Home > Offensive Computing > Incomplete Thought: Offensive Computing – The Empire Strikes Back

Incomplete Thought: Offensive Computing – The Empire Strikes Back

Failure
Yesterday at IANS, Greg Shipley gave a great keynote that focused on a lot of things we do today in InfoSec that aren't necessarily as effective as they should be. Greg called for a change in our behavior as a community to address the gaps we have.

In the Q&A section, it occurred to me that for the sake of argument, I would ask Greg about his thoughts on changing our behavior and position in dealing with security and our adversaries by positing that instead of always playing defense, we should play some offense.

I didn't constrain what I meant by "offense" other to suggest that it could include "active countermeasures," but what is obvious is that people immediately throw up walls around being "offensive" without spending much time defining what it actually means.

I've written and spoken about this before, but it's a rather contentious issue. It gets shelved pretty quickly by most but it really shouldn't in my opinion.

In a follow-on discussion after the keynote, Marcus Ranum, Richard Bejtlich, Rocky DeStefano and I were standing around shooting the, uh, stuff, when I brought this up again.

We had a really interesting dialog wherein we explored what "offensive computing" meant to each of us and it was clear that simply playing defense alone would never allow us to do anything more than spend money and hope.

There's not been a war yet that has been won with defense alone, so why do we expect we can win this one by simply piling on more barbed wire when the enemy is dropping smart bombs? This is the definition of insanity and a behavior that we don't talk about changing.

"Don't spend money on AV because it's not effective" is an interesting behavioral change from the perspective of how you invest. Don't lay down and take it up the assets by only playing defense is another.

I'm being intentionally vague, obtuse and non-specific when it comes to defining what I mean by "offensive," but we're at a point in time where at a minimum we have the technology and capability to add a little "offense" to our defense.  

You want a change in behavior?  How about not playing the victim?

What are your thoughts on "offensive computing?"  

/Hoff
Categories: Offensive Computing Tags:
  1. March 5th, 2009 at 07:58 | #1

    I think it is a great idea … consequences for actions. Devil is in the details. Say we aggressively respond to an attack from a BotNet, being run on the computer's of some major corporation. Yikes. All I can think about are collateral damage scenarios unless we are really smart about how we respond.
    -Adrian

  2. March 5th, 2009 at 08:51 | #2

    I read offensive security as "do unto other BEFORE they do unto you". Do local laws permit that scenario?

  3. March 5th, 2009 at 10:37 | #3

    I just posted a similar article titled Cloud Warfare & Proactive Network Defenses
    http://www.elasticvapor.com/2009/03/cloud-warfare
    In the modern global computing environment, being a passive participant is no longer an option for most nations, if you are not taking proactive and sometimes offensive network measures you run the risk that your critical infrastructure will be exploited. This very real risk could result in real world casualties. The next big opportunity for the military contractors of the world will be in creating the next generation of distributed computing defense system, ones that can potentially take over a network of civilian compute resources both friendly or hostile. Like it or not, this is the fact we're now facing.

  4. March 5th, 2009 at 13:08 | #4

    "Contentious" almost feels like an understatement when it comes to this topic. The classic "hack back" debate seems to have faded from memory (under that moniker, at least) but it's still valid — should Estonia and Georgia have just lied down and "taken it up the assets", as so colorfully worded above, or should they have attempted to retaliate against their attackers? (Of course, if their attackers were some LARGE countries, it would be ludicrous to think they'd match arms.)
    Numerous state and non-state actors leverage offensive tactics and tools on a frequent basis, so why shouldn't we (as an organization, country, etc.)? At the very least, I think offensive computing approaches have their place for testing the resiliency and survivability of our own systems, networks, and apps. And no, I'm no longer a full-time consultant, so I'm not getting much out of pulling the "PEN TESTING IS ESSENTIAL!!11" routine.

  5. March 5th, 2009 at 14:54 | #5

    See Dave Dittrich's page on "active response" http://staff.washington.edu/dittrich/activerespon… to get some perspective on this idea — which is nothing new.
    What is new is the this militarization of the discourse of computer/network security, which is ultimately more about capturing the imagination of decision makers and politician. To get funding? Information Security became "Compliance" (although they are obviously different) and now everybody is talking about CyberWar (which sounds more alluring than Information Warfare, which has been around since the 90s.)
    "Critical Infrastructure Protection" wasn't a compelling enough idea so now we have to get into "CyberSecurity" but as long as folks aren't doing their job nothing is going to change no matter what we call it.

  6. March 6th, 2009 at 03:37 | #6

    I saw a really interesting Honeypot product that had responsive fuzzing built into it. Thought it was a great idea, save for the legal aspects.
    If you'll forgive the "wild west" analogy, what you've got now is a little prairie town where the bad guys run amok (think the beginning of Seven Samurai). Let everyone start defending indiscriminately, and it'll be a bloodier version of the end of Blazing Saddles.
    Nope, vigilantism isn't the answer. But who wants to give the US gov't (or worse yet, State/Local Law Enforcement) control of the IP space?

