Understanding Offensive Security

Thursday, June 30, 2011

Danny Lieberman

I have written several times in the past (here, here and here) about the notion of taking cyber security on the offensive.

James Anderson, president of Professional Assurance LLC, says that there is no evidence that governments can protect large firms from cyber attacks. “National security authorities may not even acknowledge that their interests align with a company that has suffered a cyber attack; therefore, companies must think about retaliation,” he says.

Should a company take retaliatory steps beyond simply increasing its own defensive perimeter? The answer depends on the seriousness of the attack and the potential threat from future attacks.

Anderson says that simply turning over evidence to law enforcement may not save the company from future cyber attacks. If the attack had to do with a government's critical infrastructure, authorities may take an interest; however, there are no established service levels for government response.

For example, Anderson says some activities that might be considered retaliatory are:

  • legal information gathering to identify attackers,
  • direct blocking of network traffic from specific origins,
  • use of transaction identifiers that label the traffic as suspicious,
  • placement of honeypots,
  • identifying and actively referring botnet details for blacklisting or referral to authorities or industry associations, and
  • certain types of deception gambits against suspected internal malefactors.

This is not the first time that I've heard the notion of retaliation using cyber space methods. There are two things wrong with this direction: a) retaliation, and b) using cyber security methods to attack the attackers.

The notion that there are two separate universes, a physical universe and a cyber universe, is wrong. There is one continuum of cyber space and physical space. Forget retaliation and go on the offensive.

That means using counter-terror techniques to discover hacker cells, then infiltrating and disrupting them in the physical world. The problem, of course, is the price tag. It's cheap to mount a cyber attack, but if an attacker knew that they would lose their life if they attacked a US government installation with malware, a deterrent would be created.

Retaliation doesn’t create deterrence – at most, retaliation makes people angry. Just look at the reaction of Palestinian terrorists to Israeli retaliation raids.

Retaliation in cyber space is too late, too little. Instead – I call on the US and other governments to actively combat cyber terror with the same resolve that they attack physical world terrorists.

Cross-posted from Israeli Software

Tom Coats That is a dangerous road you are going down. In the CISSP code there is something about protecting the infrastructure and it is always a tricky thing. Violence, whether virtual or physical, only guarantees one result: more violence. "Nothing comes of violence, nothing ever could." Just because the US, and specifically homeland defense and the defense department, can't get their head around how to protect information and infrastructure doesn't mean by a long shot that the offensive solution will bring us any better results. It is a stupid, wrong-headed approach which brings to mind Einstein's statement: "It takes a particular kind of insanity to do the same thing over and over again and expect a different result."
Danny Lieberman Tom,

I don't think so.

Your quote of Einstein that "It takes a particular kind of insanity to do the same thing over and over again and expect a different result." would seem to prove my thesis.

Current strategies of defense-only are clearly not working.

To draw a parallel from WWII - when the Japanese attacked Pearl Harbor did the US President respond by setting up a private-public partnership / commission to improve coastal defenses? Nope.

The US went to war.

I did not advocate violence for violence's sake, and your intimation that there is a moral parity between terrorists and citizens who are damaged or killed by terrorists is odious.

What I do advocate is understanding that there are not two separate universes - a cyber universe where we install firewalls and anti-virus and a physical universe where we use counter-terror techniques, police forces and military and yes - violence when needed to get the job done. There is one continuum of people who commit crimes and terror (which by the academic definition is any act of violence against citizens).

If the US Federal government is incapable of doing something as simple as reducing their threat surface by reducing the number of Windows machines, I am confident that your notion that the US Federal government is capable of protecting their citizens from cyber terror by just trying harder or throwing money around is no more than a naive suggestion.

Tom Coats Appreciate the banter, and from experience your opinion will win out and you will get your "Ops-Center" a la Tom Clancy. "Odious" and the WWII comment are pretty strong and out of place here. It is all too easy to be pulled into the revenge, testosterone and adrenaline cycle. It feels good, it feels right, and at the end of the day you won't remember what damage you have done. It is Cheneyesque. Once you start treating it like a fight rather than a puzzle with a defined goal, you can't get back.

Yes, think strategically, solve the problem, don't become reactionary, keep your eye on the prize, and beating the "Enemy" is not a goal, it is a tactic.

"Strategy without tactics is the slowest way to victory, tactics without strategy is the noise before defeat." I haven't found the citation, but this is usually attributed to Sun Tzu. With your call I expect to see tactics, but no strategy. That is why I react so vehemently against it. And I think the tactics are counterproductive.
Tom Coats One last point: throwing money at it won't solve the problem at all; developing a strategy will, implementing the straightforward rules will, reducing the attack surface will improve the situation. The whole Bradley Manning thing shows that there are too many secrets; the attack surface has been expanded. Spend less money on creating a problem and spend more time thinking about where you want to get to.
Danny Lieberman Tom

I appreciate the exchange of opinion. Your comments actually stimulated me to consider whether I was just venting or actually had something of a strategy in mind.

