Friday, March 23, 2007

Taking the Fight to the Enemy

ShmooCon started today. ShmooCon leader Bruce Potter finished his opening remarks by challenging the audience to find anyone outside of the security community who cares about security. I decided to take his idea seriously and I thought about it on the Metro ride home.

It occurred to me that the digital security community fixates on vulnerabilities because that is the only aspect of the Risk Equation we can influence. Lines of business control assets, so we can't decrease risk by making assets less valuable. (That doesn't even make sense.) We do not have the power or authority to remove threats, so we can't decrease risk by lowering the attacks against our assets. (Threat mitigation is the domain of law enforcement and the military.) We can only address vulnerabilities, but unless we develop the asset ourselves we're stuck with whatever security the vendor provided.

I would like to hear if anyone can imagine another realm of human endeavor where the asset owner or agent is forced to defend his own interests, without help from law enforcement or the military. The example can be historical, fictional, or contemporary. I'm reminded of Wells Fargo stagecoaches being robbed as they crossed the West, forcing WF to hire private guards with guns to defend company assets in transit. As a fictional example, Sherlock Holmes didn't work for Scotland Yard; victims hired the Great Detective to solve crimes that the authorities were too slow or unwilling to handle.

As I've said many times before, we are wasting a lot of time and money trying to "secure" systems when we should be removing threats. I thought of this again last night while watching Chris Hansen work with law enforcement to take more child predators off the streets. Imagine if I didn't have law enforcement deterring and jailing criminals like that. I'd have to wrap my kids in some sort of personal tank when I send them to school, and they'd still probably end up in harm's way. That's the situation we face on the Internet. There's no amount of bars over windows, high fences, or other defenses that will stop determined intruders. Removing or deterring the intruders is history's lesson.

This FCW article has the right idea:

The best defense against cyberattacks on U.S. military, civil and commercial networks is to go on the offensive, Marine Gen. James Cartwright, commander of the Strategic Command (Stratcom), said March 21 in testimony to the House Armed Services Committee.

“History teaches us that a purely defensive posture poses significant risks,” Cartwright told the committee. He added that if “we apply the principle of warfare to the cyberdomain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests...”

The Stratcom commander told the committee that the United States is under widespread, daily attacks in cyberspace. He added that the country lacks dominance in the cyberdomain and that it could become “increasingly vulnerable if we do not fundamentally change how we view this battle space.”

Put me in, coach. I'm ready to play, today.


jbmoore said...

Law Enforcement will usually catch the "dumb" child predators with entrapments. Reflect on the fact that serial killers aren't caught after they've killed 10 or more women who are usually streetwalkers. The Green River killer killed upwards of 30-40 women before he was finally caught. Likewise, law enforcement loves child porn because all you need to do is pull a photo off of the victim's browser cache and he'll plea bargain. I suppose what I am saying is that law enforcement is lazy or the majority of traditional criminals aren't very bright. This is different with cyberspace where the perp has to have a modicum of technical expertise or he's using highly sophisticated tools and infrastructure crafted by an experienced programmer. The police are usually out of their depth and the perp is usually overseas and out of reach. The fact that innocent systems might be used as proxies and relays makes the attack aspect difficult to execute as well. As an example though, Ebay is sending teams to Romania to track down and catch cyber fraud and criminals. They are having to actively train the police in the techniques and methodologies they need to catch these people. You'll find that example and more here: .
ISPs are partly to blame for this as are software vendors. There's no economic incentive to filter their web proxies for malware on ingress or egress or filter port 69 internally. Ebay knows which ISPs have good practices. I wish they'd make that information publicly available. Microsoft doesn't make tftp.exe an optional file during install in spite of the fact that the majority of systems are OEM versions that are imaged onto hard drives. You could blame the OEMs since they roll their own versions of Windows, but MS is the main supplier of their software. The AV vendors are being overwhelmed. I'm running a nepenthes honeypot on and I'm catching worms that the major vendors don't have definitions for until 10 business days later. I sent a list of infected internal IPs to security and got an automated response back. For all I know, it went into electronic oblivion. Verizon would be within their rights to disable a customer's internet connection that is putting malicious software on other customers' systems until that system is cleaned and patched, but they have no economic incentive to do so. That it is the right thing to do in the long run and makes everyone safer is beside the point. Hell, we aren't even doing defense right with the tools and software we have now because there's no economic incentive to do so by the providers. The economic incentive falls on the end users and the people who own the servers, not on the people who own the pipes or provide access to those pipes. Too much of the security we have is pure theater.

