On July 31, 2013, Jason Geffner of CrowdStrike discussed a new tool called "Tortilla" that allows incident responders and computer security researchers to hide behind the Tor network as they poke and prod malicious software infrastructure. Were I there, I would have asked Jason this question: What things should I not do while using Tortilla, and why shouldn't I do them? I know Jason and respect his technical skills, but if he and CrowdStrike don't have a good answer, that will say a lot about our field's collective ability to reason about actions along the Active Response Continuum. [D. Dittrich and K. E. Himma. Active Response to Computer Intrusions. Chapter 182 in Vol. III, Handbook of Information Security, 2005. http://ssrn.com/abstract=790585.]
On March 4, 2013, a contest was held at the Nullcon conference in Goa, India, to see who could take over a botnet. The Times of India reported that the prize money was provided by an Indian government official and was awarded to the Garage4Hackers team. The co-founder of the Nullcon conference, Antriksh Shah, said "At Nullcon Goa 2013, for the first time in the world the government has come forward and announced a bounty prize of Rs 35,000 to whoever provides critical information on the command and control servers of a malware recently found in one of the government installations in India," and then tweeted, "Dawn of new infosec era. Govt of India announced (and actually paid) first ever bounty (Rs. 35 k) at nullcon to take down a c&c." When asked whether this was a live botnet, or a simulated botnet held within a safe and isolated virtual network where no harm could result, Nullcon tweeted, "it was a live campaign up since a couple of yrs and the malware was found in a gov. Infra."
For the last few years, I have been participating in a Department of Homeland Security sponsored effort to develop principles and applications for the evaluation of information and communication technology (ICT) research. If you are not familiar with the Menlo Report, you can find a description in Michael Bailey, David Dittrich, Erin Kenneally, and Douglas Maughan. The Menlo Report. Security & Privacy, IEEE, 10(2):71–75, March/April 2012.
Two of my Menlo colleagues, Wendy Vischer and Erin Kenneally, and I recently taught a didactic course at the PRIM&R Advancing Ethical Research conference in San Diego. (PRIM&R is the professional organization for Institutional Review Board, or IRB, professionals; its annual AER conference has thousands of attendees.) Our course primarily described the Menlo Report process to date, but we concluded with a mock IRB committee review of a fictional proposed research project in which researchers develop countermeasures to malicious botnets in social network platforms like Facebook, using deception to build a social network of over 1 million users and then using "good bots" to infiltrate the "bad bots".
This is a response to a CSO Online blog post by Jeff Bardin ("Caution: Not Executing Offensive Actions Against Our Adversaries is High Risk," November 2012), which is a rebuttal to a blog post by Jody Westby on Forbes online ("Caution: Active Response to Cyber Attacks Has High Risk"). Mr. Bardin is obviously playing on words in the title, and I seriously doubt he believes that it is higher risk to not take aggressive actions than it is to do so. His post does not contain a reasoned proposal for how to change or work within existing legal and ethical norms to allow aggressive actions directed at computer network attackers. It is instead a strident endorsement of a vaguely defined "new approach" of counter-attack, using simplistic arguments based on emotion and a desire for retribution (an unethical position to take), lacking sufficient discussion of appropriate "rules of engagement" or principle-based ethical justifications of any type beyond basic "right of self-defense" arguments, and including no oversight mechanisms to minimize the potential for abuse or collateral damage. This response is quite long, including not only Mr. Bardin's own words for context but also many references to materials apropos to the topic that Mr. Bardin does not provide in his post.
Mr. Bardin's blog post illustrates some of the problems with discussion of this topic that I have seen over and over since the first workshops I attended or led on this topic in Seattle's Agora security group from 2001 to 2004. I have been studying and discussing these issues for over a decade and have seen the same simplistic arguments repeated in nearly every discussion. Useful analogies in this realm are really hard to find and almost always fail. Part of the problem stems from non-technical people trying to discuss extremely technical and complex issues of computer network attack and defense, combined with rushing to simple "self defense" analogies and appeals to emotion, suggesting we have to do something, anything, to get satisfaction. Frequently left out is any meaningful discussion of ethics, "rules of engagement," responsibility, or accountability.
If my response here comes across as vehement opposition, it is not intended that way. If anything, it shares Mr. Bardin's frustration that we have gotten to the point where intrusions are so widespread and pervasive, but we differ in explaining why and in proposing a viable path forward.
On March 31, 2012, the Honeynet Project published a draft Code of Conduct and a statement about Ethics in Computer Security Research: Kelihos.B/Hlux.B botnet takedown.
The initial draft of the Code of Conduct was drawn from concepts described in The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research, which was published in the United States Federal Register on December 28, 2011 for public comment. The Code of Conduct was refined through discussion within the Legal and Ethics Committee and among volunteer Honeynet Project members to make it workable within the structure of the Honeynet Project membership for evaluating the ethics of future research activities.
The following FAQ reflects how the Menlo Report principles and proposed Honeynet Project Code of Conduct can be used to analyze and explain an action like the Kelihos/Hlux sinkholing operation.
Earlier, we posted about our operation on the Kelihos.B/Hlux.B botnet takedown that was conducted by security experts from Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project. At first glance, the operation seems very clear cut: the bad guys are running a botnet that is wreaking havoc on the Internet; on the other side are the good guys, who have found a way to disable the botnet.
The situation is much more nuanced. The Honeynet Project has been conducting security research for over a decade now and since our early days, we made it a priority to balance benefit and risks in our research. You can trace this back to when the Honeynet Project first defined "data control" as one of the requirements for honeynet/honeypot deployments. The purpose of data control was to minimize potential harm to others resulting from honeypots, which by their nature are vulnerable systems we expect to be compromised and used by malicious actors.
We do what we do because people with malicious and criminal intent are compromising and abusing millions of computers around the globe. These people do not act in ways that are moral, ethical, or legal. But in trying to counter them, we cannot allow ourselves to similarly disregard our moral, ethical, or legal obligations. If we do, we become no different than them.
We believe that pushing the boundaries in the computer security field and engaging in cutting-edge research brings with it a responsibility to act in an ethical manner. Risks may emerge from botnet takedowns, and the Kelihos botnet takedown operation is no different. What are the benefits? What are the risks? How do they balance each other? Do our actions jeopardize legal investigations? These are all questions that need to be considered, and the outcome will determine how to proceed. In the situation of the Kelihos botnet, the determination was to proceed with the botnet takedown (see below for a detailed assessment). In other situations, the determination and plan of action may be different. In the case of Zeus, for instance, legal action may be necessary.
The Honeynet Project is committed to conducting research in a moral, ethical, and legal way. Weighing risks against benefits, an important aspect of conducting research in such a way, is something every researcher implicitly does. However, there is always a risk of not considering all aspects of the research. As a result, the Honeynet Project, under the leadership of our Chief Ethics and Legal Officer Dave Dittrich, has developed a code of conduct that guides researchers through the process in a systematic manner.
Today, we are publishing a draft of this code of conduct. We hope you find the code of conduct useful and are looking forward to your thoughts and comments.
On Sunday, March 25, Microsoft announced that for the fourth time, they had gone to a federal court and successfully obtained an ex parte temporary restraining order (TRO) to seize domain names from botnet operators. For the second time, the court has also ordered U.S. Marshals to accompany Microsoft and others to serve search warrants and seize evidence that can be used in future civil or criminal actions.