After some thought I came up with a 5 part strategy, far different from the strategy the US currently pursues in the cyber security space. Feedback is appreciated.

Here is my 5 part strategy for reducing the damage of cyber terror:

1) Lose the notion of two separate spaces - a cyber space and physical space. There are only people and communication channels.

2) Use offensive counter terror methods in addition to defensive countermeasures subject to the usual political echelon approval.

3) Spend less money on reactive countermeasures like anti-virus software and reduce the Federal threat surface by reducing the number of Windows machines by 10% a year.

4) Understand that retaliation after an attack is not an effective security countermeasure for the next attack since it only gives the attackers free publicity and increases their motivation.

5) Use a demand-side strategy to reduce the social value of being a hacker.

Although there are offensive alternatives such as mounting systematic DDoS attacks on the attackers or developing targeted spyware such as Stuxnet, even more intriguing is the notion of using a demand-side strategy to reduce the social value of being a hacker. Perhaps we can learn from the counter-terror success of the Italians in the late 60s with dismantling the Brigatisti. The Italian government infiltrated the Red Brigades, bred mistrust and quickly rolled up the organization.

Attacking the social networks of people who develop and distribute malware would involve infiltrating the hacker underground, arresting hackers for criminal activity and cutting deals in return for actionable intelligence.

Since malware is a form of terrorism – this strategy might be effective since it goes directly to the source and potentially denies a key hacker benefit – the social gratification.
Kevin McAleavey While I find your premise interesting, I don't see how putting a flaming tube down the chimney of ne'er-do-wells is a winning strategy, since the majority of them are deep down in the bowels of mom and dad's basement.

And while I'm not fond of Redmond's Swiss cheese operating system, one has to note that a very large number of "lulz attacks" were actually carried out on Linux servers. While Windows is a leaky boat on the client side, it appears that on the server side of the equation, Linux isn't faring all that much better.

Most of these attacks would not have been as successful as they have been had the proprietary information not been on those servers in plain sight to begin with. It would have also helped if those servers had been configured properly in the first place.

While I agree with your sentiments regarding the degree of destruction being wrought, I differ on portions of the cause. If you want a secure border, it's useful to have competent soldiers with proper weaponry as an enticement to go bother someone else. :)
Danny Lieberman Kevin,

It's interesting that you equate my suggestion to adopt counter-terror techniques in the service of the battle against cyber terror with flaming tubes. How typically American.

There is much more to counter terror than Seal Team 6 and most of it has to do with detection, intelligence gathering, infiltration and disrupting social fabrics of terrorists among other things.

Regarding Windows and Linux and client vs. server side vulnerabilities, you raise an excellent question which I don't believe has ever been properly examined. What percentage of damage is caused due to Windows client side vulnerabilities vs. server vulnerabilities? I am not sure that there is even empirical data on this topic. We might start by examining damage due to Windows auto-run, virus, malware, trojans vs. damage from SQL injection.

Regarding your border security example, note that, whether intentionally or not, you are also adopting an offensive strategy.

Guards often shoot and kill intruders, unlike firewalls where attackers are simply denied entry on a particular port.

See http://www.software.co.il/wordpress/2011/07/a-strategy-for-combating-cyber-terror/
Kevin McAleavey Forgive my writing style, I am indeed an American but I've found that a little levity with my long-winded diatribes tends to make people a little more willing to read and pay attention. And rest assured that every geek has wished for a big red button next to their desktop rodent that would either put a missile down the stovepipe of ne'er-do-wells or at least that the big red button was connected to a huge Tesla coil that could perform an end-user adjustment to those irritants to the help desk who just won't accept the fact that we don't know their forgotten password and will have to give them a new one that they might not like. That's just me.

I've been playing with computers since the MITS Altair, served my time in glass rooms and have worked in the security business formally since the mid 1990's. I've truly seen it all, and I know where the bones are buried both on the server side of the world and more recently on the client side. Each side has their issues, but we at least expect to find competents on the server side and do the best we can to protect the client side from themselves. Neither of these is working out very well of late. As to the statistics, I don't know the answer to that. I personally consider each and every problem as one to be solved and do my best to prioritize, but the sheer number is overwhelming of late.