Keydet89 said...

It occurred to me that the digital security community fixates on vulnerabilities because that is the only aspect of the Risk Equation we can influence.

Very true.

Lines of business control assets, so we can't decrease risk by making assets less valuable. (That doesn't even make sense.) We do not have the power or authority to remove threats, so we can't decrease risk by lowering the attacks against our assets.

There's a lot missing to this discussion. Security professionals have been providing information on how to reduce the attack landscape for years. My study of this started in my initial military training in 1989, and there was practical application throughout my time of service. Moving into the civilian community, I brought the same concepts with me.

What bothers me about Gen. Cartwright's statements is that it appears, when applied to what I'm seeing through my employment as well as through the media everyday, that what's being said is that defending our assets isn't working so let's attack.

Look around. Who does defense properly? How many times has an incident responder gone on-site and asked where the critical business assets are located, only to be presented with blank stares? How many times has an incident responder or someone conducting an assessment located rogue WAPs, seen firewall rulesets that start with "ip any any"?

Saying that we need to take the fight to the enemy is all well and good, but who's going to do that? How long ago was it that an AF general said that the Chinese had downloaded terabytes of data from SIPRNET? Given something like that, who're you going to have "take the fight to the enemy"? Right now, if we take the fight to the enemy, the assets we're trying to protect are still while we're off fighting on one front, we get flanked and have nothing but a smoking crater to return to...

Let's start defending what we've already got, shall we?


Roman said...


I agree that most organizations are not defending themselves the way they ought to be, and that the security of our systems would go a long way if people did it the right way, now and all the time.

That being said (and quoting a certain blogger), "prevention always fails". Even with the best security possible, the only way to truly deal with a threat... is to deal with the threat. Defensive wars do not win; they can only be stalling actions until the offense gets in the game.

In this case, there isn't much offense going on, so the threats multiply instead of being reduced over time.

Of course, I'd like to go on the offense as well. I just don't see a legal arena for me to do so any time soon.

Keydet89 said...


"prevention always fails"

I agree with this statement, but only in the sense that it isn't usually done right. In the early '80s, the Marine barracks in Lebanon was bombed and 241 Marines lost their lives...but the proper prevent/defense mechanisms weren't in place.

I know that this is going to sound like a "when all you have is a hammer, everything is a nail" discussion, but from the perspective of IR, it doesn't look like folks are really taking any steps to do prevention. I can't tell you how many times I see firewalls with rulesets that turn the firewall into an expensive piece of copper wire, or anomalous activity that isn't investigated because no one knows how to do so efficiently and in a timely manner.

In the late '90s, the idea of "Strike Back" was on the table, and I think it struck a chord with the geek culture...since it's all about me, how dare you attack my systems, albeit the fact that they're poorly defended.

Today, in 2007, our corporate culture is such that security isn't even on the table, let alone an afterthought. So now, we have threats running rampant.

Let's turn that picture a little bit and look at it from a different angle...what are the threats today? External attackers? Exposures of sensitive data? How about apathy about security? After some of the things I've responded to, I'd suggest that some threats include a lack of a corporate culture that says they should protect the data they have. Another threat is a lack of visibility into systems...alerts aren't monitored, let alone responded to. I've responded to systems where the owner thought that they'd been compromised last month, only to find out that they were in fact compromised 15 months ago, and the most recent miscreant to p0wn the box was sloppier or more greedy than the other 4 or 5 intruders.

Prevention does work...but it's only part of the equation. We can't simply throw up our arms and say that it doesn't work because we haven't been doing it properly. Need a best practice? Look to those who do this in either the digital or analog realms.

Anonymous said...

