- About us
- Code of Conduct
- Google SoC
- Recent posts
- Security Workshops
On July 31, 2013, Jason Geffner of CrowdStrike discussed a new tool called "Tortilla" that allows incident responders and computer security researchers to hide behind the Tor network as they poke and prod malicious software infrastructure. Were I there, I would have asked Jason this question: What things should I not do while using Tortilla, and why shouldn't I do them? I know Jason and respect his technical skills, but if he and CrowdStrike don't have a good answer, that will say a lot about our field's collective ability to reason about actions along the Active Response Continuum. [D. Dittrich and K. E. Himma. Active Response to Computer Intrusions. Chapter 182 in Vol. III, Handbook of Information Security, 2005. http://ssrn.com/abstract=790585.]
[This post expresses the personal opinion of the author and is not an official statement representing the Honeynet Project.]
At the AusCERT 2013 conference, Dmitri Alperovich called for debate about, "the kinds of actions that infosec professionals are allowed to take against attackers." I agree with Dmitri, and in fact I made the same call, at the same conference on May 23, 2005! (AusCERT invited me to speak on an emerging topic and I chose to speak for the first time publicly at AusCERT 2005 about the Active Response Continuum research I had been doing with funding from Cisco.) As one of the world's foremost experts on this topic, with over two decades of security operations experience, I welcome Dmitri to the debate. :)
What follows is adapted from the forthcoming book, "The Active Response Continuum: Ethical and Legal Issues
of Aggressive Computer Network Defense," by David Dittrich. I welcome any comments, suggested modifications and/or additions.
There are many challenges facing those who are victimized by computer crimes, who are frustrated with what they perceive to be a lack of effective law enforcement action to protect them, and who want to unilaterally take some aggressive action to directly counter the threats to their information and information systems. This has been called active defense, aggressive [network] self-defense, counter-attack, and even hacking back. Regardless of the reasons why someone would want to take such actions, it is necessary to discuss the options, acknowledge the risk and benefit tradeoffs, and identify how aggressive actions can be taken in a manner that is safe, controlled, and justifiable (as best this can be accomplished). This cannot be accomplished, however, if everyone comes at the subject with their own individual frame of reference and language. (This was pointed out by more than one person at this year's Suits & Spooks DC 2013 conference.)
This is a response to a CSO Online blog post by Jeff Bardin ("Caution: Not Executing Offensive Actions Against Our Adversaries is High Risk," November 2012.), which is a rebuttal to a blog post by Jody Westby on Forbes online (“Caution: Active Response to Cyber Attacks Has High Risk.”) Mr. Bardin is obviously playing on words in the title and I seriously doubt he believes that it is higher risk to not take aggressive actions than is to do so. His post does not contain a reasoned proposal for how to change or work within existing legal and ethical norms to allow aggressive actions directed at computer network attackers. It is instead a strident endorsement of a vaguely defined "new approach" of counter-attack using simplistic arguments based on emotion and a desire for retribution (an unethical position to take), lacking sufficient discussion of appropriate "rules of engagement," principle-based ethical justifications of any type beyond basic "right of self-defense" arguments, and including no oversight mechanisms to minimize the potential for abuse or collateral damage. This response is quite long, including not only Mr. Bardin's own words for context but also many references to materials apropos to the topic that Mr. Bardin does not provide in his post.
Mr. Bardin's blog post illustrates some of the problems with discussion of this topic that I have seen over and over since the first workshops I attended or lead on this topic in Seattle's Agora security group from 2001 to 2004. I have been studying and discussing these issues for over a decade and have seen the same simplistic arguments repeated in nearly every discussion. Useful analogies in this realm are really hard to find and almost always fail. Part of the problem stems from non-technical people trying to discuss extremely technical and complex issues of computer network attack and defense, combined with rushing to simple "self defense" analogies and appeals to emotion, suggesting we have to do something, anything, to get satisfaction. Frequently left out is any meaningful discussion of ethics, "rules of engagement," responsibility, or accountability.
If my response here comes across as vehement opposition, it is not intended that way. If anything, it shares Mr. Bardin's frustration that we have gotten to the point where intrusions are so widespread and pervasive, but we differ in explaining why and in proposing a viable path forward.