (if somewhat lethargic) and very old.  IPS?  IDS triggering scripts to block traffic?  Those are not new, and are not passive.  (Although, as Chris Hoff posits in a recent post, most inline defenses are deployed in passive mode).  In Ye Olden Days we could even take the “active” defense of contacting an ISP and asking them to block someone (yes, kiddies, once upon a time this actually worked, albeit sporadically).  How about tools like Ben Jackson’s cool WebLabyrinth- that’s certainly active.  Sure, you can cross over to things like setting traps which report back to you when files are taken, or hiding malware in tempting looking docs- but those are one end of a long scale, and still fall short of directly attacking your attackers.  And about that “attacking your attackers” thing- if you have ever defended a network under attack and not done a little “thought exercise” about buying some temporary relief via counterstrike… well, your heart is more pure than mine and many others I know.  Also, if you believe that digital counterstrikes haven’t been an “off-menu” offering for some boutique (and probably not-so-boutique) consultancies for quite a while… let’s just say you can stop waiting for the Easter Bunny.
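To make the “active, but far short of attack” end of that scale concrete, here is an added example (not code from the original post or from any of the tools it mentions) of the two very old active defenses named above: locking an account after too many bad passwords, and an IDS-style script that adds a source to a block list once it has failed against enough accounts. The sshd-style log format, the sample addresses and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample auth-log lines (not real logs); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2013-07-01T09:00:01 sshd: Failed password for alice from 203.0.113.7
2013-07-01T09:00:03 sshd: Failed password for alice from 203.0.113.7
2013-07-01T09:00:04 sshd: Failed password for alice from 203.0.113.7
2013-07-01T09:00:05 sshd: Failed password for alice from 203.0.113.7
2013-07-01T09:00:06 sshd: Failed password for alice from 203.0.113.7
2013-07-01T09:00:09 sshd: Accepted password for alice from 203.0.113.7
2013-07-01T09:01:00 sshd: Failed password for bob from 198.51.100.9
2013-07-01T09:01:02 sshd: Accepted password for bob from 198.51.100.9
2013-07-01T09:02:00 sshd: Failed password for carol from 203.0.113.7
2013-07-01T09:02:01 sshd: Failed password for dave from 203.0.113.7
"""

# Assumed (hypothetical) log line shape; adjust the regex for a real daemon.
LINE_RE = re.compile(r"sshd: (Failed|Accepted) password for (\S+) from (\S+)")


@dataclass
class DefenseState:
    """Counters and decisions accumulated while replaying the log."""
    account_failures: dict = field(default_factory=lambda: defaultdict(int))
    source_failures: dict = field(default_factory=lambda: defaultdict(int))
    locked_accounts: set = field(default_factory=set)
    blocked_sources: set = field(default_factory=set)
    actions: list = field(default_factory=list)


def process_event(state, outcome, account, source, lock_after=5, block_after=6):
    """Apply one auth event and record any corrective action it triggers."""
    if source in state.blocked_sources:
        # Equivalent of a firewall rule already in place: drop, don't count.
        state.actions.append(f"DROP {source}: already blocked")
        return

    if outcome == "Failed":
        state.account_failures[account] += 1
        state.source_failures[source] += 1
        # Account lockout: the classic per-account active defense.
        if (state.account_failures[account] >= lock_after
                and account not in state.locked_accounts):
            state.locked_accounts.add(account)
            state.actions.append(f"LOCK account {account}")
        # IDS-style trigger: one source failing across accounts gets blocked.
        if (state.source_failures[source] >= block_after
                and source not in state.blocked_sources):
            state.blocked_sources.add(source)
            state.actions.append(f"BLOCK source {source}")
    else:  # Accepted
        if account in state.locked_accounts:
            # A correct password does not bypass an existing lock.
            state.actions.append(
                f"REJECT login for locked account {account} from {source}")
        else:
            state.account_failures[account] = 0  # success resets the counter
            state.actions.append(f"ALLOW {account} from {source}")


def run(log_text, **thresholds):
    """Replay a log and return the resulting DefenseState."""
    state = DefenseState()
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # unrelated line
        process_event(state, *match.groups(), **thresholds)
    return state


if __name__ == "__main__":
    for action in run(SAMPLE_LOG).actions:
        print(action)
```

Replaying the sample log locks `alice` on her fifth failure and then rejects her later correct password, allows `bob`, and blocks `203.0.113.7` once it has failed against a sixth time across accounts, after which further traffic from it is dropped. The lockout is exactly the “somewhat lethargic” defense the post describes: it also keeps the legitimate owner out until the lock expires, which is why the per-source block is usually the better first response to a spray across many accounts.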

Oh, and the “but, but, attribution”, “blaming victims”, and “attacking innocent bystanders” stuff?  Yeah, no.  I’m so sick of this nonsense I’m going into dangerous territory and using an inappropriate and incendiary metaphor. You’ve been warned.

If you fail to secure your firearms and someone steals them, then uses them in the commission of a crime…

(I told you it was going to be bad).  Backing away from extreme hyperbole now- my point is that if you can identify a source or relay point in an attack, you have likely identified a negligent party who is probably also a victim, but I’m not giving them a blanket grant of innocence.  This does not necessarily mean I support attacking them, but let’s be honest about their unwitting complicity in Crimes Against the Internet.  To me, this changes the nature of what *might* be an acceptable counterattack from “rm -rf” to “shutdown -h now”.  Yes, yes- it isn’t illegal to be negligent on the Internet, but the laws are so far behind the technology that they are largely irrelevant until YOU get caught up in them.

A few months ago Dan Geer took a pro- “offensive defense” position on the Risky Business podcast episode 273.  It is worth a listen, and I largely agree.  I’m not suggesting you start attacking things unless and until the laws change and your organization has serious and candid conversations on the ramifications of your actions- it is not a course of action for the unskilled or faint of heart.  For most, I think effort would be better spent improving defense and response instead of engaging in digital combat, but for some I believe it could be a viable option.  For some, it has been and will remain a viable option (debate ethics, legality, and liability all you want, that doesn’t change the fact that it has happened and will continue to happen).

Now can we please have some adult conversations about these topics, and stop the faux-naivety and real hype?  Oh, wait, InfoSec.  Right, nevermind.