The Active Response Continuum to Cyber Attacks - PowerPoint PPT Presentation
1
The Active Response Continuum to Cyber Attacks
David Dittrich, The Information School/Center for Information Assurance and Cybersecurity, University of Washington
AusCERT 2005
2
Overview
  • Why consider Active Responses?
  • What is the Active Response Continuum?
  • Ethical issues
  • Potential solutions

3
Why Consider Active Responses?
4
The James-Younger Gang and the Pinkerton Agency
5
Piracy and Privateering
6
Attacks on supercomputer Centers
7
You are where???
8
Deterrence to Strategic InfoWar
  • SIW is attack on critical infrastructure
  • Military relies on civilian infrastructures
  • Private industry controls civ. inf.
  • Typical deterrent means
    • Denial (not likely!)
    • Punishment (who is attacking?)
  • Answer: encourage industry to improve defenses (hardening and response)

Source: Building a Deterrence Policy Against Strategic Information Warfare, by Geoffrey S. French
9
Impediments to response
  • Private Intrusion Response, Stevan D. Mitchell and Elizabeth A. Banker (11 Harv. J.L. & Tech. 699)
  • Issues cited
    • Difficulties in detection
    • Limited reporting
    • Jurisdictional complexity
    • Resource constraints on LE

10
Issues (cont.)
  • CFAA limits private response
  • LE capabilities vs. private sector
  • Few options between criminal remedies and doing nothing
  • You have to know who attacked you to use civil or criminal remedies
  • Authors call for a balanced public/private approach (more on this later)

11
Growing public debate
(Publisher's blurb for Aggressive Network Self-Defense:)
"Are you tired of feeling vulnerable to the latest security vulnerabilities? Are you fed up with vendors who take too long to release security patches, while criminals waste no time in exploiting those very same holes? Do you want to know who, exactly, is really trying to hack your network? Do you think EVERYONE should be responsible for securing their own systems so they can't be used to attack yours? Do you think you have the right to defend yourself, your network, and ultimately your business against aggressors and adversaries? If so, Aggressive Network Self-Defense is the book for you. Learn how you can take your security into your own hands to identify, target, and nullify your adversaries."
12
Foreword
"There is a certain satisfaction for me in seeing this book published. When I presented my 'strike-back' concept to the security community years ago, I was surprised by the ensuing criticism from my peers. I thought they would support our right to defend ourselves, and that the real challenge would be educating the general public. It was the other way around, however. This is why I'm happy to see Aggressive Network Self-Defense published. It shows that people are beginning to consider the reality of today's Internet. Many issues are not black and white, right or wrong, legal or illegal. Some of the strike-back approaches in this book I support. Others, I outright disagree with. But that's good; it gives us the chance to truly think about each situation, and thinking is the most important part of the security business. Now is the time to analyze the technologies and consider the stories presented in this book before fiction becomes reality."
Timothy M. Mullen, CIO and Chief Software Architect for AnchorIS.Com
13
What is the Active Response Continuum?
14
Framework of actions
  • Attacks vs. Defenses
  • Strategy and Tactics
  • Three perspectives on action
  • Stages of (Cooperative) Response
  • Levels of Force
  • Stages of Security Operations
  • Viability of Actions

15
Considerations
  • Focus or target of the attack (specific, individual vs. general, mass)
  • Type of attack
  • Intent of attack
  • Likelihood that attack is using "innocent" third
    parties as conduits
  • Consequences of attack
  • Length of attack

16
Increasing Attack Sophistication
[Chart: "Attack sophistication vs. intruder technical knowledge", source: CERT/CC. Horizontal axis is a timeline from 1980 to 2001; vertical axis runs from Low to High. One curve labelled "Tools" traces attack sophistication (rising over time), the other labelled "Attackers" traces the technical knowledge an intruder needs (falling over time). Techniques plotted, reading from the top of the chart down: binary encryption, stealth/advanced scanning techniques, denial of service, packet spoofing, distributed attack tools, sniffers, www attacks, automated probes/scans, GUI, back doors, network mgmt. diagnostics, disabling audits, hijacking sessions, burglaries, exploiting known vulnerabilities, password cracking, password guessing.]
17
Defense Sophistication
[Chart: "Defense sophistication vs. defender technical knowledge", drawn as the defender's counterpart to the CERT/CC attack chart. Vertical axis runs from Low to High; one curve for defender knowledge, the other for tools/techniques. Techniques plotted, reading from the top of the chart down: reverse engineering, DDoS mitigation, deception operations, IDS/IPS, high-quality forensics/incident reporting, firewalls, honeynets, patching, network traffic analysis.]
18
Stages of Response (Agora Workshop, June 2001)
  • 0 - Unconscious
  • 1 - Involved
  • 2 - Interactive
  • 3 - Cooperative Response
  • 4 - Non-cooperative (AD) Response

19
Non-cooperative Response
  • The firm/system owner/operator takes measures,
    with or without cooperative support from other
    parties, to attribute, mitigate, or eliminate the
    threat by acting against an uncooperative
    perpetrator or against an organization/firm/system
    that could (if cooperative) attribute, mitigate,
    or eliminate the threat.

20
Active Defense
  • Agora workshop on June 8, 2001 defined Active Defense to be activity at Stage 4
  • Stage 4 has levels, though
    • Less intrusive to more intrusive
    • Less risky to more risky
    • Less disruptive to more disruptive
  • Justification for your actions depends on how well you progress through all 4 stages
  • Response is slowed when differentials (in resources or capability between the parties) occur

21
Levels of Active Response Actions
  • 4.1 - Non-cooperative intelligence collection
    • External services (service enumeration, banner grabbing)
    • Internal services (back doors, login/password, remote exploit, session hijack)
  • 4.2 - Non-cooperative cease & desist
    • Interdiction à la the Berman-Coble bill (a.k.a. the "Hollywood hacking" bill)
    • Disabling malware
  • 4.3 - Retribution or counter-strike
  • 4.4 - Pre-emptive defense
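
Level 4.1 in its mildest external form is banner grabbing. The following is an added example, not code from the talk: it connects to a service, sends nothing (or an optional probe), and records whatever the service volunteers, distinguishing "open and talkative", "open but silent" and "closed". So that it runs offline, the target is a throwaway listener on 127.0.0.1 serving a constructed banner (DEMO_BANNER is not a real product string). Pointing grab_banner() at a host you do not own is exactly the Stage 4 activity the slides are about, and in the US may raise CFAA questions, so keep it to your own kit.

```python
"""Added example: banner grabbing (level 4.1, external services).

Not code from the presentation. The only target is a local stand-in
server with a constructed banner, so the script runs with no network.
"""
import socket
import threading

DEMO_BANNER = b"SSH-2.0-ExampleServer_1.0\r\n"   # constructed, not a real product banner


def start_demo_server(banner: bytes = DEMO_BANNER):
    """Listen on an ephemeral loopback port; send `banner` to one client, then hang up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_one():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)
        except OSError:
            pass  # listener closed before a client arrived

    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()[1], srv


def grab_banner(host, port, timeout=2.0, probe=b"", max_bytes=256):
    """Connect and read whatever the service volunteers.

    Returns the banner text; "" if the port is open but nothing arrived
    within `timeout`; None if the connection was refused or never
    completed. `probe` lets you nudge protocols that only speak after
    the client does (for example an HTTP request line); the default
    sends nothing, which keeps the footprint on the target minimal.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            data = b""
            while len(data) < max_bytes:
                try:
                    chunk = s.recv(max_bytes - len(data))
                except socket.timeout:
                    break                 # open but silent
                if not chunk:
                    break                 # peer closed
                data += chunk
                if b"\n" in data:
                    break                 # one line is enough for a banner
            return data.decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        return None
    except OSError:                       # connect timeout, unreachable host, ...
        return None


def enumerate_services(host, ports, timeout=1.0):
    """Map port -> banner / "" / None, a plain-TCP analogue of a scanner's service-detection pass."""
    return {p: grab_banner(host, p, timeout=timeout) for p in ports}


def demo():
    """Grab from the local stand-in and from a port known to be closed."""
    open_port, srv = start_demo_server()
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                           # released, so nothing listens there now
    try:
        return {"open": grab_banner("127.0.0.1", open_port),
                "closed": grab_banner("127.0.0.1", closed_port)}
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

The distinction between "" and None matters in practice: a silent open port usually means the protocol expects the client to speak first, and deciding whether to send a probe is already a step up the continuum from passive observation.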

22
AD Response Path
23
Risk in ideal case
24
Col. John Boyd's OODA Loop
Source: The Swift, Elusive Sword, Center for Defense Information, http://www.cdi.org/
25
Phases of security operations
  • Preparation
    • Training, instrumentation, knowledge acquisition to "prime the OODA Loop pump"
  • Execution
    • Engaging in the OODA Loop
  • After action review
    • Building orientation capacity

26
Levels of Force
Source: Handbook of Information Security article on Active Response, by David Dittrich and Kenneth E. Himma, forthcoming, John Wiley & Sons
27
Viability of actions (IMHO)
  • Fight DDoS with DDoS (No way)
  • Pre-emptive DoS (Highly unlikely)
  • Retribution (Very risky)
  • Back-tracking (Risky)
  • Information gathering (Less risky)
  • Ambiguity/dynamism (Least risky)

28
Some implications
  • Attacking is easy, so attacking back is easy
  • Advanced attacks call for advanced defenses
  • Trained people are less likely to cause harm
  • The number of people with advanced response skills is small
  • Demands placed on special training that is rare today (how to increase it?)

29
Some implications
  • Need a way to effectively engage LE early enough to help (but this only works if they have capacity to follow through)
  • How to increase capacity / justify the added training for the private sector?
  • Will clamping down on advanced responders w/o a viable alternative encourage attackers?

30
Ethical issues
31
Ethics - The Defense Principle
  • Use force to protect self/others
    • Proportionality of response
    • Necessary to cease harm
    • Directed only at those responsible

32
Ethics - The Necessity Principle
  • Morally acceptable to infringe a right if and only if
    • Infringing results in greater moral value (good of protecting the right << result of infringing it)
    • There is no other option besides infringing

33
Ethics - The Evidentiary Principle
  • Morally permissible to take action under
    principle P if you have adequate reason to
    believe all preconditions of applying P are
    satisfied

34
Conclusions (from HoIS article)
  • Some legal precedent for Defense and Necessity
    principles (NYS code)
  • A clear escalation path should be followed
  • Keeping resource differentials low is desirable
    (e.g., ISACs)
  • Higher levels require greater resources (need for
    public funding?)

Source: Handbook of Information Security article on Active Response, by David Dittrich and Kenneth E. Himma, forthcoming, John Wiley & Sons
35
Potential Solutions
36
What is needed?
  • Rapid data collection/analysis
  • Large body of knowledge of attack
    tools/techniques
  • Determine how attacker is operating
  • Assess available options/outcomes
  • Act

37
The Ideal solution
  • Optimizes limited LE resources
  • Takes advantage of InfoSec experts
  • Provides high-quality evidence to LE
  • Requires min. standards (skills, tools)
  • Ensures accountability of actions
  • Oversight by LE/courts
  • Supports cross-border responses

38
Balanced Public/Private Approach (Mitchell & Banker)
  • Oversight
  • Certification
  • Licensing

39
M&B - Benefits from public/private approach
  • Computer security industry gets
    • Standards
    • Defined liability
    • Marketing advantage from license
    • Spur to growth in tools

40
M&B - Benefits
  • LE gets
    • Cadre of trained professionals
    • Ready-made cases
    • Better info about complex computer crime

41
M&B - Benefits
  • Public gets
    • Trust in quality of service
    • Confidentiality
    • Less risk of third-party damage

42
M&B - Issues to be resolved
  • Under what authority? (Fed or State?)
  • Who should be covered?
  • Mandatory or permissive?
  • Required changes in the law
  • International implications

43
Private Search & Seizure
  • No 4th Amendment restriction on a private search (provided the searcher is not acting as an agent of LE, and LE does not exceed the scope of the private search). U.S. v. Jacobsen, 466 U.S. 109 (1984)
  • If stolen property is easily destructible or concealable, an emergency private search may be justifiable. People v. Williams, 53 Misc. 2d 1086, 1090, 281 N.Y.S.2d 251, 256 (Syracuse City Ct. 1967)

44
Remotely executed search warrants
  • Remote search described like physical search
  • Electronic copy provided to judge (similar to FAX
    today)
  • Judge provides verbal approval (followup in
    writing)
  • Warrant executed remotely

45
All Party Internet Group (UK)
  • Recommend changes to the UK's Computer Misuse Act (CMA)
    • Make impairing access to data a crime
    • Permissive policy for private prosecutions
  • Consider EURIM recommendations
    • Standardized digital evidence collection rules
    • Registers of experts
    • Limited-warrant special constables
    • International investigation teams

46
Special Constables (UK)
47
Special Master (US)
48
New Zealand
49
Singapore (11 Nov 2003)
50
Existing model: 10 CFR 1046.1
  • Department of Energy Physical Protection of
    Security Interests
  • Required of all contractor employees at govt.
    owned facilities, whether or not privately run
  • Defines personnel
  • Defines knowledge, skills, abilities
  • Defines (re)training requirements

51
Cooperative Association
  • IR team members must meet skill requirements & use standard tools
  • All members agree to IR rules of engagement
  • Liability limited by contract
  • All actions must be reviewed by an oversight
    Board
  • LE provides check against abuse

52
How bad an idea was Make Love Not Spam? (Let me count the ways.)
  • David Dittrich, The Information School, University of Washington

53
Implementation
  • Over 100,000 downloads of the screen saver
  • Activates in standby mode
  • Gets XML list of targets (URL blist); one entry looked like:
        <target id="TVRnMA" domain="www.artofsense.com" hits="2251" bytes="6436860" percentage="96.5" responsetime01="410.0" responsetime02="410.0" location="US" url="http://www.artofsense.com/english/" />
  • Sends malformed HTTP GET requests carrying a random blob wrapped in a tag (non-printable bytes shown as ?):
        <makeLOVEnotSPAM>
        5?l?ojMlm(Ngjm?_?vpxz4l(C5>
        </makeLOVEnotSPAM>

54
Stated motives - Malte Pollmann
  • "I have to be very clear that it's not a denial-of-service attack; that would be illegal, but we can send a strong signal that spam is unacceptable."
  • "We slow the remaining bandwidth to 5 percent. It wouldn't be in our interests to carry out DDoS attacks. It is to increase the cost of spamming. We have an interest to make this, economically, not more attractive."
  • "We decided we should attack the flow of money and make it harder to profit from spamming."
  • Web site: "Annoy a spammer now!"

55
Effects of the campaign
  • Netcraft detects two Chinese sites are completely unavailable

56
Relevant Ethical Principles
  • The Defense Principle
  • The Necessity Principle
  • The Evidentiary Principle
  • Punitive actions not ethical/legal

57
Justification - Defense
  • Is the force proportional?
    • N spam emails vs. X Gb?
  • Is it targeted properly?
    • Customers of spammers, not spammers
    • Innocent third parties?

58
Justification - Necessity
  • Does it achieve a greater moral value? (i.e., costing spammers money)
  • Is there any other way to raise spammers' costs?
  • Is this a greater moral value than unimpeded use of purchased network resources?

59
Justification - Evidence
  • Is there adequate reason to believe all
    preconditions are satisfied?

60
Conclusion
  • Morally and ethically, Lycos failed to prove MLNS
    was justifiable
  • They clearly had a punitive motive
  • They may have used excessive force

61
Further legal considerations
  • Violation of CFAA (or similar) laws?
  • Informed consent/misrepresentation?
  • Liability for damages to innocent parties?
  • What if miscreants trick MLNS into attacking .mil
    sites, or innocent .com sites?
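
The last question above is the technical weak point of the whole "Make Love Not Spam" design: the screen saver acted on whatever XML target list it fetched, so whoever controlled that feed, or the path to it, chose the victims. The block below is an added example, not Lycos Europe's code, showing the two checks such a client would need before acting on a target entry in the shape shown on the "Implementation" slide: the feed must be authenticated, and every target must be on an operator-vetted allowlist. The HMAC signing scheme, FEED_KEY, ALLOWED_DOMAINS and the tampered feed are all constructed for illustration.

```python
"""Added example (not Lycos Europe's code): authenticating and vetting a
distributed-client target feed before acting on it.

The feed format mirrors the <target .../> entry on the slide; the key,
allowlist and tampered feed are constructed for this example.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

FEED_KEY = b"constructed-demo-key"            # stand-in for a real signing key
ALLOWED_DOMAINS = {"www.artofsense.com"}       # constructed: the operator's vetted list

# One <target> entry in the shape shown on the "Implementation" slide.
GOOD_FEED = (
    "<targets>"
    '<target id="TVRnMA" domain="www.artofsense.com" hits="2251" '
    'bytes="6436860" percentage="96.5" responsetime01="410.0" '
    'responsetime02="410.0" location="US" '
    'url="http://www.artofsense.com/english/" />'
    "</targets>"
)

# Constructed: the same feed after a miscreant points it at a .mil host.
TAMPERED_FEED = (
    GOOD_FEED.replace('domain="www.artofsense.com"', 'domain="www.example.mil"')
             .replace('url="http://www.artofsense.com/english/"', 'url="http://www.example.mil/"')
)


def sign_feed(feed: str, key: bytes = FEED_KEY) -> str:
    """Hex HMAC-SHA256 over the raw feed; a public-key signature is the real-world choice."""
    return hmac.new(key, feed.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_feed(feed: str, signature: str, key: bytes = FEED_KEY) -> bool:
    return hmac.compare_digest(sign_feed(feed, key), signature)


def parse_targets(feed: str) -> list:
    """Turn <target .../> elements into dicts with the numeric fields coerced."""
    # The feed is untrusted input. ElementTree does not fetch external
    # entities, but a production client should parse with defusedxml.
    targets = []
    for el in ET.fromstring(feed).iter("target"):
        t = dict(el.attrib)
        t["hits"] = int(t.get("hits", "0"))
        t["bytes"] = int(t.get("bytes", "0"))
        t["percentage"] = float(t.get("percentage", "0"))
        targets.append(t)
    return targets


def vet_target(t: dict, allowed=ALLOWED_DOMAINS):
    """Return (ok, reason): the url host must match the domain field and be allowlisted."""
    host = (urlsplit(t.get("url", "")).hostname or "").lower()
    if host != t.get("domain", "").lower():
        return False, "domain/url mismatch"
    if host not in allowed:
        return False, f"{host} is not on the allowlist"
    return True, "ok"


def load_targets(feed: str, signature: str, key: bytes = FEED_KEY, allowed=ALLOWED_DOMAINS):
    """Return (accepted_targets, rejection_reasons); an unauthenticated feed yields no targets."""
    if not verify_feed(feed, signature, key):
        return [], ["feed signature invalid: refusing every target"]
    accepted, rejected = [], []
    for t in parse_targets(feed):
        ok, why = vet_target(t, allowed)
        if ok:
            accepted.append(t)
        else:
            rejected.append(f"{t.get('url')}: {why}")
    return accepted, rejected


if __name__ == "__main__":
    print(load_targets(GOOD_FEED, sign_feed(GOOD_FEED)))
    print(load_targets(TAMPERED_FEED, sign_feed(GOOD_FEED)))      # forged feed, stale signature
    print(load_targets(TAMPERED_FEED, sign_feed(TAMPERED_FEED)))  # key compromised: allowlist still blocks
```

The two checks are independent on purpose: the signature stops a hijacked feed, and the allowlist limits the damage if the signing key itself is compromised. Neither settles the proportionality or third-party questions the slides raise; they only ensure the client hits the targets its operator chose.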

62
Thanks and questions
  • Contact: Dave Dittrich, Information Assurance Researcher, The Information School, dittrich(at)u.washington.edu, http://staff.washington.edu/dittrich/