David Willson wants to continue this debate, but would rather keep saying the same crap via Twitter, or try to call me out for the very things I called him out for (e.g. not reading the other’s blog). So, my turn…
Background for those just joining:
- I wrote a serious blog with a tongue-in-cheek title on “strike back” and “active defense”: Putting an end to ‘strike back’ / ‘active defense’ debate…
- David Willson replies to my blog by writing his own: Really; Put an end to the strike back active defense debate? Not even close!
- I find serious problems with his brief reply, so I write a tequila-fueled rebuttal with naughty words that he doesn’t like, shooting down many of his points: To the guy calling himself “David Willson”, you don’t get it (was re: Active Defense)
Additionally, let me make a few points very clear:
- Willson has a different definition for “active defense” than most in the industry. I specifically distinguished “hack back” (HB) from “active defense” (AD), citing AD as reconnaissance of the attacking system after being attacked. Willson chose to ignore that and frame my blog in the context of his definition.
- Willson says that he has “offered a solution” with a definition and blog on the process. It is true that he has defined it, in his own terms. It is also true that he has further muddied the waters by mixing the more commonly accepted AD definition with HB.
- He has claimed I am jumping on some form of bandwagon about HB or AD, despite my linking to material I wrote 13 years ago speaking out against the ideas. Meanwhile, he says he has been championing the activities in his definition (including HB) for two years. He also tried to chide me by saying AD is a “new term”, emphasizing it with “yes new term”, despite the term being over 11 years old with books written on it.
These are pretty simple statements and factually accurate. Willson implying I am new is laughable and speaks to his tenure in this industry. His claim that AD is new also speaks to his relative maturity as an InfoSec professional. Since he has championed AD and HB, per his definition, for the last two years, let’s examine what he has to say on the topic by going through his numerous blogs. It will become very clear that he is one of the advocates who are riding the hype and latest wave of attention AD / HB has garnered. What is not clear is whether he understands what he is saying, the complications, and the implications. You be the judge.
We’ll start with his definition of “Active Defense”:
“Active Defense” is incident response on steroids. Here is my definition: It is a method for companies who find themselves persistently attacked to collect the intelligence needed to evaluate the attacks, develop courses of action or options, and then enable the leadership to make well-informed decisions to move forward in an effort to protect the company.
This is not a definition of AD at all. This is a general definition of incident response. Next he continues by elaborating on the definition and begins to qualify it:
On a spectrum the options could be anywhere from do nothing or the other extreme of hack back to either find the attackers or disrupt or deny the server(s) being used to launch the attacks. The intelligence collected will allow company leadership to make decisions at pre-determined checkpoints based on risk, liability and legal issues. The initial decision whether to simply proceed with incident response versus Active Defense is based on determining whether the attack is a one-time incident or persistent, and how much money is being lost since. Active Defense will require the company to bring in a team of experts to accomplish the various tasks: intel collection, malware analysis, tool/technique development, evaluating legal, risk and liability issues, and therefore the cost involved must be weighed against the damage to the company or loss due to the attacks.
Here he clearly defines AD as having the HB component. Once again, let’s remember, hacking someone else is not defending your network. It is going on the offensive against theirs. Most of the rest of his expanded definition still boils down to incident response, sans the “risk and liability issues” in the context of hacking back.
The next area of interest is Willson’s ideas on attribution. He boldly claims that attribution isn’t necessary and that if a computer attacks him, then the owner of that system is just as culpable even if they didn’t launch the attacks. Let’s look at what he says in his 2013-05-10 blog:
Most would admit the greatest challenge with cyber crime is determining who the attacker is, e.g. Attribution. One of the great claims by those who believe “Active Defense” is illegal and immoral is that attribution is extremely difficult and if you can’t determine attribution then you may be, “attacking an innocent victim.”
As a side note to the above comment, I have said in previous blogs, if someone has been compromised and their server is being used to attack my company, that person is NOT innocent.
There are many ways to attack this notion. First, he contradicts himself. Follow his logic here: He says that “some companies .. have done all they can” in defending their systems. So if one of those companies that has done everything it can gets compromised, and its systems are used to attack Willson, now it is “NOT innocent”? Which is it? You say they are not responsible if they did due diligence in security, then a paragraph later say that anyone who gets hacked and used as an attack platform is not innocent.
To further justify his notion of why HB is good, Willson makes the argument that he is doing the victim a favor:
A victim like me, yes, but innocent, no. If I have to disrupt his server to protect my company then so be it. Chances are that server owner does not want the other hundreds or thousands of companies who are victims of his server attacks to know that he is the patsy attacking them due to his crappy security.
Wow, what a noble guy! Once again, even if you knock that compromised host offline, have you defended your network? No. Remember the old game of whack-a-mole? Yeah…
Okay, so why is attribution not that important? Certainly, being able to identify your attacker makes life much easier for you and your company. Even if you can’t identify the attacker, being able to identify who owns the server being used to attack you makes life simpler. You can simply call the owner of the company whose server has been compromised and is attacking your network and work together to block the hacker. If, for some reason, the owner of the compromised server will not work with you then you can proceed as if he is the hacker.
