Fine, let’s continue this “debate”. (was re: Active Defense)

David Willson wants to continue this debate, but wants to keep saying the same crap via Twitter, or try to call me out on the things I called him out for (e.g. not reading the other’s blog). So, my turn…

Background for those just joining:

1. I wrote a serious blog with a tongue-in-cheek title on “strike back” and “active defense”: Putting an end to ‘strike back’ / ‘active defense’ debate…
2. David Willson replies to my blog by writing his own: Really; Put an end to the strike back active defense debate? Not even close!
3. I find serious problems with his brief reply, so I write a tequila-fueled rebuttal with naughty words that he doesn’t like, shooting down many of his points: To the guy calling himself “David Willson”, you don’t get it (was re: Active Defense)

Additionally, let me make a few points very clear:

• Willson has a different definition for “active defense” than most in the industry. I specifically distinguished “hack back” (HB) from “active defense” (AD), citing AD as reconnaissance of the attacking system after being attacked. Willson chose to ignore that and frame my blog in the context of his definition.
• Willson says that he has “offered a solution” with a definition and blog on the process. True that he has defined it in his eyes. Also true that he has further muddied the waters by mixing the more commonly accepted AD definition with HB as well.
• He has claimed I am jumping on some form of bandwagon about HB or AD, despite me linking to material I wrote 13 years ago speaking out against the ideas. Meanwhile, he says he has been championing the activities in his definition (including HB) for two years. He also tried to chide me by saying AD is a “new term”, and emphasizing it with “yes new term”, despite the term being over 11 years old with books written on it.

These are pretty simple statements and factually accurate. Willson implying I am new is laughable and speaks to his tenure in this industry. His claim that AD is new also speaks to his relative maturity as an InfoSec professional. Since he has championed AD and HB, per his definition, for the last two years, let’s examine what he has to say on the topic by going through his numerous blogs. It will become very clear he is one of the advocates that are riding the hype and latest wave of attention AD / HB has garnered. What is not clear is if he understands what he is saying, the complications, and the implications. You be the judge.

---

Definitions

We’ll start with his definition of “Active Defense”:

“Active Defense” is incident response on steroids. Here is my definition: It is a method for companies who find themselves persistently attacked to collect the intelligence needed to evaluate the attacks, develop courses of action or options, and then enable the leadership to make well-informed decisions to move forward in an effort to protect the company.

This is not a definition of AD at all. This is a general definition of incident response. Next he continues by elaborating on the definition and begins to qualify it:

On a spectrum the options could be anywhere from do nothing or the other extreme of hack back to either find the attackers or disrupt or deny the server(s) being used to launch the attacks. The intelligence collected will allow company leadership to make decisions at pre-determined checkpoints based on risk, liability and legal issues. The initial decision whether to simply proceed with incident response versus Active Defense is based on determining whether the attack is a one-time incident or persistent, and how much money is being lost since. Active Defense will require the company to bring in a team of experts to accomplish the various tasks: intel collection, malware analysis, tool/technique development, evaluating legal, risk and liability issues, and therefore the cost involved must be weighed against the damage to the company or loss due to the attacks.

Here he clearly defines AD as having the HB component. Once again, let’s remember, hacking someone else is not defending your network. It is going on the offensive against theirs. Most of the rest of his expanded definition still boils down to incident response, sans the “risk and liability issues” in the context of hacking back.

Attribution

The next area of interest is Willson’s ideas on attribution. He boldly claims that attribution isn’t necessary and that if a computer attacks him, then the owner of that system is just as culpable even if they didn’t launch the attacks. Let’s look at what he says in his 2013-05-10 blog:

Most would admit the greatest challenge with cyber crime is determining who the attacker is, e.g. Attribution. One of the great claims by those who believe “Active Defense” is illegal and immoral is that attribution is extremely difficult and if you can’t determine attribution then you may be, “attacking an innocent victim.”

