1 The Active Response Continuum to Cyber Attacks David Dittrich The Information School/Center for Information Assurance and Cybersecurity University of Washington AusCERT 2005

2 Overview
Why consider Active Responses?
What is the “Active Response Continuum?”
Ethical issues
Potential solutions

3 Why Consider Active Responses?

4 The James-Younger Gang and the Pinkerton Agency

5 Piracy and Privateering

6 Attacks on supercomputer Centers

7 You are… where???

8 Deterrence to Strategic InfoWar
SIW is attack on critical infrastructure
Military relies on Civilian Infrastructures
Private industry controls Civ. Inf.
Typical deterrent means: Denial (not likely!); Punishment (who is attacking?)
Answer: Encourage industry to improve defenses (hardening and response)
Source: Building a Deterrence Policy Against Strategic Information Warfare, by Geoffrey S. French

9 Impediments to response
“Private Intrusion Response,” Stevan D. Mitchell and Elizabeth A. Banker (11 Harv. J. Law & Tech 699)
Issues cited: Difficulties in detection; Limited reporting; Jurisdictional complexity; Resource constraints on LE

10 Issues (cont.)
CFAA limits private response
LE capabilities vs. private sector
Options few between criminal remedies and doing nothing
You have to know who attacked you to use civil or criminal remedies
Authors call for balanced public/private approach (more on this later…)

11 Growing public debate “Are you tired of feeling vulnerable to the latest security vulnerabilities? Are you fed up with vendors who take too long to release security patches, while criminals waste no time in exploiting those very same holes? Do you want to know who, exactly, is really trying to hack your network? Do you think EVERYONE should be responsible for securing their own systems so they can't be used to attack yours? Do you think you have the right to defend yourself, your network, and ultimately your business against aggressors and adversaries? If so, Aggressive Network Self-Defense is the book for you. Learn how you can take your security into your own hands to identify, target, and nullify your adversaries.”

12 Foreword There is a certain satisfaction for me in seeing this book published. When I presented my "strike-back" concept to the security community years ago, I was surprised by the ensuing criticism from my peers. I thought they would support our right to defend ourselves, and that the real challenge would be educating the general public. It was the other way around, however. This is why I'm happy to see Aggressive Network Self-Defense published. It shows that people are beginning to consider the reality of today's Internet. Many issues are not black and white, right or wrong, legal or illegal. Some of the strike-back approaches in this book I support. Others, I outright disagree with. But that's good--it gives us the chance to truly think about each situation--and thinking is the most important part of the security business. Now is the time to analyze the technologies and consider the stories presented in this book before fiction becomes reality. Timothy M. Mullen, CIO and Chief Software Architect for AnchorIS.Com

13 What is the “Active Response Continuum?”

14 Framework of actions
Attacks vs. Defenses
Strategy and Tactics
Three perspectives on “action”: Stages of (Cooperative) Response; Levels of “Force”; Stages of Security Operations
Viability of Actions

15 Considerations
Focus or target of the attack (specific, individual vs. general, mass)
Type of attack
Intent of attack
Likelihood that attack is using "innocent" third parties as conduits
Consequences of attack
Length of attack

16 [Chart: Attack sophistication vs. Intruder Technical Knowledge (Source: CERT/CC, 1998). Axes: Intruder Knowledge (High to Low) against Attack Sophistication (increasing over time). Tools and attackers plotted include: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, “stealth”/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption.]

17 [Chart: Defense sophistication vs. Defender Technical Knowledge. Axes: Defender Knowledge (High to Low) against Defense Sophistication. Tools/techniques plotted include: Patching, Firewalls, IDS/IPS, Network Traffic Analysis, Honeynets, DDoS mitigation, High Quality Forensics/Incident Reporting, Reverse Engineering, Deception Operations.]

18 Stages of Response (Agora Workshop, June 2001)
0 - Unconscious
1 - Involved
2 - Interactive
3 - Cooperative Response
4 - Non-cooperative (AD) Response

19 “Non-cooperative Response” “The firm/system owner/operator takes measures, with or without cooperative support from other parties, to attribute, mitigate, or eliminate the threat by acting against an uncooperative perpetrator or against an organization/firm/system that could (if cooperative) attribute, mitigate, or eliminate the threat.”

20 Active Defense
Agora workshop on June 8, 2001 defined “Active Defense” to be activity at Stage 4
Stage 4 has levels, though: less intrusive to more intrusive; less risky to more risky; less disruptive to more disruptive
Justification for your actions depends on how well you progress through all 4 stages
Response is slowed when differentials occur

21 Levels of Active Response Actions
Non-cooperative “intelligence” collection: External services (service enumeration, banner grabbing); Internal services (back doors, login/password, remote exploit, session hijack)
Non-cooperative “cease & desist”
“Interdiction” à la the Berman-Coble Bill (a.k.a. “Hollywood hacking”)
Disabling malware
Retribution or counter-strike
Pre-emptive defense

22 AD Response Path

23 Risk in ideal case

24 Col. John Boyd’s “OODA Loop” Source: “The Swift, Elusive Sword,” Center for Defense Information,

25 Phases of security operations
1. Preparation: Training, instrumentation, knowledge acquisition to "prime the OODA Loop pump"
2. Execution: Engaging in the OODA Loop
3. After action review: Building orientation capacity

26 Levels of “Force” Source: “Handbook of Information Security” article on Active Response, by David Dittrich and Kenneth E. Himma, forthcoming, John Wiley & Sons

27 Viability of actions (IMHO)
Fight DDoS with DDoS (No way)
Pre-emptive DoS (Highly unlikely)
Retribution (Very risky)
Back-tracking (Risky)
Information gathering (Less risky)
Ambiguity/dynamism (Least risky)

28 Some implications
Attacking is easy
Attack back is easy
Advanced attacks / Advanced Defenses
Trained people are less likely to cause harm
# of people with advanced response skills is small
Demands placed on special training that is rare today (How to increase?)

29 Some implications
Need a way to effectively engage LE early enough to help (but this only works if they have capacity to follow through)
How to increase capacity & justify the added training for private sector?
Will clamping down on advanced responders w/o a viable alternative encourage attackers?

30 Ethical issues

31 Ethics - The Defense Principle
Use “force” to protect self/others
Proportionality of response
Necessary to cease harm
Directed only at those responsible

32 Ethics - The Necessity Principle
Morally acceptable to infringe a right if and only if:
Infringing results in greater moral value
Good of protecting << Result of infringing
There is no other option besides infringing

33 Ethics - The Evidentiary Principle Morally permissible to take action under principle P if you have adequate reason to believe all preconditions of applying P are satisfied

34 Conclusions (from HoIS article)
Some legal precedent for Defense and Necessity principles (NYS code)
A clear escalation path should be followed
Keeping resource differentials low is desirable (e.g., ISACs)
Higher levels require greater resources (need for public funding?)
Source: “Handbook of Information Security” article on Active Response, by David Dittrich and Kenneth E. Himma, forthcoming, John Wiley & Sons
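The slides treat the stages of response (slide 18), the risk ranking of Stage 4 actions (slide 27) and the three ethical principles (slides 31-33) as a gate a responder should pass before acting. The following is an added example of that gate as a pre-action check, not code from the talk or the Handbook article; the flag names on the proposal record, the integer risk scores (used only to sort the slide's own ordering) and the two sample proposals are assumptions. The first sample proposal is modelled on the MLNS conclusions later in the deck (punitive motive, targets that are not those responsible, possibly excessive force).

```python
"""Pre-action check for a proposed Stage 4 (non-cooperative) response.

Added example built on the slides' escalation path, viability ranking and ethical
principles. Flag names, risk scores and sample proposals are assumptions.
"""
from dataclasses import dataclass

# Stages of response from the Agora workshop list (slide 18).
STAGES = {
    0: "Unconscious",
    1: "Involved",
    2: "Interactive",
    3: "Cooperative Response",
    4: "Non-cooperative (AD) Response",
}

# Viability ranking from slide 27, least to most risky. The order is the slide's;
# the integer scores are an assumption used only to sort.
RISK = {
    "ambiguity/dynamism": 1,      # least risky
    "information gathering": 2,   # less risky
    "back-tracking": 3,           # risky
    "retribution": 4,             # very risky
    "pre-emptive DoS": 5,         # highly unlikely
    "fight DDoS with DDoS": 6,    # no way
}


@dataclass
class Proposal:
    """A candidate Stage 4 action and the facts the responder believes about it."""
    action: str
    stages_completed: frozenset     # cooperative stages (1-3) actually worked through
    harm_ongoing: bool              # Defense: action is necessary to cease harm
    proportional: bool              # Defense: proportionality of response
    targets_only_responsible: bool  # Defense: directed only at those responsible
    no_other_option: bool           # Necessity: no option besides infringing
    evidence_adequate: bool         # Evidentiary: adequate reason to believe the above
    punitive_motive: bool           # punitive actions are not ethical/legal (slide 56)


def findings(p: Proposal) -> list:
    """Objections to p under the escalation path and the three principles; empty means none found."""
    if p.action not in RISK:
        raise ValueError(f"unknown action: {p.action}")
    out = []
    missing = {1, 2, 3} - set(p.stages_completed)
    if missing:
        out.append("escalation path: stages %s not worked through before Stage 4"
                   % ", ".join(f"{s} ({STAGES[s]})" for s in sorted(missing)))
    if p.punitive_motive:
        out.append("punitive motive: punitive actions are not ethical/legal")
    if not p.harm_ongoing:
        out.append("defense principle: no ongoing harm for the action to cease")
    if not p.proportional:
        out.append("defense principle: force is not proportional")
    if not p.targets_only_responsible:
        out.append("defense principle: action is not directed only at those responsible")
    if not p.no_other_option:
        out.append("necessity principle: another option besides infringing exists")
    if not p.evidence_adequate:
        out.append("evidentiary principle: preconditions not adequately established")
    return out


def justified(p: Proposal) -> bool:
    """True only when every check passes; any single objection blocks the action."""
    return not findings(p)


def less_risky_alternatives(action: str) -> list:
    """Actions ranked less risky than `action` on slide 27, least risky first."""
    return [a for a, r in sorted(RISK.items(), key=lambda kv: kv[1]) if r < RISK[action]]


# Constructed case modelled on the MLNS discussion: the talk concludes the motive was
# punitive, the targets were spammers' customers rather than spammers, and the force may
# have been excessive. The remaining flags are set generously so those three stand out.
MLNS_LIKE = Proposal(
    action="retribution",
    stages_completed=frozenset({1, 2, 3}),
    harm_ongoing=True,
    proportional=False,
    targets_only_responsible=False,
    no_other_option=True,
    evidence_adequate=True,
    punitive_motive=True,
)

# Constructed contrast: passive information gathering with all preconditions met.
INFO_GATHERING = Proposal(
    action="information gathering",
    stages_completed=frozenset({1, 2, 3}),
    harm_ongoing=True, proportional=True, targets_only_responsible=True,
    no_other_option=True, evidence_adequate=True, punitive_motive=False,
)

if __name__ == "__main__":
    for p in (MLNS_LIKE, INFO_GATHERING):
        print(p.action, "->", findings(p) or "no objection found")
        print("  less risky alternatives:", less_risky_alternatives(p.action))
```

The check is deliberately conjunctive: the Evidentiary Principle on slide 33 makes the other two conditional on having adequate reason to believe their preconditions hold, so a single unmet flag is enough to stop the action, and `less_risky_alternatives` points the responder back down the slide 27 ranking rather than leaving "no" as the only answer.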

35 Potential Solutions

36 What is needed?
Rapid data collection/analysis
Large body of knowledge of attack tools/techniques
Determine how attacker is operating
Assess available options/outcomes
Act

37 The “Ideal” solution
Optimizes limited LE resources
Takes advantage of InfoSec experts
Provides high-quality evidence to LE
Requires min. standards (skills, tools)
Ensures accountability of actions
Oversight by LE/courts
Supports cross-border responses

38 Balanced Public/Private Approach (Mitchell & Banker)
Oversight
Certification
Licensing

39 M&B - Benefits from public/private approach
Computer Security Industry gets: Standards; Defined liability; Marketing advantage from license; Spur growth in tools

40 M&B - Benefits…
LE gets: Cadre of trained professionals; “Ready made” cases; Better info about complex computer crime

41 M&B - Benefits…
Public gets: Trust in quality of service; Confidentiality; Less risk of third-party damage

42 M&B - Issues to be resolved
Under what authority? (Fed or State?)
Who should be covered?
Mandatory or permissive?
Required changes in the law
International implications

43 Private Search & Seizure
No 4th Amend. restriction to private search (provided not acting as agent & LE does not exceed private search): U.S. v. Jacobsen, 466 U.S. 109 (1984)
If stolen property is easily destructible or concealable, emergency private search may be justifiable: People v. Williams, 53 Misc. 2d 1086, 1090, 281 N.Y.S.2d 251, 256 (Syracuse City Ct. 1967)

44 Remotely executed search warrants
Remote search described like physical search
Electronic copy provided to judge (similar to FAX today)
Judge provides verbal approval (followup in writing)
Warrant executed remotely

45 All Party Internet Group (UK)
Recommend changes to UK’s Computer Misuse Act (CMA): Make impairing access to data a crime; Permissive policy for private prosecutions
Consider EURIM recommendations: Standardized digital evidence collection rules; Registers of experts; Limited warrant special constables; International investigation teams

46 “Special Constables” (UK)

47 “Special Master” (US)

48 New Zealand

49 Singapore (11 Nov 2003)

50 Existing model: 10 CFR Department of Energy Physical Protection of Security Interests
Required of all contractor employees at govt. owned facilities, whether or not privately run
Defines personnel
Defines knowledge, skills, abilities
Defines (re)training requirements

51 Cooperative Association
IR team members must meet skill requirements & use standard tools
All members agree to IR “rules of engagement”
Liability limited by contract
All actions must be reviewed by an oversight Board
LE provides check against abuse

52 How bad an idea was “Make Love Not Spam?” (Let me count the ways.) David Dittrich The Information School University of Washington

53 Implementation
Over 100,000 downloads of the screen saver
Activates in standby mode
Gets XML list of targets (URL blist)
Sends mal-formed HTTP GET requests
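From the target's side, the campaign described on this slide looks like a large number of distinct clients each sending malformed GET request lines. The following is an added example of detection logic for that pattern run over web server access logs; it is not code from the talk or from Lycos. It assumes the site logs in the Apache/nginx "combined" format, the sample log lines and the 192.0.2.0/24 client addresses are constructed, the thresholds are placeholders to tune per site, and since the exact bytes the screen saver sent are not on the slides the malformed request lines here are generic ones.

```python
"""Flag a distributed flood of malformed HTTP GET request lines in an access log.

Added example; log format, sample lines and thresholds are assumptions.
"""
import re
from collections import defaultdict

# One "combined"-format access log line (assumption: this is what the site logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# A well-formed request line is exactly METHOD SP request-target SP HTTP/major.minor.
REQ_RE = re.compile(r'^(GET|HEAD|POST) \S+ HTTP/\d\.\d$')


def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_malformed(request_line):
    """True when the logged request line is not a well-formed HTTP/1.x request line."""
    return REQ_RE.match(request_line) is None


def analyze(lines, min_sources=3, malformed_ratio=0.5):
    """Per-source tally of malformed requests, plus whether the pattern looks distributed.

    A source is flagged when at least `malformed_ratio` of its requests are malformed;
    the activity is called distributed when at least `min_sources` distinct sources are
    flagged. Both thresholds are assumptions to tune per site.
    """
    per_ip = defaultdict(lambda: {"malformed": 0, "total": 0})
    parsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an access log record; skipped rather than counted
        parsed += 1
        per_ip[rec["ip"]]["total"] += 1
        if is_malformed(rec["req"]):
            per_ip[rec["ip"]]["malformed"] += 1
    flagged = sorted(
        ip for ip, c in per_ip.items()
        if c["total"] and c["malformed"] / c["total"] >= malformed_ratio
    )
    return {
        "parsed": parsed,
        "sources": len(per_ip),
        "flagged_sources": flagged,
        "distributed": len(flagged) >= min_sources,
    }


# Constructed sample: 192.0.2.0/24 is the documentation address range, not real clients.
# Apache writes control characters in the request line as \xNN escapes, as in line 5.
SAMPLE_LOG = r'''
192.0.2.10 - - [01/Dec/2004:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.10 - - [01/Dec/2004:10:00:02 +0000] "GET /products.html HTTP/1.1" 200 8192
192.0.2.21 - - [01/Dec/2004:10:00:02 +0000] "GET /" 400 226
192.0.2.21 - - [01/Dec/2004:10:00:03 +0000] "GET  /  HTTP/1.0" 400 226
192.0.2.22 - - [01/Dec/2004:10:00:03 +0000] "GET /\x01\x02\x03" 400 226
192.0.2.22 - - [01/Dec/2004:10:00:04 +0000] "GET /" 400 226
192.0.2.23 - - [01/Dec/2004:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.23 - - [01/Dec/2004:10:00:05 +0000] "GET /" 400 226
192.0.2.24 - - [01/Dec/2004:10:00:05 +0000] "GET /" 400 226
this line is not an access log record
'''.strip().splitlines()

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The number of distinct flagged sources, not the rate from any one of them, is the signal that matters here: each screen saver contributes little, so per-client rate limiting sees nothing unusual while the count of sources sending mostly malformed requests climbs. The 400 status column is a second, independent signal an operator can compare against the request-line check.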

54 Stated motives - Malte Pollmann
Not a denial-of-service attack; that would be illegal. Send a strong signal that spam is unacceptable:
“I have to be very clear that it's not a denial-of-service attack…that would be illegal, but we can send a strong signal that spam is unacceptable.”
Slow the remaining bandwidth to 5 percent; increase the cost of spamming:
“We slow the remaining bandwidth to 5 percent. It wouldn't be in our interests to [carry out DDoS attacks]. It is to increase the cost of spamming. We have an interest to make this, economically, not more attractive.”
Attack the flow of money and make it harder to profit:
“[We decided we] should attack the flow of money and make it harder to profit from [spamming].”
Annoy. Web site: “Annoy a spammer now!”

55 “Effects of the campaign” Netcraft detects two Chinese sites are completely unavailable

56 Relevant Ethical Principles
The Defense Principle
The Necessity Principle
The Evidentiary Principle
Punitive actions not ethical/legal

57 Justification - Defense
Is the force proportional? N spams == X Gb?
Is it targeted properly? Customers of spammers, not spammers. Innocent third parties?

58 Justification - Necessity
Does it achieve a greater moral value? (i.e., costing spammers $$$)
Is there any other way to raise spammers’ costs?
Is this a greater moral value than unimpeded use of purchased network resources?

59 Justification - Evidence Is there adequate reason to believe all preconditions are satisfied?

60 Conclusion
Morally and ethically, Lycos failed to prove MLNS was justifiable
They clearly had a punitive motive
They may have used excessive “force”

61 Further legal considerations
Violation of CFAA (or similar) laws?
Informed consent/misrepresentation?
Liability for damages to innocent parties?
What if miscreants trick MLNS into attacking .mil sites, or innocent .com sites?

62 Thanks and questions Contact: Dave Dittrich Information Assurance Researcher The Information School dittrich(at)u.washington.edu