Remember playing that game, and no matter how much you tried to stop that damned mole, he always came back? Those moles have something in common with the dreaded APTs. I’ll give you a hint, David: what does the “P” stand for?
In the blog quoted above, you also speak to another problem. The course of action you describe, contacting the other company and getting them to respond, is an expensive prospect (time-wise). You will also run into companies that may want to leave the system online to study the attacker themselves, systems that have no real admin, end-user systems on broadband, open access points (e.g. coffee shops), libraries, and more. Oh, that’s right, you will just hack back and shut down the server at the library too. Are you sure you are doing more good by knocking it offline than they do by providing that access in the first place? I’d argue against that.
The rest of that blog spirals downhill even faster:
Consider the 2006 movie “Firewall” with Harrison Ford. His wife and daughter were kidnapped and the kidnappers, using this leverage, forced him to hack into a bank he was hired to protect and steal millions of dollars for them. Now, granted, I like Harrison Ford, but, if he is stealing my money he’s not an innocent bystander. He is a victim, but, if it is me or him, choices must be made.
And using your completely absurd analogy against you, “if it is my wife and daughter or Willson’s server, choices must be made” and he did the same thing you would have. #derp
Defense Is Not Offense
I really can’t emphasize this enough, and mention how critical it is in this debate given that the commonly accepted term “Active Defense” is a contradiction unto itself. In the security world, there is a clear line between defense (blue team) and offense (red team, whether white hat or black hat). Defending your network means patching, firewalls, IDS, IPS, hardening, and many other technologies. Offense is all about breaking into the target, either under contract or as criminal activity. You don’t “defend” your network by hacking someone else. Don’t believe me? Try it and see if it stops any of the attacks against you. Spoiler alert: it won’t. From Willson’s 2013-01-24 blog:
For instance, if the attack is a one-time attack and is over, then you DO NOT have a right to retaliate. Similar to when someone robs your house. If they are gone you have no right to pursue the burglar on your own. On the other hand, if you have been attacked repeatedly and are sure it continues or will happen again you have a right to defend yourself.
And without attribution, which you don’t think is necessary, how do you determine that? You cannot. Or, you are lumping all attacks into this logic, setting yourself up for the obvious justification in response to a loaded statement. Either way, not good.
Next: “Persistent attacks may be bleeding hundreds of thousands of dollars from companies, and in that situation, they should be within their rights to respond, says Willson.” Yes, they should. If your company is losing 50 to 100 thousand dollars a week and you have done everything else you believe possible, to include called or considered calling law enforcement, to no avail, self-defense should be an option.
Yet your previous real-world analogy of someone breaking into your house doesn’t hold up here. You are now equating “self-defense” with chasing the burglar, which you outright condemn three paragraphs earlier.
Also many articles lately have claimed that “attribution” is impossible. Stop it. If it was impossible no one would ever be arrested and prosecuted for hacking. It is difficult, but not impossible.
You are correct here, attribution is not impossible. However, the point I keep making with many people is that it doesn’t scale. The number of attackers hitting any given network at any point in time makes attribution impossible if you attempt it for every one of them. Further, your point about some being arrested and prosecuted should be expanded on. As a lawyer, you know as well as anyone the amount of time and resources that go into a single case that leads to arrest and prosecution. You are talking about multiple law enforcement officers, sometimes working for months at a time to find that one person. They have resources that most companies do not, which assist them in attribution. Don’t suggest to your readers that since attribution is possible, citing law enforcement’s ability to catch a bad guy every once in a while, attribution scales and is doable by every company out there. Simply not the case.
He Said What?
Next, we’ll look at a concrete example showing that Willson either doesn’t understand how anything works, or doesn’t take the time to consider his wording (while calling out others for their fear-mongering). From his 2013-05-01 blog:
One of the first decisions is whether, based on the information available and/or gathered, the attack is a one-time occurrence or an ongoing intrusion/breach. If it is determined to be a one-time occurrence the decision is easy, initiate an incident response plan, clean up, patch holes, and provide notifications required by law. If the attack appears to be ongoing some of the follow-up on decisions may include: what end-state the company is seeking (find the hacker and prosecute, block the attack, get data back, etc.)
Did you catch that bit? Willson really believes that you can “get data back”. An attacker breaks into your network, copies the information from your servers, and puts it on another server. First, you still have a copy of the data. Second, you don’t know how many copies are out there. Third, you don’t know where all the copies are. How exactly do you “get the data back”? You don’t. I really hope you aren’t using this as a selling point for Titan Info Security Group’s services.
He Said What? (Part 2)
In a 2012-12-14 blog, Willson states:
Active defense will actually improve security for those who consider it.
Seriously? You are actually saying that “active defense” (which by your definition is a mix of standard incident response, with a dose of hack back in some cases) will improve security? You reminded me today that the HB component is only 1% of active defense. By your definition and statement, the other 99% that we’ve been doing all along will improve security. Are you really trying to leverage “keep doing what we’ve been doing” as justification for the other 1%? Remember, in this same blog you start out by saying:
Lately I’ve seen many articles about “active defense” and “hack back.” This is good because current defenses aren’t working and being in a constant state of defensive mode is not a lot of fun. Something needs to be done.