As a side note to the above comment, I have said in previous blogs, if someone has been compromised and their server is being used to attack my company, that person is NOT innocent.

There are many ways to attack this notion. First, this is a logical fallacy. Follow his logic here: He says that “some companies .. have done all they can” in defending their system. So if one of those companies that have done everything they can get compromised, and their systems are used to attack Willson, now they are “NOT innocent”? Which is it? You say they are not responsible if they did due diligence in security, then a paragraph later say that anyone who gets hacked and used as an attack platform is not innocent.

To further justify his notion of why HB is good, Willson makes the argument that he is doing the victim a favor:

A victim like me, yes, but innocent, no. If I have to disrupt his server to protect my company then so be it. Chances are that server owner does not want the other hundreds or thousands of companies who are victims of his server attacks to know that he is the patsy attacking them due to his crappy security.

Wow, what a noble guy! Once again, even if you knock that compromised host offline, have you defended your network? No. Remember the old game of whack-a-mole? Yeah…

Okay, so why is attribution not that important? Certainly, being able to identify your attacker makes life much easier for you and your company. Even if you can’t identify the attacker, being able to identify who owns the server being used to attack you makes life simpler. You can simply call the owner of the company whose server has been compromised and is attacking your network and work together to block the hacker. If, for some reason, the owner of the compromised server will not work with you then you can proceed as if he is the hacker.

Remember playing that game, and no matter how much you tried to stop that damned mole, he always came back? Those moles have something in common with the dreaded APTs. I’ll give you a hint David; what does the “P” stand for?

In the blog quoted above, you also speak to another problem. While taking that course of action of contacting the other company to get them to respond, that is an expensive prospect (time-wise). You will also run into companies that may want to leave the system online to study the attacker themselves, systems that have no real admin, end-user systems on broadband, open access points (e.g. coffee shops), libraries, and more. Oh, that’s right, you will just hack back and shut down the server at the library too. Are you sure you are doing more good than them by providing that access in the first place? I’d argue against that.

The rest of that blog spirals downhill even faster:

Consider the 2006 movie “Firewall” with Harrison Ford. His wife and daughter were kidnapped and the kidnappers, using this leverage, forced him to hack into a bank he was hired to protect and steal millions of dollars for them. Now, granted, I like Harrison Ford, but, if he is stealing my money he’s not an innocent bystander. He is a victim, but, if it is me or him, choices must be made.

And using your completely absurd analogy against you, “if it is my wife and daughter or Willson’s server, choices must be made” and he did the same thing you would have. #derp

Defense Is Not Offense

I really can’t emphasize this enough, and mention how critical it is in this debate given the commonly accepted term “Active Defense” is a contradiction unto itself. In the security world, there is a pretty fine line between defense (blue hat) and offense (white/black hat). Defending your network means patching, firewalls, IDS, IPS, hardening, and many other technologies. Offense is all about breaking into the target, either under contract or as criminal activity. You don’t “defend” your network by hacking someone else. Don’t believe me? Try it and see if all of the attacks they stop. Spoiler alert: they won’t. From Willson’s 2013-01-24 blog:

For instance, if the attack is a one-time attack and is over, then you DO NOT have a right to retaliate. Similar to when someone robs your house. If they are gone you have no right to pursue the burglar on your own. On the other hand, if you have been attacked repeatedly and are sure it continues or will happen again you have a right to defend yourself.

And without attribution, which you don’t think is necessary, how do you determine that? You cannot. Or, you are lumping all attacks into this logic settings yourself up for the obvious justification in response to a loaded statement. Either way, not good.

Next: “Persistent attacks may be bleeding hundreds of thousands of dollars from companies, and in that situation, they should be within their rights to respond, says Willson.” Yes, they should. If your company is losing 50 to 100 thousand dollars a week and you have done everything else you believe possible, to include called or considered calling law enforcement, to no avail, self-defense should be an option.

