Yesterday, I published a blog titled “Putting an end to ‘strike back’ / ‘active defense’ debate…”. While the title of the blog was tongue-in-cheek, the content certainly was not. Of course I don’t expect the debate to suddenly end over a single blog, but I did bring up a
good great point about the idea of ‘strike back’. I know it is great because the only blog-response I got, completely ignored it. I assume because he simply couldn’t debate the merit of it.
Now, I don’t think I know this guy who calls himself “David Willson”. But everyone knows I am bad with names and faces and InfoSec plebeians that don’t show any indication they have tenure or a clue. Don’t get me wrong, I love InfoSec newbies that are eager and open minded, willing to learn and evolve; I take the time to answer any question they put to me. They are a different breed than the others that mysteriously appear one year, with a resume boasting many years of experience. No clue if David Willson is such a beast, but reading that blog sure seems like it.
I don’t like ego. I like a person that can not only admit, but fully appreciate when they are wrong. Admitting it shows character and a desire to improve themselves. Don’t take this paragraph as me showing ego, it really isn’t about that. Willson is blogging under Titan Info Security Group (@Titaninfosec), whose motto is “Information is the Key to Your Business“. Information you say? Perhaps it was just a completely shitty writing style David, or perhaps you just haven’t been around the InfoSec block. It doesn’t matter if you like me, dislike me, respect me, or want to fist me. Fact is, I have been here a long, long time. If you and your company’s intelligence doesn’t know who I am, or my relevance in the security world, then your intelligence is suitable for the girl scouts at best. Starting your blog with “a guy calling himself Jericho” is laughable. Not only is my real name all over the place, if you Google for “jericho attrition”, the second hit gives you my real name which has been published in media outlets for years in conjunction with my handle. You couldn’t link to my blog, my web site, my Wikipedia entry, or my Twitter feed? I’m sorry, do you claim you knew all this? Consider it when you write these shitty blogs for your over-billed customers. #protip
Now, on to the meat of the blog and the rebuttal! It’s late, I really want to have fun with this, but the bed is more inviting than you. So, you get the more brief and blunt treatment David.
chastises those who advocate Active Defense.
Read the blog again. I chastise those that use the term incorrectly. I specifically point out that ping, traceroute, and nmap are not “active defense”. I further point out that the entire term “active defense” is contradictory and absurd. Offense != defense. “The best defense is a good offense” is better left to movies.
He equates it to strike back and hack back.
No, I have entirely difference sections of that blog that deal with true strike back versus active defense. Is this the “intelligence” you charge your customers for?
I have to say, I agree with two of his points; many companies are now trying to capitalize on this new term, yes new term…
Oh so close David! You were doing well agreeing with me on that part. New term? No. New to newbs in the industry? Yes. You kind of outed yourself here. You can’t claim this term is new when there is a book on it written it in 2002. #newb
I disagree with is his characterization of Active Defense. I wish people would stop equating it to hack back.
HEY FUCKHEAD. I did not say that. Read the fucking blog again please. I specifically defined active defense as this nebulous area of remote reconnaissance, not strike back. I went out of my way to make it very clear there was a solid distinction between the two. The entire point is that companies are using the nebulous “active defense” (which is stupid to begin with) and then further blurring it into “strike back”, ala Kurtz and his Crowdstrike crap.
Hack back is the last 1% of Active Defense. See my definition here: http://www.titaninfosecuritygroup.com/_m1698/blog/Active-Defense-definition.
Great, you define Active Defense! Oh wait, that explains why you are blindly lashing out at what you don’t understand. From your definition:
“Active Defense” is incident response on steroids. Here is my definition: It is a method for companies who find themselves persistently attacked to collect the intelligence needed to evaluate the attacks, develop courses of action or options, and then enable the leadership to make well-informed decisions to move forward in an effort to protect the company. On a spectrum the options could be anywhere from do nothing or the other extreme of hack back to either find the attackers or disrupt or deny the server(s) being used to launch the attacks.
So a whole bunch of management bullshit, then you clearly say “active defense” includes “strike back”. Uh… you just said you wished people would stop equating it to hack back, and you fucking say exactly that in your definition. Seriously, get the fuck out of our industry. Only ignorant sales weasels can’t track their lies between two paragraphs.