  7. March 6th, 2009 at 13:06 | #7

    To me the analogy of home security is better suited than a conventional war, but that might simply be a matter of scope. Corp security, to me, is far different than something of a 'cyberwar' scope. Then of course, we have to discuss whether we're "at war" with something or not. Am I at war with the carjackers that may be in my area?
    Some other thoughts on "offensive security" along with "active countermeasures."
    1. Legal – One way to "attack" back is to pursue legal avenues. This should be desirable, but I think is often dismissed due to cost, effort, and an inability to properly track criminals down without some major assistance (or luck). This might go hand-in-hand with the pursuing of physical burglars. To many, I suppose this ends up feeling the same as lying down and taking it.
    2. Porcupine – Let's say someone gains access to my network. Can I take active measures to DoS his system or break into it to either find out who this rogue is or stop whatever it is he is doing? Sort of like grabbing a porcupine and getting a quill or two stuck in your hand for the process. But where does the line cross into…
    3. Attacking the attacker – This is where I see collateral damage being discussed, when a defender actually attacks the attacker possibly using similar methods. Scorched cyber earth? Some might even take this as pre-emptively attacking threatening persons. Let's say some kiddie gets is up his ass to trash talk you. You feel some lame attack is imminent. You attack first and root him and trash him. Or confiscate his botnet and explode it. Are there people who can attack known bad entities, like starting a war with the next criminal Russian group or the next botnet being formed up? To me, that seems a dubious endeavor, but then again we do raid meth labs when suspected, right?
    4. Emulation – Another aspect, for me, is the practice of thinking and behaving offensively. Pre-emptively test your environment and attack in ways an attacker may. Build systems securely. You would think this should be obvious, but I don't feel we have this mindset in most IT infrastructures. Why wait for an attacker to test defenses and trigger alarms? I still consider this active rather than passively waiting for that tickling on the underside…

  8. March 9th, 2009 at 00:56 | #8

    I think this is a terrible idea. If we "win" then we would have wiped out cyber-crime totally and then we would have no jobs. No, I think job protection is better.
    Actually, that's a bit tongue-in-cheek.
    The real issue is that we are the cyber equivalent of private security guards. We are paid to protect a certain piece of cyber-space from attackers. Real security guards are not allowed to take pro-active measures against crime short of reporting issues to the police.
    In South Africa it is widely known that our police are battling to fight crime effectively. This leads to vigilantism. Vigilantes do not have the checks+balances that the police have. The whole "justice" thing.
    Our only viable Offensive route to deal with cyber-crime is the police. Unfortunately, the police worldwide seem to not be very able at cleaning up cyber-crime. I guess instead of spending time and money building up Offensive Computing we should rather use this to educate the police.
    I read a good article about how vigilantes can get over-excited or bored. The article is here – http://www.thetimes.co.za/Columnists/Article.aspx… . The cyber-equivalent, I would imagine, would be Information Security guys DoSing any machine that is not fully patched and then any box that is running IE, shutting down Google because of their privacy policies, etc. It gets messy and the grey areas are really grey.

  9. Nate
    March 9th, 2009 at 05:07 | #9

    I'm on the fence on this one. I think that the various analogies pointed out here help give a better scope to what action/response model should be chosen. The points about educating the police, defending your network as your home, etc are great. But perhaps the law should permit a place for active response?
    Just allow this thought to float through your mind…
    If someone invades ones home, we are encouraged to call the police. But everyone knows, that the response time is not as fast as we would want it to be. Perhaps the law should be changed to allow one to use "deadly force" if they deem it necessary? The limiter here would be that the issuer of said force would have to stand trial to justify their actions. I can only imagine the burden on the various justice systems around the world, but at least a security team would have a recourse and a plan of action in a major incident.
    In today's economy, a DoS can mean huge losses and could eventually lead to a companies demise. The people who are employed at these companies may not feel so bad if active security measures were taken to defend their livelihood.
    I'm not saying the idea isn't full of it's own issues, but we are the protectors of jobs, identities, infrastructures, and economies. Shouldn't we be given the tools to do our jobs well and within the confines of law?

  10. March 9th, 2009 at 11:14 | #10

    The home invasion analogy may lead us astray. If an attacker is "in" my computer, I don't need to use "deadly force"; I can just unplug the Ethernet cable. Computer security and physical security are different enough that I think it's worth starting from scratch when thinking about appropriate defenses and offenses. So what should a DoS victim be permitted to do? Remotely patch zombies? Shut them down? Wipe them?

  11. chort
    February 12th, 2012 at 01:13 | #11

    I think we need to stop thinking solely of protecting our assets and focus more on what will actually drive up the attackers’ cost. Clearly running AV isn’t driving up intentional attacker cost much, because anyone can run their binary through an encoder and it sails right through.

    What drive up attack cost? Honeypots, honeytokens, spider-traps, etc? I don’t think the infosec community has consensus around those right now, but we need to start figuring it out because what we’re doing now isn’t working.

    As for hacking back, I won’t pretend to have a legal opinion, but if a bad guy is exfiltrating our data and we see where it’s going, I think it’s worth entertaining going after that C&C box and taking back what’s ours.

  1. No trackbacks yet.