Yet your previous real-world analogy of someone breaking into your house doesn’t hold up here. You are now equating “self defense” with chasing the burglar, which you outright condemn three paragraphs earlier.

Also many articles lately have claimed that “attribution” is impossible. Stop it. If it was impossible no one would ever be arrested and prosecuted for hacking. It is difficult, but not impossible.

You are correct here, attribution is not impossible. However, the point I keep making with many people that it doesn’t scale. The number of people attacking any given network at a point in time, make attribution impossible if you attempt it for every attacker. Further, your point about some being arrested and prosecuted should be expanded on. As a lawyer, you know as well as anyone the amount of time and resources that go into a single case that leads to arrest and prosecution. You are talking about multiple law enforcement officers, sometimes working for months at a time to find that one person. They have resources that most companies do not that assists them in attribution. Don’t suggest to your readers that since attribution is possible, via citing law enforcement’s ability to catch a bad guy every once in a while, that attribution scales and is doable by every company out there. Simply not the case.

He Said What?

Next, we’ll look at a concrete example that Willson either doesn’t understand how anything works, or doesn’t take the time to consider his wording (while calling out others for their fear-mongering). From his 2013-05-01 blog:

One of the first decisions is whether, based on the information available and/or gathered, the attack is a one-time occurrence or an ongoing intrusion/breach. If it is determined to be a one-time occurrence the decision is easy, initiate an incident response plan, clean up, patch holes, and provide notifications required by law. If the attack appears to be ongoing some of the follow-up on decisions may include: what end-state the company is seeking (find the hacker and prosecute, block the attack, get data back, etc.)

Did you catch that bit? Willson really believes that you can “get data back”. An attacker breaks into your network, copies the information from your servers, and puts it on another server. First, you still have a copy of the data. Second, you don’t know how many copies are out there. Third, you don’t know where all the copies are. How exactly do you “get the data back”? You don’t. I really hope you aren’t using this as a selling point for Titan Info Security Group’s services.

He Said What? (Part 2)

In a 2012-12-14 blog, Willson states:

Active defense will actually improve security for those who consider it.

Seriously? You are actually saying that “active defense” (which by your definition is a mix of standard incident response, with a dose of hack back in some cases) will improve security? You reminded me today that the HB component is only 1% of active defense. By your definition and statement, the other 99% that we’ve been doing all along will improve security. Are you really trying to leverage “keep doing what we’ve been doing” as justification for the other 1%? Remember, in this same blog you start out by saying:

Lately I’ve seen many articles about “active defense” and “hack back.” This is good because current defenses aren’t working and being in a constant state of defensive mode is not a lot of fun. Something needs to be done.

By that opening, then you are saying that the additional 1%, the HB component will ‘improve security’. That is patently absurd. Breaking into other systems does not improve security sir.

Conclusion

It is clear you are trying to sell something. Your blogs on the topic of active defense do not advance the debate. You actually hinder it as you use a different definition of “active defense” than many do. You do not distinguish between active defense in the sense of reconnaissance and active defense in the sense of hack back for most of your conversation, instead using the one term which can mean either or both. You have not put forth a plan as you say, instead giving this vague notion that hack back is justified and legal. You never spell out exactly how it is legal, instead relying on emotional response to justify it. Big difference in a court of law, which you certainly know.

This blog consists of reviewing half a dozen of your blog posts on the topic. In those, I point out a wide variety of contradictions, as well as point out how you clearly do not back your claims about the legality of it. I also point our your flawed notions about attribution and the concept of digital data. I know you said “you tried” and that you are done with me. That’s fine. Ignore me because I use naughty words and “don’t look professional”. I am not selling anything, so I don’t need to maintain any appearance other than a voice of reason in a murky FUD-filled topic primarily led by people seeking to profit from it. You keep blogging, and I will keep pointing out how you are not qualified to provide consulting services in my opinion. Ultimately, I think your customers will figure that out. I just hope none find out the hard way, with you providing legal defense services instead of security services.