Building a Lean Forward Approach to Offense as a Defense
Last weekend information security professionals from around the globe gathered for the 2013 Suits and Spooks Conference in Washington, DC. The focus was on offense as a defensive tactic, often referred to as “active defense”. I was both an attendee and a speaker / panel moderator at the conference. The event was awesome. It featured collaboration and intellectually driven discourse on matters of extreme importance to our industry. Heated discussions seemed to be taking place everywhere: in hallways, foyers and of course the session rooms.

The first panel that I was on dealt with a particularly challenging topic: bringing the fight to the adversary. For most people in our space, when they hear or read statements that espouse bringing the fight to the adversary, their thoughts immediately drift towards offensively driven “hack back” scenarios. My experience on this panel, however, could not have been more to the contrary. We discussed castle building (explain or include link to a definition) and the failures of current and traditional operational security models. This discussion also touched on how our inability to effectively see traditional operational security models through to fruition could be an indicator of how an unskilled enterprise might perform should it engage in a truly offensive capacity. In the end, all of us agreed that the current United States Code was clear on what is and what is not deemed legal (never mind the ethical arguments). We came to the conclusion that unless forcefully compelled by the courts, offensive measures were likely troublesome at best and disastrous at worst. This panel forced me to rethink the topic of offensive measures and in some ways reposition my own beliefs.
I believe that offensive security measures (when thoughtful and measured) can be effective. I believe advanced active defensive strategies, when applied in a lean forward manner, can provide organizations a great deal of insight into who their adversaries truly are, what they want and how they are attempting to gain access to the target assets in question. Surprisingly, while most strongly agreed that attribution was critically important when defending against an attack, there was notable dissent on the subject. I believe that active defense begins with the basics, and though I am skeptical of the way in which many organizations operate with respect to the basics of information security, I advocate a hard-lined approach to the basics in order to prepare for advanced threats.
So what does this all mean? How does an organization that has its act together with respect to the basics get to the point where it can effectively lean forward into an advanced active defense? For starters, it can try to understand what it expects from itself and from its adversaries. Red Teaming is a tried and true test of one’s readiness. If an organization fails a Red Team engagement, then it needs to revisit the areas found susceptible, remediate and re-engage. If the organization in question has conducted Red Team engagements and passed with flying colors, then it should begin looking at technology and methodology that will allow it to meet its aggressors head on.
Understanding who your adversaries are (and are not) will make this process smoother. Understanding what it is about you that makes you a likely target for an adversary also aids in the process of preparedness and, when conducted in an intellectually honest manner, can save vital resources needed for other purposes. Technology such as honeynets and honeypots (regardless of the ethical questions they pose) can be invaluable tools for attack definition and attribution. One cannot gain insight into who is banging on the door threatening to break in without a vantage point from which to characterize the adversary. The application of false flag data or advanced network segmentation can also thwart and confuse potential adversaries. In the end, a lean forward approach sees an organization taking pre-emptive measures against a threat actor prior to their arrival (when possible).
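As an added illustration of the “vantage point” idea above (this is example code, not anything from the original post or the conference), the script below takes a few constructed honeypot log lines and turns them into per-source profiles: which ports each source touched, how long it stayed, which usernames it tried, and whether it used a planted canary account (a piece of false flag data that no legitimate process ever uses, so any use is a high-fidelity signal). The log format, the IP addresses, the canary username and the classification thresholds are all assumptions made up for the example.

```python
"""Characterising honeypot activity and canary-credential use (added example).

Assumes a low-interaction honeypot that writes one line per event in the
constructed format:  <iso-time> <src-ip> <dst-port> <event> <detail>
where event is "connect" or "login" and detail is the username tried
(or "-"). Everything below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log: one fast multi-port sweep, one slow login
# guesser that eventually tries the planted account, one lone hit.
SAMPLE_LOG = """\
2013-02-10T02:14:01 198.51.100.7 22 connect -
2013-02-10T02:14:01 198.51.100.7 23 connect -
2013-02-10T02:14:02 198.51.100.7 80 connect -
2013-02-10T02:14:02 198.51.100.7 443 connect -
2013-02-10T02:14:03 198.51.100.7 3389 connect -
2013-02-10T03:30:10 203.0.113.45 22 connect -
2013-02-10T03:30:12 203.0.113.45 22 login root
2013-02-10T03:31:40 203.0.113.45 22 login admin
2013-02-10T03:45:55 203.0.113.45 22 login svc_backup_canary
2013-02-10T05:00:00 192.0.2.9 80 connect -
"""

# False flag data: a planted username that nothing legitimate ever uses.
CANARY_USERS = {"svc_backup_canary"}  # hypothetical value


@dataclass
class SourceProfile:
    """What the honeypot lets us say about one source address."""
    first_seen: datetime
    last_seen: datetime
    attempts: int = 0
    ports: set = field(default_factory=set)
    logins: list = field(default_factory=list)
    canary_hits: list = field(default_factory=list)

    @property
    def duration_s(self) -> float:
        return (self.last_seen - self.first_seen).total_seconds()


def parse_line(line: str):
    """Split one constructed log line into typed fields."""
    ts, src, port, event, detail = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), src, int(port), event, detail


def build_profiles(log_text: str) -> dict:
    """Aggregate every log line into a per-source SourceProfile."""
    profiles = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, port, event, detail = parse_line(raw)
        p = profiles.get(src)
        if p is None:
            p = profiles[src] = SourceProfile(first_seen=ts, last_seen=ts)
        p.first_seen = min(p.first_seen, ts)
        p.last_seen = max(p.last_seen, ts)
        p.attempts += 1
        p.ports.add(port)
        if event == "login":
            p.logins.append(detail)
            if detail in CANARY_USERS:
                p.canary_hits.append((ts, port, detail))
    return profiles


def classify(p: SourceProfile) -> str:
    """Constructed heuristics; thresholds are assumptions for the example.

    A canary hit outranks everything else because it cannot be benign.
    Many ports in a few seconds reads as an indiscriminate sweep; repeated
    logins against one service reads as interest in that specific asset.
    """
    if p.canary_hits:
        return "canary-triggered"
    if len(p.ports) >= 4 and p.duration_s < 60:
        return "wide-scan"
    if len(p.ports) == 1 and len(p.logins) >= 2:
        return "focused-credential"
    return "unclassified"


def summarize(log_text: str) -> dict:
    """Map each source to (label, attempt count, sorted ports touched)."""
    return {
        src: (classify(p), p.attempts, sorted(p.ports))
        for src, p in build_profiles(log_text).items()
    }


if __name__ == "__main__":
    for src, (label, n, ports) in summarize(SAMPLE_LOG).items():
        print(f"{src:15} {label:18} attempts={n:<3} ports={ports}")
```

The point of the profile is not the label itself but the evidence behind it: the canary hit is the only observation that can stand on its own, while the scan and credential labels only narrow the candidate set and should feed the kind of intelligence gathering the post describes rather than trigger any reaction on their own.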
Does your organization utilize an active defense (offensive as a defense) strategy? Is there any justification for “hacking back”? How critical is attribution when defending attacks?



Very good post! I would have liked to be there.
I strongly believe that “responsible active defense” is necessary. I describe responsible active defense by these two simple steps:
1. Defend. Responsible active defense is not an excuse to stop all efforts to defend your assets. If you cannot contain, mitigate, stop or avoid an attack against you, offensive reactions are not options. In other words, I do not believe that “offense as the *only* defense” is reasonable.
2. Gather intelligence. Once your organization is mature enough to either contain, mitigate, stop or avoid an attack, I believe that replying back by using techniques and tools to gather intelligence about who you *think* is the attacker is reasonable. Always bear in mind that the real attacker might not be who you think it is. This is one of the reasons why the offensive reaction should never be too strongly offensive or destructive, in my opinion. This reaction’s goal is twofold:
a) To attribute the attack, when possible, or sometimes only to rule out attacker candidates.
b) When you can attribute the attack with very strong evidence, to get more information about the attack and the attacker in order to 1) improve your defense and 2) eventually sue the attacker or collaborate with law enforcement authorities.
Finally, I do not believe attribution is critical when *defending* attacks. Why would you need attribution while defending? It appears that it would be used to dynamically adapt your protection against whoever is believed to be the attacker. First, I do not think that attribution can be done fast enough in most cases. Second, that dynamic adaptation would be very valuable to the attacker, who could use it against you. Third and last, it does not make much sense in my opinion. What do you do? You lower your protection when you think the adversary is weak and raise it otherwise? No, you set the best protection possible at all times and you use attribution and intelligence gathering techniques and tools to improve it.