Sunday, June 20, 2010

Full Disclosure for Attacker Tools

The idea of finding vulnerabilities in tools used by attackers is not new. It's part of the larger question of aggressive network self defense that I first discussed here in 2005 when reviewing a book of that title. (The topic stretches back to 2002 and earlier, before this blog was born.) If you follow my blog's offense label you'll see other posts, such as More Aggressive Network Self Defense, which links to an article describing Joel Eriksson's vulnerability research into Bifrost and other remote access trojans.

What's a little more interesting now is seeing Laurent Oudot releasing 13 security advisories for attacker tools. Laurent writes:

For example, we gave (some of) our 0days against known tools like Sniper Backdoor, Eleonore Exploit Pack, Liberty Exploit Pack, Lucky Exploit Pack, Neon Exploit Pack, Yes Exploit Pack...

If you're not familiar with these sorts of tools, see an example described by Brian Krebs at A Peek Inside the ‘Eleonore’ Browser Exploit Kit.

Why release these advisories?

It's time to have strike-back capabilities for real, and to have alternative and innovative solutions against those security issues.

I agree with the concept, but not necessarily with releasing "advisories" for attacker tools. Laurent claims these are "0days". This would imply the developers of these attacker tools did not know about the vulnerabilities. By publishing advisories, attackers now know to fix them. Assuming "customers" heed the advisories and update their software, this process has now denied security researchers and others who conduct counter-intruder operations access to attacker sites. This is tactically counterproductive from a white hat point of view.

On the other hand, developers of these attacker tools might already know about the vulnerabilities, and might have already patched them. In this case, publishing advisories is more about creating some publicity for Laurent's new company and for his talk last week. (Did anyone see it?)

I like the idea of taking the fight to the enemy. Security researchers are already penetrating attacker systems to infiltrate botnet command and control servers and do other counter-intruder operations. These activities increase the black hat cost to conduct intrusions, and the more resources the attackers have to divert to defending their own infrastructure, the fewer resources they can direct at compromising victims.

However, disclosing details of vulnerabilities in attacker tools is unlikely to work in the white hat's favor. White hats are bound by restrictions like laws and rules that black hats routinely break. Announcing a vulnerability in the Eleonore exploit kit is not going to unleash a wave of activity against black hats the way announcing a vulnerability in Internet Explorer would. The few researchers and others wearing white hats will likely learn little from a public announcement, since they do their own independent research, while mass-targeting attackers (who historically are not great developers themselves) will disproportionately benefit from the disclosure.

What do you think? Should white hat researchers publish security advisories for black hat tools?


Matthew X. Economou said...

Perhaps I watched too much G.I. Joe as a kid, plus it's late and I'm tired, but I vote for disclosure for the following reasons:

(1) By knowing about vulnerabilities in the attackers' tools, I might be able to better organize my defenses. It might be cheaper for me to induce failures in attackers' tools than to work around or correct vulnerabilities in my own systems/services.

(2) I might be able to use those vulnerabilities to carry out limited (legal) offensives against attackers. In this instance, I'm thinking specifically about personally disrupting botnet command-and-control structures found within networks under my administrative authority. Well-intentioned third parties might also carry out extralegal attacks against attackers themselves (think Batman). This increases the attackers' cost of doing business, insofar as they will have to start spending money or time on additional information assurance activities.

(3) The vendors who supply attackers with malicious software will have to implement expensive, difficult software quality control models in order to continue generating business for their now obviously buggy and poorly-crafted malware. This further drives up the cost of doing business, for both black hat software vendors and for attackers. To reiterate: turnabout is fair play.

I'm only partially joking.

YM Chen said...

Offense is the best defense. But I don't think that applies to this approach.

I agree there is value in learning about/understanding your enemy, the defined "black hat tools", which includes discovering vulnerabilities. But the ultimate goal is to secure your organization. Publishing these tools' vulnerabilities doesn't help to secure organizations as much as attacking the botnet controller. It might push the whole thing into a hamster wheel of vulnerabilities (vuln of browser led to attack tools and botnet, attack tools' vulns led to strike-back tools and then more and more vulns ... :) and then a distraction from the underlying problem (e.g.: insecure browser). So I don't think it falls into one of the best defense strategies.

However, there might be pure research/discussion benefits to circulate such information non-publicly if they haven't been. I just don't see the value for the general public.

I thought of an example that might be related to this topic: your network/system admin wants your external/internal PT/VA to fail, so he goes on and finds vulnerabilities in the most common port/vuln scanners and implements them on the network (instead of doing what he should normally do: secure his network!!). So your PT/VA results may show that the network is secure. But that just doesn't deal with the real problem.

The Ubiquitous Mr. Lovegroove said...

I second Matthew's (2) as a reason why it's a good idea. Sometimes, retaliation is possible without breaking the law.

Furthermore, this could help botnet owners to fight each other for turf and divert resources from harvesting users.

PatsComputerServices said...

While I like the idea that it may cause infighting amongst the different botnet/black hats, I don't think publicly exposing the vulnerabilities was the best idea.

I would have sent the information to the various researchers and antivirus/security providers, so they could take steps to counter the tools. Especially if the tools inject the vulnerabilities into their "products".

The only "good" thing that comes from this is just being able to say that even the "black hats" aren't perfect coders. Aside from that, there's nothing good that comes from this.

Have a great day :)

Anonymous said...

I agree with what Matthew said. The idea of "offensive" security is dangerous...I hope we mostly mean "being aggressive in your defense".

"Do not hesitate to contact TEHTRI-Security if you need technical assistance (pentests, incident handling, source code analysis, etc) with experts who know how work cyber conflicts for real, which is totally different from people who have clean certifications or who just masterize security research in labs..."

and the motive becomes clear. It's usually about money, or pissing further/fame...or both. Vigilante security researchers actively attacking systems and/or releasing 0day...and we're left with grep'ing intent from the network packets.

Anonymous said...

Richard, this is a delightful dilemma!

I think there would be enough value in the shared learning in the community to disclose these vulnerabilities.

I would hesitate on any plan to non-publicly share this information, as my assumption would be we'd only be deluding ourselves to think the attackers wouldn't themselves see it in our own channels.

I think I'd fall barely on the side of disclosing these publicly.


Taloquan said...

Although I am for the "hack back" strategy, I am torn by the double standard posed by the "full disclosure vs. responsible disclosure" debate. The community will crucify a developer for not allowing sufficient time to produce a patch, but also thrives on the security improvements that stem from vendor competition. The simple answer is if you have 'exploit pack 0-day', keep quiet, exploit-exploit, then do a talk about it. The moment you vocalize it, you lose tactical surprise and expose your organization to criticism. Strangely enough, I don't feel that is the moral answer, and maybe what we are left with here is just an ethical dilemma.

Jackson said...

Those researchers who want to release 0-day packs on blackhat tools should know that exploit authors are the ones who watch daily for the latest exploits.
Right now, Laurent has taught them how to write a secure exploit pack. They've already patched their holes. New versions have been sent out to their customers.