Monday, July 1, 2013

Please, let it go.

I thought it would calm down after RSA earlier this year, all the hype and nonsense about “active defense” and “hacking back”.  But it hasn’t.  Sure, there have been ebbs and flows, but the nonsense continues.  I guess it’s my turn to add to it.

If you have had your first serious discussions about “active defense” and/or “hacking back” in the past year or so you are either new to the business, or are negligent.  Period.

If you make the claim that “active defense” is only a euphemism for “hacking back”, you are either hyping an agenda, or selling a (probably outdated) security model.  Or perhaps you’ve just been misled by the previously mentioned shysters.  By my count that’s three flavors of wrong, although one may be slightly less bitter.

Let’s start with “active defense”.  It is not a new idea, and it doesn’t necessarily mean hacking back.  It may encompass counterattacks, but there are a lot of active defenses far short of attack.  Call it what you want, active defense, or offensive countermeasures (as John Strand and Paul Asadoorian have called it), or devious defense, or maybe just “not lying there and taking it passively”.  If an action causes you or a system to take a corrective or defensive action- that is “active”.  Try too many bad passwords- we’ll lock the account.  That’s active (if somewhat lethargic) and very old.  IPS?  IDS triggering scripts to block traffic?  Those are not new, and are not passive.  (Although, as Chris Hoff posits in a recent post, most inline defenses are deployed in passive mode).  In Ye Olden Days we could even take the “active” defense of contacting an ISP and asking them to block someone (yes, kiddies, once upon a time this actually worked, albeit sporadically).  How about tools like Ben Jackson’s cool WebLabyrinth- that’s certainly active.  Sure, you can cross over to things like setting traps which report back to you when files are taken, or hiding malware in tempting-looking docs- but those are one end of a long scale, and still fall short of directly attacking your attackers.  And about that “attacking your attackers” thing- if you have ever defended a network under attack and not done a little “thought exercise” about buying some temporary relief via counterstrike… well, your heart is more pure than mine and many others I know.  Also, if you believe that digital counterstrikes haven’t been an “off-menu” offering for some boutique (and probably not-so-boutique) consultancies for quite a while… let’s just say you can stop waiting for the Easter Bunny.
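The “lock the account after too many bad passwords” and “IDS triggers a script to block traffic” responses above are the low end of the active scale, so here is a small added example (my own illustration, not from the post) of that kind of watcher: it reads constructed sshd-style log lines and decides when to block a source address or lock an account once failures pile up inside a sliding time window. The log lines, thresholds and action names are all assumptions; the function only returns the decisions, and wiring them to a firewall or directory is left to the reader.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic); format loosely follows sshd.
SAMPLE_LOG = """\
2013-07-01T09:00:01 sshd: Failed password for admin from 203.0.113.7
2013-07-01T09:00:03 sshd: Failed password for admin from 203.0.113.7
2013-07-01T09:00:04 sshd: Failed password for root from 203.0.113.7
2013-07-01T09:00:05 sshd: Accepted password for jack from 198.51.100.2
2013-07-01T09:00:06 sshd: Failed password for admin from 203.0.113.7
2013-07-01T09:00:07 sshd: Failed password for admin from 203.0.113.7
2013-07-01T09:10:00 sshd: Failed password for guest from 192.0.2.9
2013-07-01T09:25:00 sshd: Failed password for guest from 192.0.2.9
"""

FAILED_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")


def active_responses(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return the defensive actions to take, in the order they trigger:
    ("block_ip", addr) when one source fails `threshold` times inside
    `window`, ("lock_account", user) when one account does.  Each key is
    acted on once; successes and unrelated lines are ignored."""
    recent = defaultdict(deque)   # ("ip", x) / ("user", x) -> failure times
    acted = set()
    actions = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        for key in (("ip", m.group(3)), ("user", m.group(2))):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:          # slide the window forward
                q.popleft()
            if len(q) >= threshold and key not in acted:
                acted.add(key)
                kind = "block_ip" if key[0] == "ip" else "lock_account"
                actions.append((kind, key[1]))
    return actions


if __name__ == "__main__":
    for action in active_responses(SAMPLE_LOG):
        print(*action)
```

With the defaults the two slow “guest” failures fifteen minutes apart never cross the threshold, which is the point of the window: the response stays proportional to what the logs actually show.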

Oh, and the “but, but, attribution”, “blaming victims”, and “attacking innocent bystanders” stuff?  Yeah, no.  I’m so sick of this nonsense I’m going into dangerous territory and using an inappropriate and incendiary metaphor. You’ve been warned.

If you fail to secure your firearms and someone steals them, then uses them in the commission of a crime…

(I told you it was going to be bad).  Backing away from extreme hyperbole now- my point is that if you can identify a source or relay point in an attack, you have likely identified a negligent party who is probably also a victim, but I’m not giving them a blanket grant of innocence.  This does not necessarily mean I support attacking them, but let’s be honest about their unwitting complicity in Crimes Against the Internet.  To me, this changes the nature of what *might* be an acceptable counterattack from “rm -rf” to “shutdown -h now”.  Yes, yes- it isn’t illegal to be negligent on the Internet, but the laws are so far behind the technology that they are largely irrelevant until YOU get caught up in them.

A few months ago Dan Geer took a pro-“offensive defense” position on the Risky Business podcast episode 273.  It is worth a listen, and I largely agree.  I’m not suggesting you start attacking things unless and until the laws change and your organization has serious and candid conversations on the ramifications of your actions- it is not a course of action for the unskilled or faint of heart.  For most, I think effort would be better spent improving defense and response instead of engaging in digital combat, but for some I believe it could be a viable option.  For some, it has been and will remain a viable option (debate ethics, legality, and liability all you want, that doesn’t change the fact that it has happened and will continue to happen).

Now can we please have some adult conversations about these topics, and stop the faux-naivety and real hype?  Oh, wait, InfoSec.  Right, nevermind.


Jack

4 comments:

Matt Brown said...

Just wrote Paul about Dan Geer. Happy to actually be able to listen to those INCREDIBLE MUTTON CHOPS speak. Thanks.

Richard Steven Hack said...

So in other words, "active defense" means...defense which isn't totally passive...

Right. In other words, a meaningless term. More precise terms would identify specific tactics, such as "honeypots" or "deception" or whatever.

Or it means "hacking back" which is painfully stupid, as we all know.

The notion that a gun owner is complicit in a crime because his gun wasn't in a gun safe - you know, those safes the hackers break into every Black Hat conference...Well, that's just stupid, too.

It's irrelevant whether the "complicit" PC owner was too stupid to protect his PC that is now being used to attack yours. First, you're unlikely to catch anyone without massive amounts of effort tracing back such hackers and very few organizations have that capability, and second, it's still illegal.

So "hacking back" or "counterstrikes" or whatever anyone wants to call them are still stupid tactics.

"Active defense" is a religious war of no significance in terms of actually improving security - which itself is a term more likely to be an oxymoron than a reality.

The sole purpose of the active defense discussions is to allow some people to assume a "higher authority" on the issue of security - when in fact it does nothing but demonstrate they know nothing about what "security" really is.

Meditate on my meme: "You can haz better security, you can haz worse security. But you cannot haz 'security'. There is no security. Deal."

lgblog said...

Dan Geer has penned, IMHO, one of the more interesting commentaries on this topic in his 2012 Suits and Spooks keynote "People in the Loop: Are They a Failsafe or a Liability"; we truly have come to a road with at least three forks.

http://www.taiaglobal.com/wp-content/uploads/2012/02/geer.suitsandspooks.8ii12-2.pdf

MikeP said...

"The notion that a gun owner is complicit in a crime because his gun wasn't in a gun safe - you know, those safes the hackers break into every Black Hat conference...Well, that's just stupid, too."

So since locks can be picked and safes opened, there's no point in using either? There are such things as due care and due diligence.