Also, the fact that many people who write in opposition to Active Defense made broad statements about how it is illegal without defining Active Defense and detailing what they believe to be illegal or why.
I clearly stated what I see active defense is. Read my blog again, again. I said strike back is illegal; the activity of “hacking the person hacking you”. News flash: it is illegal in most countries. It is illegal in the United States, where I reside, and most of the countries the U.S. still has some form of ties to, economic or otherwise. As an ex-military weenie, you should really grok this.
First of all, if you’re not an attorney stop saying it is illegal because the legality of Active Defense is not black and white.
Tell that to anyone convicted under 18 USC § 1030 please. It is black and white enough to routinely convict people, even ones operating in areas many consider gray. While I am not a lawyer, I am fairly well read on the law. More so than most in our industry, and enough to be invited to be an honorary professor for a cybercrime seminar for a semester, to challenge their students on the notion of law. Yes, a respected university thought me suitable to challenge their students and staff on the law they teach, meaning I am the first to find the wiggle room and gray areas. What, you didn’t know this? was re: intelligence offering.
Jericho’s assertions strike me as hypocritical by jumping on the bandwagon of the Active Defense flurry, making broad assertions and offering NO solutions.
First, I am not hypocritical just because you didn’t actually read my blog. Second, I am not part of the flurry as I argued against this shit back in ~ 2000. Third, what the fuck solutions do you offer? By your definition, a vague HALULULUGGUHGUGHUGHGUH ESCALATE until you get to the strike back phase, which still doesn’t address the simple fact that it STILL WON’T STOP YOU FROM GETTING ATTACKED. Jesus fuck, get out of my industry already. Off my lawn and all that. If you don’t understand WHY I am so vehement about this, then you doubly need to get the fuck out of here. In a light-hearted rant against morons who blindly quote Sun Tzu, Steve Tornio (@steve_tornio) and I point out that trying to know your attacker is futile. Worse, even if you figure out who one is and stop them, then you are dealing with the other eleventy-billion. Are you really under some demented and perverse notion that a single attacker is a threat to you or your customers? That big-bad-APT you are fighting tooth-and-nail against, may just be the decoy while the real attacker is skullfucking your network blind. Sorry to be the bearer of that bad news, and judging by your blog, I certainly am.
If defense is so easy then provide the solution, a solution that hasn’t been tried and one that will work and not subverted by hackers within a few months.
Really? Again with the whole “not reading what I wrote” bit. I didn’t say it was easy. I was arguing for a minimum threshold on defense; that companies who do not focus on defense and put resources there, have no business trying to hack back. In fact, my entire ONE LINE ARGUMENT against all this boils down to that. If you failed Defense 101, then you have no business dabbling in Offense 101. Intelligence business huh?
You need a team of experts who know what they are doing, to include one or more attorneys who know what he/she is doing, but more than just an attorney you believe you can explain the technology to.
And this is where it gets good. You see, I am bad with names and faces, like I mentioned above (since you likely didn’t read it). But in all honesty, I do remember you. I respect(ed) the hell out of you for your presentation at BSides Denver 2010. And you should remember me, “that guy who calls himself Jericho”, as I was leading the mob against your naive but fun presentation titled “When Does Electronic Espionage Become an ‘Act of War’ and What Options Do Nations Have to Defend Their Networks?” Further, I was on the CFP review team for BSides Denver 2013 where I was adamant about having you back, because of your 2010 presentation despite the cute notions that simply weren’t real world. Why? Because you stood up to the heat, you debated it, and you did a good job of doing so from your losing side. The entire CFP review team was looking forward to your talk specifically, hoping it would re-create the passion and energy from years before.
So, what happened during BSides Denver 2013? Two things changed. First, you moved from the military to Titan Info Security Group. Second, you made people walk out of your talk, and it ended in zero debate. What’s the matter David, Titan got your balls all of a sudden? You went from a damn fined individual and debater that I respected, to … this. Part of me says this is cute. The other part of me says this is pathetic. I went to bat for you, saying you would be an outstanding speaker based on your last presentation. I was wrong. I failed BSides Denver attendees as a CFP reviewer, and I still kick myself over that. I don’t blame you, I really don’t. I blame myself for not seeing what you truly are.