From what I see now, everyone or every organization is trying to prevent and defend against attacks. No one is actually trying to visualize the attack before configuring servers or firewalls. That's bad. I think detection is more important than prevention. What do you guys think?

hogfly said...

I can see how the idea of increasing our capabilities for a digital offensive would be beneficial, but I think something has been lost by many organizations today: the ubiquitous 6P principle. Wars are all about preparation. Preparing your troops, preparing the equipment, preparing the contingencies, preparing your escape routes, preparing to win or lose, and on and on. No one practices proper preparation for anything. I get told by some that "we can't staff for major incidents". Yeah fine, but you can prepare the right staff members for responding to that incident should it occur, but it often doesn't get done.

One other thing to remember is that history has also taught us that pure offensive maneuvers are risky and should only be used in dire situations. In addition, the criminal justice system teaches us that deterrence doesn't work (at least in the US). As far as threat removal goes, who is going to police the interweb?

What we need is a more clever method of defense. Do people even understand what threats they actually face? If war is truly based on deception then we're definitely losing this one.

I run a honeynet for many reasons, but one of the main ones is to understand what it is I am actually facing. Sure there are outliers, but by deploying malware collectors and high interaction honeypots I can detect and respond to these devices before a real system gets rolled. This way I can actually prioritize my efforts based on actual data rather than doing what somebody in a different environment does.

As far as asset owners being forced to defend his or her own interests, it's mainly criminals that do this or the very wealthy that can hire bodyguards to protect them; after all, human life is our most important asset.

Richard, I'm curious, how do you propose we remove the threats?

jbmoore said...

I think that thinking of this as a "war" is the wrong way to go. In its essence, war is essentially a fight for survival and the loser was until recently exterminated. The war on drugs will fail because we don't remove the economic underpinnings of the drug trade. Prohibition resulted in the enrichment of the Italian Mafia. Prohibition of drugs has led to the enrichment of the drug lords and cartels. If the government supplied the drugs, the addicts would not have the incentive to steal, they'd have better health, and they might even be able to keep jobs instead of being locked away to rot in prison for years. Prisons are really there to keep the people we can't salvage locked away. If the governments destroyed the economic underpinnings of the drug trade, the crime problem would go away. You'd still have addicts, but you'll have addicts anyway. Look at the tobacco trade and smokers for comparison.

Banks make it difficult and expensive for the ordinary bank robber. The risks generally aren't worth it to walk in and steal directly. There's little economic incentive to directly rob a bank. It's easier now to steal from the weakest link, the compromised end user's online account. There is little risk and the banks don't disclose their losses. When the losses exceed an arbitrary threshold, the banks will have a greater incentive to armor the customer's system or isolate the transaction such that it can't be sniffed even on a compromised system. You may scoff and say that that's not possible, but given human ingenuity, someone may invent such a client side application. Of course, it will only buy the banks time since someone will figure a way to thwart it and you'll have a race condition. But you'll always have a race condition until the risks outweigh the benefits. Eventually, nations will sign extradition treaties and pass laws making it harder for thieves to hide in countries with lax cybercrime laws. The solutions will be cultural, educational, technical, diplomatic and legal.

cutaway said...

[quote]Put me in, coach. I'm ready to play, today.[/quote]

Yes, put me in as well.

Although there is something to be said about actually implementing a good defense, there will always be weaknesses. There will be weaknesses in the perimeter, sentries, leadership, weapons, etc. I think the point of offensive actions is to keep the enemy off balance so that they are unable to deploy their assets in a manner that culminates their strengths. One of the missions of a Marine Sniper is to engage the enemy and force them into this situation. One example we received during training was that by initiating contact with the enemy before they reached their line of departure they were forced to begin their attack before they could pause and consolidate their forces and thereby focus their efforts.

Removing enemy assets, forcing the enemy to reallocate assets to provide defenses, keeping the enemy leadership busy defending instead of continually attacking. That is how you win wars. And that is why we are spending billions of dollars on defenses, while still losing money and assets to the enemy.

This sniper is ready for a mission. :)

Go forth and do good things,