Given that opening, you are saying that the additional 1%, the HB component, will ‘improve security’. That is patently absurd. Breaking into other systems does not improve security, sir.
It is clear you are trying to sell something. Your blogs on the topic of active defense do not advance the debate. You actually hinder it as you use a different definition of “active defense” than many do. You do not distinguish between active defense in the sense of reconnaissance and active defense in the sense of hack back for most of your conversation, instead using the one term which can mean either or both. You have not put forth a plan as you say, instead giving this vague notion that hack back is justified and legal. You never spell out exactly how it is legal, instead relying on emotional response to justify it. Big difference in a court of law, which you certainly know.
This blog consists of reviewing half a dozen of your blog posts on the topic. In those, I point out a wide variety of contradictions, as well as how you clearly do not back your claims about the legality of it. I also point out your flawed notions about attribution and the concept of digital data. I know you said “you tried” and that you are done with me. That’s fine. Ignore me because I use naughty words and “don’t look professional”. I am not selling anything, so I don’t need to maintain any appearance other than a voice of reason in a murky FUD-filled topic primarily led by people seeking to profit from it. You keep blogging, and I will keep pointing out how you are not qualified to provide consulting services, in my opinion. Ultimately, I think your customers will figure that out. I just hope none find out the hard way, with you providing legal defense services instead of security services.
2 responses to “Fine, let’s continue this “debate”. (was re: Active Defense)”
“For instance, if the attack is a one-time attack and is over, then you DO NOT have a right to retaliate. Similar to when someone robs your house. If they are gone you have no right to pursue the burglar on your own. On the other hand, if you have been attacked repeatedly and are sure it continues or will happen again you have a right to defend yourself.”
Dearest Willson, I believe you continue to make a complete fool out of yourself. Not only to those in your industry, but also to every bystander that might happen to pass by this blog or the blog of your company, and see you writhing around like a toddler in time-out. Something that has clearly not taken place: a respect and understanding of whom and what you are speaking about.
Jericho is simply stating that you NEVER have ANY RIGHT to “retaliate” against a cyber attack. Why? Because that’s what the law is for, Willson. You are not FBI – you are not a lawyer – you are not a police officer – you are not a judge – you are not a jury. It is NOT YOUR PLACE to take the LAW into your own hands.
If I, personally, caught a burglar robbing my house, I would not pursue him anyway. I would hide, preferably in a room with a lock on the door, and contact the authorities. Why? Because that’s what the authorities are for, Willson. I don’t know if the burglar has a weapon, be it something he brought with him or something he found in my house to do the trick – I don’t want to put my life on the line over a couple hundred dollars of my own worthless crap – I am not trained in the art of incapacitating another human being – police officers have guns, forensic equipment, and God-willing the correct judgement for the APPROPRIATE course of action I should take.
If I find out that I’m being robbed every weekend I go to my auntie’s house, you’re right – I’m going to defend myself. By installing an alarm system. I’m not going to Tom & Jerry some elaborate, hare-brained scheme to HUNT DOWN the person who is attempting to, at this point, ruin my livelihood. Security cameras – better locks – a sign in the lawn that says, “Yo, I’ve got an alarm now. Back off.” – and MULTIPLE incident reports with the aforementioned authorities. Just like George Zimmerman, YOU need to let the people who KNOW THE LAW do the investigating on your behalf; YOU are only going to fuck it up.
The title of Jericho’s first blog: “Putting an end to ‘strike back’ / ‘active defense’ debate…” was NOT synonymous with: “Putting an end to the debate over ‘strike back’ versus ‘active defense’” you illiterate gibbon. Jericho meant, “Putting an end to ‘strike back’” SLASH = and/or “[an] ‘active defense’ debate”. The focus of the article was the desire to end ‘strike back’, a.k.a. breaking the law in order to feel more secure about your shoddy computer security systems instead of improving the systems and leaving the rest to the authorities. ‘Active defense’ means ACTIVELY DEFENDING, a.k.a. putting up a goddamn Wall of China around your servers. Because you’re wrong – you can NEVER know FOR SURE when you are going to have your systems attacked again, even if the alleged ‘hacker’ tries to tell you otherwise. Just like China had no idea when or where they were going to be attacked – hence, they erected A BETTER FIREWALL.
Oh, and by the way, Willson? You were offended by Jericho’s “language” because you were supposed to be. Profanity is inflammatory, and you rose to the bait just like we figured you would. Why? Because you’re the one who’s insecure, Willson. And I wouldn’t trust a man who’s as insecure and reactionary as you are to secure my computer and network systems.
Childish dick-munchers like you deserve Jericho’s ire. You have no respect for him. Why should we have respect for you?
(Actually, Willson is a lawyer. That is one reason I am speaking out against his blogs, as his material may be considered ‘legal advice’ by someone that doesn’t know better.)