You really don’t remember me? You really don’t remember talking to me during the 2010 conference, and again a couple months ago? That’s fine, I don’t blame you for not remembering me. I am not that interesting offline usually. I’m not in the general intelligence business, just the vulnerability intelligence business. I can get away with that. What’s your excuse?
This takes years of experience to understand the technology, apply the law and foresee the results or consequences.
OK expert, please tell us exactly when pure “strike back” is legal, in what contexts. You have this shit figured out obviously, so write a blog that summarizes it please. If you don’t, then you are full of shit and I am calling you on it. I want you to blog about it because one of three things will happen. One, you will write an incredibly insightful blog that clears up all this “legal confusion” over the concept of strike back, and I will apologize to you and learn a lot from it. Two, you will write an incredibly fun blog that clears up nothing, that many people will mock and deride at best. Three, you will not blog, and in doing so quietly admit that I am right. So, put up or shut up pretend-lawyer. Oh, and cite the fucking law, not your mystical snow globe.
Ask your lawyer if he/she would be willing to put their law license on the line and provide advice in cyber security, hack back, the CFAA, ECPA, trace back, open-source collection, etc.
Great, thanks! Let’s have you read this Wikipedia entry before we continue. Please re-read your definition of “active defense” which is arguably criminally negligent. You really want to put your license on the line after that crap? Not only do you completely miss the irony of your definition of “active DEFENSE“, you completely fail to see the legal implications of what you put forth, 1% or not.
I’m not going to quote the last paragraph of your blog, i’ll let my readers re-read it before they continue. You and your company appear to be the same scum I called out, attempting to mix “active defense” with “strike back”, for what appears to be your profit margin. The irony of you arguing this with me has multiple juicy layers of depth.
I mean come on, look at your fucking company’s logo. Ones and zeroes coming out of the planet, with that pathetic slogan? Nothing about your blog post screams “intelligence”. Nothing about it reminds me of the guy who calls himself David in 2010. It does remind me of the sell-out David who appeared in 2013 and bored a room of ~ 120. If you want to attack me and my points, feel free. I love a good debate, and I love challenging the industry to think beyond the current norms. Unfortunately, you failed to do that in a big way. You clearly didn’t read my blog, didn’t consider it before you fired off your own rebuttal, and didn’t consider that rebuttals are a FUCKING HOBBY OF MINE. At least play to my weak standards, or do better than my previous offerings. If not, you aren’t even advancing casual insults or banter, and for that, you should eat a bowl of dicks.
So, to throw the proverbial gauntlet down:
Based on David Willson’s reply to my blog, I personally think that Titan Info Security Group is not qualified to provide any security or legal consulting to anyone. Well, maybe to Paw’s Fishing Shack that just got that new-fangled Wi-Fi thing. I bet Paw wants some of that fancy threat intelligence, and he can trade you for it in fresh worms or stale candy. About all you are worth in my opinion. #getoffmylawn
– Some guy who calls himself “Jericho”
p.s. You tag your blog with “computer”, really? I guess I should follow suit.
2 responses to “To the guy calling himself “David Willson”, you don’t get it (was re: Active Defense)”
I just love when Marketing people come up with new terms to describe old concepts, but if I had to define “Active Defense” it would be: “Identifying and monitoring attack vectors to your IT infrastructure and fortifying weak spots.” Doesn’t sound as sexy though. I shudder to think of the collateral damage that would occur if we had the infosec equivalent of “Stand Your Ground” laws.
I don’t like the term. Without context it can seem to refer to attack back.
Hitting up the payload delivery mechanism and needling the actual exploit out of it so you have something to reverse and target is important. If you don’t know what the new stuff is doing you can’t analyze your defense intelligently.
I honestly thought of crafted service responses to deliver XSS to report mechanisms or exploit poor reconnaissance tools by your adversaries. That drew me down the rabbit trail to good old code green and around the bend to the rpc worms and fix rpc worms.
Its a short road when everything is related back to hack back. I just don’t see how anyone would think that’s what was advocated reading the content even if it contained the industry [wait for it] … buzzword.