Security is a tradeoff for usability, and the weighting has been towards convenience for far too long. Sadly, the vast majority of security issues with all platforms is the inclusion of unnecessary features in public release versions along with copious amounts of simple laziness. I'm planning to write some serious articles describing the details in the coming weeks. I'm hoping you'll have a look through them as well. But I was just being my flippant self as far as the flaming tubes went. I don't think most operations have adequate insurance coverage for that. :)
Phil Agcaoili Danny,

I like your 5 steps and Anderson's suggestions, and have been honing elements throughout the years.

Different strokes for different folks, but I also want to finally balance the scale. We have been losing defensively for a long time and all it takes is one hole in the wall.

War is dirty. We've been in a cold war since computers were networked, and people are now just waking up to this.

Keep brainstorming. I'm interested to see where it leads to.

Danny Lieberman A longer essay in this topic will be appearing shortly on the Island.

I believe that there is work in the DoD on offensive measures but these are cyber measures not counter terror measures.

I think that the key to balancing the scale is to break down the wall between physical, human and logical security and attack the attackers with the same resolve and methods that we attack people who commit violent crimes and terrorists.
Rob Lewis Good food for thought and interesting discussion.

Not singling anyone in particular out here, but it always amazes me that people operate with the notion that some kind of defense can be mounted with low-assurance systems that have more holes than Swiss cheese and then are exasperated that our defenses aren't working. They probably never worked, but then again they were never really challenged to the degree they are today.

One problem with some of the retaliatory measures listed is that they take time and defenses are needed yesterday.

Break from the vuln-centric model to one that creates some level of defensive capability and many issues go away.
Phil Agcaoili Not singling anyone in particular out here either, but it always amazes me that vendors think that they can sell a piece of technology and that will solve the problem. It also amazes me how people that have never defended a fort have all of the answers.

People and Process are the answers to solve the human aspect of the problem.

Adding an offensive (quiet and surgical) security element to a security program may provide a deterrent to those that would harm us.
Rob Lewis @Phil,

People can't always be part of the solution when they are part of the problem. However, if technology plugs certain gaps, staff training can zero in where it may offer a better pay-off.

As far as process goes, they are determined by people as well, so a technology that maps directly to human activity in an enterprise would probably prove more intuitive and less prone to error in that regard, fully addressing the disconnect between business rules and IT security policies.
Danny Lieberman I learned a few (well a lot...) things in the course of DLP projects -

1) Staff training has diminishing returns. At some point people will bring their Android tablet to work and jack it into the network anyhow.

2) There is higher ROI when you focus on managers leading from the front, showing by example how to protect digital assets. When security is part of the annual review, then you're making progress.

3) Detection and monitoring, not prevention, is key.

4) Centering detection and training on business process is much more productive than trying to do digital or system asset protection. This is because a typical business has 1 - 4 orders of magnitude fewer business processes than it has data classes, end points and servers.

5) Fear in the workplace is not a bad thing. This is what gave me the initial impetus to the notion of "offensive" security.
John Strand There has been quite a lot done in this area.

Below are some extra links that cover what you talked about with some concrete examples:

BTW, the debate about violence begetting more violence is cute. Wrong. But, cute.

Gaining access to (or even attacking) an attacker's system is not the same as physical "violence." Also, it has been done a number of times.

I also love it when people jump to conclusions that it is illegal. Under the right circumstances it is and has been legal.

Finally, I want to leave you with a couple simple questions. At my organization we have warning banners that state that all systems that connect to our VPN will be scanned for the latest AV, patches and "Security Relevant Configurations." If an attacker connects to my VPN and the specified information is collected via my VPN logon script, is that illegal? Can it be used against them?

Love the article. Love the conversation. Keep it coming.

John Strand
PaulDotCom Security Weekly
Danny Lieberman John

The notion of scanning systems that attach to the VPN for the latest AV etc. is not unfamiliar; it's a product of the Windows monoculture way of thinking that people are stupid (they're not).

If I have a Linux notebook - does that mean that I can't attach to your VPN?

As I wrote, I think retaliation is not effective. Whatever satisfaction it might give a network administrator to redirect packets back to an attacker - it is not an effective security countermeasure.

What is effective is applying offensive tactics in a proactive way at a rate that is commensurate with the level or potential level of damage. That requires a business to work with law enforcement - if they have information regarding a possible cyber terror incident.

Look at it like this: Lots of eyeballs - citizens looking for people with heavy overcoats in the summer are more effective than all the sophisticated bomb sniffing and AI detection technology.

Passengers taking down a terrorist in flight is more effective than technology as we know from 9/11 and Pittsburgh.

A business cannot take the law into its own hands, but since cyber security is a national priority, then at least we should try and get it right on a national policy and strategy level.

Danny Lieberman Oh yeah. And this vigilante thing is totally not what I would like to see.