Premature Counter Offensive Actions Could Yield Painful Results

Categories: Advanced Security, FirstWatch

Who’s Advocating Counter Offensive and Why?

Recently there has been a flurry of activity and discussion around counter offensive measures launched by private sector organizations in response to some form of targeted attack (criminal, industrial espionage, state sponsored, etc.). Counter Offensive (CO) operations are not new; however, in the context in which they have been discussed lately, one may ask whether a blurring of lines is occurring, within the private sector in particular, that is new.

Here’s one approach: one start-up recommends that corporations, upon detecting that they have been compromised by an adversarial third party, work to monitor and ultimately “waste” the aggressor’s time and resources rather than immediately seeking to expel them. Tactics include internal honey clienting, that is, feigning the appearance of access to sensitive material and data that then proves difficult at best to exfiltrate. The goal is to learn the adversary’s tactics and gather intelligence on them.

Some within the security industry advocate that companies create bogus files or ‘beacons’ (again, not new) that can be used to monitor the offender and harvest intelligence scraped from the offender’s machines. This, too, is neither new nor unique as a vision or as counsel for organizations that have become aware they have been breached. The question is whether the endorsement of active defense in the private sector could set the stage for unforeseen consequences for those who initiate such measures, which range across varying degrees of aggression.
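As an added example that is not part of the original post, the following Python shows the mechanics behind the ‘beacon’ file described above and the honey-clienting idea in the preceding paragraph: a decoy document carrying an external image reference that phones home when opened, and a correlator that matches beacon fetches in a web server’s access log back to the decoy and the location where it was planted. The beacon host, decoy titles, share paths and log lines are all assumed or constructed for illustration; the OOXML skeleton is minimal, and the generated file should be checked to open cleanly in the office suite actually in use before deployment.

```python
"""Beacon-style decoy document plus a correlator for beacon hits.

Added illustration for this post, not code from the original article. The beacon
host, decoy titles, share paths and sample access-log lines are assumed/constructed.
The mechanism (an OOXML image relationship with TargetMode="External") is the common
canary-document technique; validate the output in your own office suite.
"""
import io
import re
import secrets
import zipfile
from datetime import datetime
from xml.sax.saxutils import escape

BEACON_HOST = "beacon.example"  # assumed: a web host the defender controls and logs


def new_token() -> str:
    """Unpredictable per-document token: a hit cannot be guessed or forged by a scanner."""
    return secrets.token_hex(8)


def beacon_url(token: str) -> str:
    return f"https://{BEACON_HOST}/b/{token}.png"


def build_decoy_docx(title: str, token: str) -> bytes:
    """Minimal .docx whose only image is an external link. A reader that resolves
    linked images fetches beacon_url(token); the web server records the hit."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    )
    root_rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        "</Relationships>"
    )
    doc_rels = (  # TargetMode="External" is what makes the image a beacon rather than an embedded part
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="{beacon_url(token)}" TargetMode="External"/>'
        "</Relationships>"
    )
    document = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" '
        'xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" '
        'xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" '
        'xmlns:pic="http://schemas.openxmlformats.org/drawingml/2006/picture"><w:body>'
        f"<w:p><w:r><w:t>{escape(title)}</w:t></w:r></w:p>"
        # 1x1 EMU inline picture whose blip is linked (r:link), not embedded (r:embed)
        '<w:p><w:r><w:drawing><wp:inline><wp:extent cx="1" cy="1"/><wp:docPr id="1" name="b"/>'
        '<a:graphic><a:graphicData uri="http://schemas.openxmlformats.org/drawingml/2006/picture">'
        '<pic:pic><pic:nvPicPr><pic:cNvPr id="1" name="b"/><pic:cNvPicPr/></pic:nvPicPr>'
        '<pic:blipFill><a:blip r:link="rId1"/><a:stretch><a:fillRect/></a:stretch></pic:blipFill>'
        '<pic:spPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="1" cy="1"/></a:xfrm>'
        '<a:prstGeom prst="rect"><a:avLst/></a:prstGeom></pic:spPr></pic:pic>'
        "</a:graphicData></a:graphic></wp:inline></w:drawing></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", root_rels)
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def external_targets(docx_bytes: bytes) -> list:
    """Audit helper: every external relationship target in a .docx (our beacon, or someone else's)."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                targets += re.findall(r'Target="([^"]+)" TargetMode="External"', z.read(name).decode())
    return targets


# Combined-format (Apache/nginx style) access-log line for a beacon fetch.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /b/(?P<token>[0-9a-f]{16})\.png HTTP/1\.[01]" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def correlate_hits(log_lines, registry: dict) -> list:
    """Match beacon fetches to planted decoys; unknown tokens are dropped as scanner noise.
    A hit proves the decoy was opened by a client reachable from source_ip. It does not
    establish who the adversary is or who owns that IP (often a proxy or another victim)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["token"] not in registry:
            continue
        decoy = registry[m["token"]]
        hits.append({
            "token": m["token"],
            "decoy": decoy["title"],
            "planted_on": decoy["planted_on"],  # where the intruder already had reach
            "opened_at": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").isoformat(),
            "source_ip": m["ip"],               # an observable, not an identity
            "user_agent": m["ua"],
        })
    return hits


# Constructed registry and log lines for demonstration only.
REGISTRY = {
    "4f1e9c2b7d3a6e80": {"title": "Q3 M&A target list", "planted_on": r"\\fs01\finance\board"},
    "0a1b2c3d4e5f6071": {"title": "VPN credentials", "planted_on": r"C:\Users\svc_backup\Desktop"},
}
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2012:03:14:07 +0000] "GET /b/4f1e9c2b7d3a6e80.png HTTP/1.1" 200 68 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '198.51.100.23 - - [12/Mar/2012:03:14:09 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/7.21"',
    '203.0.113.7 - - [12/Mar/2012:03:20:41 +0000] "GET /b/ffffffffffffffff.png HTTP/1.1" 404 0 "-" "python-requests/0.10"',
    '198.51.100.23 - - [13/Mar/2012:11:02:55 +0000] "GET /b/0a1b2c3d4e5f6071.png HTTP/1.0" 200 68 "-" "Microsoft Office/14.0 (Windows NT 6.1; Microsoft Word 14.0.6024; Pro)"',
]

if __name__ == "__main__":
    for hit in correlate_hits(SAMPLE_LOG, REGISTRY):
        print(hit)
```

Note what this does and does not do. The beacon is passive: the adversary’s own client makes the request, and nothing on the defender’s side reaches into the offender’s machine, which keeps it on the “monitor” side of the line the post draws rather than the hack-back side. What a hit reliably tells you is which decoy was opened, when, and therefore which share or host the intruder had already reached; the source IP and User-Agent are observables to feed into the attribution question discussed below, not answers to it.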

In the private sector, all of these methods are used more today against advanced cyber threats than they were just two to three years ago, but there are still questions about how effective these approaches can be.

Challenges Associated with Counter Offensive Response

There are many problems and pitfalls associated with taking these particular approaches to countering cyber adversaries.

First, there is the question of attribution, which is daunting at best. Who is actually behind the compromise? Can we prove with certainty the origin and identity of the adversary, and what metric do we use to assure that certainty? Who owns the machine(s) the adversary is using to launch the attack? In practice the host a beacon or honeypot reports is frequently a proxy or another compromised party rather than the adversary, so a strike against it may simply hit another victim. Attribution, as mentioned earlier, is not trivial. There are academic models and treatises that expound at length on how an organization might clean up and calm the malicious behavior associated with a given machine or incursion, with approaches ranging from the traditional to the non-traditional and, arguably, aggressive. However, one must ask whether it is advisable for a commercial entity to venture into potentially hazardous activity that, in extreme cases, advocates counter offensive strikes or ‘hack backs’.

We live in an era in which technology and the death of distance have circumnavigated and lapped conventional legislation on Internet and computer crimes. We are squarely in the midst of an evolutionary period that cannot be ignored. Organizations cannot afford to gamble with their livelihoods and brands; it is therefore imperative that they understand whether the actions they are taking are legal and whether their evidentiary chain is pure. For example, what might the outcome be if a compromised organization, determined to root out and address the compromise, threw caution to the wind and turned to more aggressive solutions, only to trigger an escalation of force by its adversaries?

How to Approach Conversations About CO When It Is Being Considered or Advocated by Third Parties

So what is the right approach to take when an organization discovers it has been compromised? I personally believe that the best approach is the one that does not throw caution to the wind. Exhaustive data collection and analysis of the lateral movement within the organization that is attributable to the unauthorized aggressor is key. Comprehensive collection and analysis, culminating in an intelligence brief that can be delivered to executive stakeholders, lays the foundation for further discussion of what the organization needs to do right now to amend the conditions that allowed the compromise (e.g., attack surface minimization, human beings included), how it would be best served by the means at its disposal today or by engaging third-party resources and solutions, why it needs to take such actions, and when it should begin.

Until there is legitimate legal precedent offering a position from behind which a private sector organization can shield itself, it is too risky to advocate or pursue any form of kinetic response, hack back included, tied to CO means.

Author: Will Gragido

Mr. Gragido possesses over 18 years of information security experience. A former United States Marine, Mr. Gragido began his career in the data communications, information security and intelligence communities. After the USMC, Mr. Gragido worked in several information security consultancy roles performing and leading red teaming, penetration testing, incident response, security assessments, ethical hacking, malware analysis and risk management program development. Mr. Gragido has worked with a variety of industry-leading research organizations including International Network Services, Internet Security Systems / IBM Internet Security Systems X-Force, Damballa, Cassandra Security, HP DVLabs, and now RSA NetWitness. Will has deep expertise and knowledge in operations, analysis, management, professional services and consultancy, and pre-sales / architecture, and a strong desire to see the industry mature and enterprises and individuals become more secure. Will is a long-standing member of the ISC2, ISACA, and ISSA. Mr. Gragido holds the CISSP and CISA certifications, as well as accreditations in the National Security Agency's Information Security Assessment Methodology (IAM) and Information Security Evaluation Methodology (IEM). Additionally, Mr. Gragido is a Faculty Member of the IANS Institute, where he specializes in advanced threat, botnet, and malware analysis. Mr. Gragido is a graduate of DePaul University and is currently preparing for graduate school. He is the co-author of Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats and is currently hard at work on a new book due out in the summer of 2012.