Caution: Not Executing Offensive Actions Against Our Adversaries is High Risk

Nov 29, 2012
Critical Infrastructure, Cybercrime, IT Jobs

I recently read Jody Westby’s blog on Forbes (which is a great article) on the subject of “Caution: Active Response to Cyber Attacks Has High Risk.” There are several areas I agree with in Jody’s blog, but there are equally the same number of areas, if not more areas, where I disagree. Certainly, cybersecurity will never get better until we are able to curb cybercrime. However, there is much more we need to do to improve cybersecurity. These center around truly building security into every function of business and IT planning. If we build security into every function and facet of every bit of software and hardware that we create, implement and deploy, then our levels of risk will be reduced significantly. This means that regardless of the level of attempts at cybercrime, our data is protected. If we encapsulate our sensitive data upon inception, much like the creators of Gauss encrypted the payload, then we significantly reduce risk.

The new approach that is referred to in the article as “hacking back,” “striking back,” or “active defense (an oxymoron to begin with),” is described as alarming. I find it to be refreshing and required.

Having been a CISO and suffered continuous probes, scans, hacking attempts, hacks, cyber intelligence gathering, cyber espionage attempts along with sabotage, I can tell you directly and accurately that most CISOs agree with my approach. They will not utilize such an approach since they are not authorized to do so, and do not have the skills, technology or capabilities to do so, but they applaud those who don’t just stand in the ring taking body shots and head blows from multiple opponents at the same time.

The legal issues notwithstanding, offensive cyber actions are the only way we are going to get our adversaries to pay attention. Whether they are cyber criminals, foreign intelligence services, cyber proxies, hackers, hacktivists, or some other such adversary, we need to do more than just stand and take a beating.

When the article discusses too few trained cyber cops, I agree. When folks like me and others offer assistance, whether to law enforcement or other federal organizations, we are turned away and labeled vigilantes. While law enforcement is being trained, we are still losing data at record rates. While we discuss what to do legally, we are hemorrhaging information from every IT orifice. For over two years now, I have watched lawyers at the NATO Cyber Conference in Estonia discuss what to do yet the discussion has yet to become actionable. As my information is being stolen, leveraged against me and used to impersonate me (like scores of thousands of other citizens), we continue to sit in rooms and discuss what to do.

When we attack the attackers (and this is not active defense), they cannot attack us. Most cyber criminals have absolutely no defensive posture whatsoever. When hit with an offensive attack, they quickly shift their targets since it is not cost effective and their whole intent is economic in nature.

When Jody discusses Seculert, I agree that companies with sinkholes can warn companies when their IP addresses show up in botnet traffic (of course Unveillance had been doing this for years – now part of Mandiant – and ShadowServer offers it as well (non-profit)). Many organizations have their own sinkholes and do not have to pay for that service.

Crowdstrike proclaims a great deal of services that they believe are offensive in nature. I remain skeptical and see them as cyber law enforcement (since they hired law enforcement to run their services and law enforcement legal to ensure their activities are legal). Sounds like cyber law enforcement to me. Since 2005, through Treadstone 71, I have been providing surveillance, reconnaissance, cyber intelligence, open source intelligence, and cyber counterintelligence services in jihadist sites against our Al-Qa’eda adversaries. Since 2005 and before, the owners of Crowdstrike have been selling defensive technologies (McAfee).

I am confused by their claim of involvement in:

“surveillance and reconnaissance, counter-espionage techniques, hostile target dismantling, and denial and deception,” on one hand, when Shawn Henry indicates that his company does not advocate hacking into systems. “We want to help companies do what they can, within their own firewall and within the confines of the law, to make them more resilient and secure,” he said. “We encourage our clients to be proactive, not reactive, by taking actions that create confusion and doubt for the attacker and cause them to go elsewhere,” he added. One tactic Crowdstrike uses is to feed an adversary fake data instead of the intellectual property or specific data they are seeking. “Watching what an adversary is doing, the data they seek, and the tactics they use may be helpful in determining who is conducting the attack,” Henry adds.

Therefore, the messaging coming out of Crowdstrike is confusing to say the least. Are you or are you not offensive? (Best define it first.) Are you or are you not cyber law enforcement? A $26M investment is an awful lot of money to have confusing messaging. In addition, I can get indicators for free through data sharing with companies like Raytheon. Sounds to me that Crowdstrike is trying to operate much like the FBI did with the Coreflood takedown.

The information used by Crowdstrike to provide greater security through proactive actions requires a great deal of intelligence gathering, production, and analysis in order to extract actionable intelligence. That actionable intelligence is really adversary indicators: indicators that define and describe trends, tendencies, methods, modes, and actions under conditions taken by the adversary. I just attended the CISO Executive Summit in Boston put on by Evanta. At the Summit, Jeff Brown of Raytheon offered these indicators for free. What he offers is up to 2,000 different indicators a day collected by one of the world’s largest companies from the US military industrial complex. Why pay for indicators when you can share them amongst many companies and apply indicators that are not only proactive but eventually predictive? If companies do this (which they should, since they are not sharing data about their environments but indicators on the attackers), then Crowdstrike does not have a sustainable model. I do not have to pay for the data points and actionable indicator intelligence. I can share it today. Of course the folks at Crowdstrike will take great umbrage with this post.
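The two defensive mechanisms mentioned above, a sinkhole operator warning an organization when its addresses appear in botnet traffic and companies exchanging attacker indicators rather than data about their own environments, can be shown in a few lines of detection logic. The following is an added example, not code from the post or from any vendor it names. The address blocks, sinkhole report, indicator feed and proxy log are all constructed (RFC 5737 documentation ranges and `.invalid` hostnames); the function names are assumptions.

```python
"""Match a shared sinkhole report and a shared indicator feed against an
organization's own address space and outbound proxy log (constructed data)."""
import ipaddress
from collections import defaultdict

# Assumption: the address blocks this organization announces (RFC 5737 test ranges).
OUR_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sinkhole report, as a sinkhole operator would share it:
# "timestamp source_ip sinkholed_domain". Sources outside our ranges are
# other people's infections and must be ignored.
SINKHOLE_REPORT = """\
2012-11-28T09:14:02Z 203.0.113.45 c2-alpha.example.invalid
2012-11-28T09:14:07Z 192.0.2.17 c2-alpha.example.invalid
2012-11-28T09:15:40Z 198.51.100.9 c2-beta.example.invalid
2012-11-28T09:16:01Z 198.51.100.200 c2-beta.example.invalid
2012-11-28T09:17:13Z 203.0.113.45 c2-gamma.example.invalid
"""

# Constructed shared indicator feed: attacker-side values only.
SHARED_INDICATORS = {
    "domain": {"c2-alpha.example.invalid", "dropzone.example.invalid"},
    "ip": {"192.0.2.99"},
}

# Constructed outbound proxy log: "timestamp client_ip dest_host dest_ip".
PROXY_LOG = """\
2012-11-28T10:01:00Z 203.0.113.77 www.example.org 192.0.2.1
2012-11-28T10:01:05Z 203.0.113.12 dropzone.example.invalid 192.0.2.50
2012-11-28T10:02:30Z 203.0.113.45 updates.example.net 192.0.2.99
"""


def is_ours(ip_str):
    """True if the address falls inside one of our announced blocks."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in OUR_NETWORKS)


def infected_hosts_from_sinkhole(report):
    """Map each of our addresses seen at the sinkhole to the domains it reached."""
    hits = defaultdict(set)
    for line in report.splitlines():
        if not line.strip():
            continue
        _ts, src, domain = line.split()
        if is_ours(src):
            hits[src].add(domain)
    return {ip: sorted(domains) for ip, domains in hits.items()}


def match_proxy_log(log, indicators):
    """Return (client_ip, indicator_type, value) for every outbound hit."""
    matches = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, host, dest = line.split()
        if host in indicators["domain"]:
            matches.append((client, "domain", host))
        if dest in indicators["ip"]:
            matches.append((client, "ip", dest))
    return matches


def indicators_to_share(report, log, indicators):
    """Build the set we would hand to partners: sinkholed domains plus the
    destination IP / hostname pivoted from each proxy hit. Our own client
    addresses are deliberately never included."""
    shared = {"domain": set(), "ip": set()}
    for line in report.splitlines():
        if line.strip():
            shared["domain"].add(line.split()[2])
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, _client, host, dest = line.split()
        if host in indicators["domain"]:
            shared["ip"].add(dest)      # infrastructure behind a known domain
        if dest in indicators["ip"]:
            shared["domain"].add(host)  # name pointing at a known C2 address
    return shared


if __name__ == "__main__":
    for ip, domains in infected_hosts_from_sinkhole(SINKHOLE_REPORT).items():
        print(f"sinkhole: {ip} reached {', '.join(domains)}")
    for client, kind, value in match_proxy_log(PROXY_LOG, SHARED_INDICATORS):
        print(f"proxy: {client} -> {kind} {value}")
    print("to share:", indicators_to_share(SINKHOLE_REPORT, PROXY_LOG, SHARED_INDICATORS))
```

Note that 198.51.100.200 is correctly dropped: it lies outside the /25 we own, so a sinkhole hit for it belongs to someone else, which is exactly the boundary a sinkhole warning service has to respect. The outbound set that goes to partners contains only attacker infrastructure, never the internal client addresses, which is the distinction the paragraph draws between sharing indicators and sharing environment data.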

Let us call active defense what it really is. It is a counter attack. By definition of counter attack, it is truly offensive in nature (if it is truly a counter attack). Is it really illegal to execute a counter attack? Based upon whose law, where? As my information continues to flow at record levels and pace, should I stand idly by and wait for law enforcement to catch up? I think not. Could there be collateral damage? Certainly. Could laws be broken? Certainly. However, what laws are those and who is going to prove them? If I take action against my adversaries, and it is on their virtual soil, am I really concerned? We may not have MLATs with these countries. And even if we do, it does not mean that the adversaries are not wired into the foreign intelligence services of that country.

When counter attacking or openly attacking an adversary, it is going to be just as difficult for the adversary to identify me (a collective me) as it is for me to identify them, if not more difficult. For years we have been watching their methods, identifying and tracking their tools and tendencies to the point where we (in our efforts to counter attack) look and smell just like our enemies. They do not even know we are virtually standing right next to them. They believe it is their brother in arms. The usage of sock puppets, anonymity, methods of misinformation, disinformation, cyber psyops, cyber sabotage and espionage greatly diminishes their capabilities and forces the adversary to invest in defensive measures. It forces them to defend their environments. When doing this, they are certainly not attacking us. In fact, I teach these methods at Utica College in their Masters Program on Cybersecurity: Intelligence and Forensics as well as through Treadstone 71 and Secure Ninja.

We must look at our current cyber legal and military environment as it relates to defending our virtual homeland. It is highly immature with limited vision and strategic foresight for creating a cyber National Guard and cyber police force. In the meantime, we hemorrhage data. We are living in a world much like the times of the French and Indian War (Seven Years War) where there are protected locations such as Albany, Fort Edward, and Fort William Henry, all secured by military means while the rest of the territory is left to fend for itself. We are much like the frontiersmen and women depicted in the movie “Last of the Mohicans,” where we have carved out a virtual living for ourselves in potentially hostile area. We live amongst the enemy and understand their methods and indicators. We know the enemy as we know ourselves and in doing so, we are able to fight them on the same level, with the same tactics that they use. We do so to protect ourselves until the proper authorities become organized and move to defend us.

The legal doctrine of self-defense is fine in the physical world but it does not apply in the virtual world. At least not yet. We are still on that proverbial frontier. I am sure that I will not stand idly by as my virtual cabin and settlement burns to the ground. There is a positive outcome when attacking your cyber adversaries. It disrupts their command and control. It forces them off their mission. It forces the adversary to invest in measures they have never invested in. It forces a ripple in their activities that can then be tracked through primary, secondary and tertiary actions. Standard methods in the intelligence community.

When it is mentioned that companies may suffer reputational issues, stock price drops or financial losses, I can only state that this is exactly what has been happening for years as companies lose data and suffer all the above. I would be more inclined to invest in a company that protects my data through any means as opposed to one that continues to lose it.

I ask the question: Is it more risky to continue the same methods of cyber defense (stand in the ring with multiple opponents just bobbing and weaving never throwing a punch) or more risky to start fighting back with jabs, combinations, head and body blows?

Are the current administration’s cyber actions really reckless? The US has been getting hit with cyber attacks and malware for years targeting our financial systems, military secrets and consumer information. Isn’t it time we used our capabilities to attack our adversaries in a virtual mode? Doesn’t it save more American lives if we virtually sabotage Iranian centrifuges and disrupt their desires for nuclear weaponry as opposed to bombing and/or invading? Isn’t it much cheaper to execute such activities as opposed to bankrupting the country through another war? Weren’t the physical wars in Iraq and Afghanistan enough to show that if we have the virtual means to extend negotiations to drive an outcome, we should use them?

Do we really think that establishing a convention on cyber crime is going to stop our adversaries? They do not recognize our virtual borders or virtual sovereignty as it is. Why would they recognize a convention on cybercrime? All this does is force offensive cyber forces to establish unwieldy ‘rules of engagement’ that tie the hands of those who can execute offensive cyber actions. If you believe otherwise I recommend a read of “Unrestricted Warfare.” The rodeo started years ago (Titan Rain, Moonlight Maze and Operation Aurora to name a few). The problem is that we are in the ring with several bulls at one time. As a former CISO and current cyber security and intelligence consultant, I can tell you that we need to become bulls ourselves and flood the ring with our own.

The courses of action that Jody recommends are admirable and should be followed but these will take years. In the meantime, my data flows. There needs to be parallel offensive action to protect our assets while we wait for those courses of action to take effect. We can ill afford to stand idly by while our intellectual property, our most sensitive information and our wealth is pilfered on a daily basis.

NOTE: Jody Westby and I are friends and actually work together. It just shows that people with differences of opinion and/or doctrine can actually work together for the greater good of improving our information security capabilities.