jump to navigation

Prioritizing Defense April 16, 2010

Posted by Dean in 1.
add a comment

The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.              -Sun Tzu

On 4/13, I participated on an 1105 Government Information Group panel discussion entitled “Where Cyberwarfare and Cybersecurity Meet” with Jeffrey Carr, cyber strategies consultant and author of Inside Cyber Warfare, and Dr. George Stein, director of the Cyberspace and Information Operations Study Center, Air War College, U.S. Air Force.  We had a provocative discussion on the cyberwarfare threat to industry and government, as well as strategies to consolidate the wider cyber security mission.  It was my privilege to be on the panel with both of these gentlemen. 

My focus was primarily around defensive initiatives that organizations could take to be less vulnerable to cyber attacks. In preparing for the discussion, I was disturbed by the militant hawkish rhetoric surrounding the issue of what is called “Active Defense” – an innocuous term for offensive cyber warfare operations. The justifications for launching these operations is based on the use of United Nations Security Council’s concept of armed conflict. The concepts of jus ad bellum and jus in bello are cited as justification for offensive action, but these doctrines – as commonly accepted–- are insufficiently scoped and nuanced to be applied to cyber attacks. Although there may be relative consensus on treating attacks on critical infrastructure where the loss of life occurs as an armed attack, everything else is pitched on a steep and slippery slope. Armed attack analogies are generally poor analogies.

We currently do not have a workable definition of what constitutes cyber war nor can we accurately distinguish cyber war from cyber crime. Have cyber attacks on US infrastructure achieved the level of damage necessary to be considered warfare? There may be classified evidence of attempts that if successful would have met the definition of warfare, but one would expect any successful attack to be well-known in the public domain. Failure to distinguish between real acts of war and simple malicious behavior increases the risks of war and distracts us from the more immediate threat of cyber crime. We further know that suspected state-sponsored cyber espionage and cyber war efforts have leveraged criminal capabilities and therefore minimization of the criminal element eliminates favorite attack vectors used in aggressive nation-state activities. Therefore, focusing on cyber warfare at the exclusion of cyber crime is counter-productive in this regard.

Until we have an established framework and agreement in the international community for defining when and how to engage in cyber warfare, perhaps defense is as far as we should go. Although the United States and a number of other countries are actively pursuing the capability to wage cyber war as well as defend against it, there hasn’t been a meaningful public discussion about when and how cyber weapons and offensive operations should be used. Reasonable people should be concerned about the raising the specter of cyber warfare, and the potential militarization of the Internet and the retaliation it invites. If cyberspace is considered to be another domain (like Air, Land, or Sea), why should we treat it differently with respect to the rule of law and the conditions upon which agents or agencies of the United States can act?

Too much of the policy debate that has occurred related to cyber war is happening behind closed doors. Although some of the data related to this issue are classified, public policy in a democracy cannot be made in a vacuum. We’ve seen the results of that kind of policy-making and should have learned by now that you can’t have your yellow-cake and eat it too. It’s time to move this conversation out of the classified world. When there are experts arguing for preemptive first strikes or even nuclear deterrence against initiators of a cyber attack, one must acknowledge that we are in very dangerous waters.
Rationale for Active Defense
• Active defense somehow will greatly improve cyber defenses – but the circumstances where that is actually true are severely limited.
• Using active defenses will serve as a deterrent to cyber attacks since attackers will not want to subject themselves to counter-attack – If an attacker were using intermediaries in another country, why would counter-attacks be a deterrent? In fact, might that be the underlying objective. For many nation-states, setting off a full-scale cyber war between the US and China would be a major strategic victory.

Public/Private Partnerships

During the discussion on the 1105 panel, we fielded a question “Should private companies consider striking back at attackers?” Dr. Stein pointed out that it is currently illegal for private organizations to employ active defenses. Setting the law aside, can you imagine the potential political, economic, diplomatic and military consequences if Google decided to attack Chinese assets with counter-offensive operations? If the implications of that approach are not obvious, how about if Fed Ex decided to carpet-bomb North Korea? Non-governmental entities have no right to jeopardize national interests by engaging in private wars or vigilante justice. Private companies have a role, responsibility, and right to provide for their own defense, but that right cannot extend to counter-offensive operations. However, it is in the interest of both the public and private sectors to work together to share threat intelligence and take preventive action against situations and conditions that facilitate cyber exploitation opportunities.

Proposed Prerequisites for Engagement

It is commonly accepted that the following four criteria are used to assign attribution of an attack prior to responding with offensive operations. While this rationale appears sound prima facie, the devil is in the details:

  • Source of the Attack: We must establish the source of the attack. The problem is that the geo-location of a computer or network launching an attack is circumstantial, at best. In the real world, there is almost never a ‘smoking gun’ and therefore the expectation of finding direct evidence is unrealistic. However, circumstantial evidence usually accumulates into a collection, with each piece corroborating the other pieces and together they support more strongly the inference that the assertion is true.
  • Sophistication: Are the tools being used beyond the level typically used indiscriminately by hackers and criminals? This seems like a reasonable criterion. Unfortunately, whenever an organization is penetrated, their point people often characterize the attack as highly sophisticated as if they couldn’t have been penetrated by a simpler exploit, but more often than not, we find out that the attackers simply exploit a known vulnerability. Operation Aurora is instructive:
    • On 1/14/2010, it was reported that over 100 major targets were hit and McAfee Labs reported the attack” involved a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios.”
    • On 3/31/2010, McAfee acknowledged that some pieces of malware included in their initial analysis had nothing to do with Aurora attacks after all. “At the time, we were in the fog of war investigating this operation …but after the fact, when we had more time to do the research, we realized this malware was part of a completely different attack.
    • “Aurora Lite” is now attributed to the targeted compromise of approximately two-dozen companies, with a total footprint of four or five dozen compromised hosts. It consisted of a rapid, in-and-out attack rather than a long running or persistent campaign – which sounds more like a standard criminal hack.
    • According to Gunter Ollman, VP at Damballa Research, the Aurora operators relied on a botnet that relied on Dynamic DNS – a method that has been out of vogue for at least 5 years because of law enforcement’s ability to track it. “This is the sort of thing you see used by amateurs
    • I’m not pointing my finger at McAfee but this situation is highly instructive because many other research organizations relied on McAfee’s assessment without question. Further many of the labs conducting forensics analyses are commercial enterprises with a significant financial interest in breaking the news. Claims of sophistication are often overstated.
  • Duration: Is the attack being sustained over a period of time with real destructive capability? We need to define the boundaries of destruction and relative time periods. A three-day stealthy network probe is one thing. A three-day DDoS attack on critical infrastructure is entirely different. Without defining objective criteria, who determines the significance of duration?
  • Motivation: Is the attack it being carried out for financial gain, espionage, political, or strategic advantage? Motives count in determining a response to an incident before assessing attribution. How do we define this? In Intelligence operations, determining motive generally relies upon human intelligence (HUMINT) and without “boots on the ground” motivation is difficult to reliably assign. Further, experience indicates a propensity for officials to shoot first and ascertain the facts afterward. Given this history of misdiagnosis, the bar for assigning attribution needs to be raised, not lowered:
    o Prelude to Titan Rain (1998) – a series of coordinated attacks on American government computer systems and hackers successfully gained access to many U.S. computer networks. In early December 2005 the director of the SANS Institute claimed the attacks were “most likely the result of Chinese military hackers attempting to gather information on U.S. systems.” It was later noted that the source of the attacks was from amateur hackers in Cupertino, California.
    o The Korean DDoS Attacks –(July 2009) A series of DDoS attacks on US and South Korean assets. Rep. Pete Hoekstra (R-MI) former Chair of the House Intelligence Committee called for the US military to attack North Korea. Eventually, it was determined that the C&C master server was in Miami, Fl.

Is cyber warfare real and necessary? It certainly appears to be but until such time as we have a formal cyber warfare framework that spells out the conditions necessary for legally conducting these operation under the direction of our elected government officials, consistent with our constitution and national diplomatic interests, and we possess the capability to consistently and forensically provide more light than heat on attacks on American resources, I submit that we should focus our efforts on defensive activities rather than offensive ones. Believe me, we have plenty to do.


Identity is the True Cornerstone of Security December 29, 2009

Posted by Dean in Information Security.
add a comment


When William Cheswick and Steven Bellovin wrote their seminal book “Firewalls and Internet Security – Repelling the Wily Hacker” in 1994, attack vectors and countermeasures were considerably less sophisticated than those commonly seen today.  The primary security model was based on a castle, with a strong perimeter and focus on keeping potential intruders outside of the corporate network.  As organizations, spurred on by the opportunities of the Internet, began to offer services – first informational web sites, later e-commerce channels, and today true Web 2.0 interactive services, the limitations of the castle model became apparent. 

By 2000, forward-looking security professionals mentally replaced the castle model with an airport model.  The objective evolved from keeping outsiders out, to inviting outsiders in, but distrusting everyone equally.  Airports have fences around them, but they’re only designed to keep people off the secure areas like the runways.  The front door is open to the general public.  Instead of a “crunchy exterior with a soft and chewy interior,” airports have various security zones.  Travelers are separated from the general public by passing through ever-increasing security screening.  Once inside the secure zone, travelers have free reign in the gate areas, but are not allowed to board aircraft without proper identity-validated tickets.  Once travelers board their plane, they are not allowed to enter the cockpit, but must stay in their designated areas.  Unconvinced?  Try sitting in First with a coach ticket.  Hell, try using the restroom in First while seated in coach.  While we’re on the subject, can someone please explain the vague security concerns hinted at by the Flight Attendants should a passenger from steerage dare to use that rarefied facility?

The castle of the Nineties now has a shopping mall in the middle of it and the Lords of the castle routinely travel around the globe.  Trying to protect it (and them) using a perimeter defense is like trying to stop terrorism by putting minefields and machine-gun nests on the perimeter of the airport.  Yet, a week doesn’t go by that I don’t interface with security professionals who are deeply ingrained in a perimeter mentality, and who think all attack vectors can be mitigated with a good firewall and by wielding a cross at the mention of peer-to-peer (P2P).   Sure, firewalls have their place in security, but their value has steadily decreased for the past decade.  The emergence of portable devices -first laptops and now smart phones and other portable computing platforms, and soon the reality of IPv6 mobile computing – require a radically different approach moving in two directions simultaneously. 

First, security must be centrally managed but enforced in a distributed manner.  Endpoint enforcement allows users to conduct business freely outside of the network perimeter and still protect both the device and the networks it calls home.   Tangentially, I find it interesting that so many security professionals seem to think the greatest threat comes from the users of the organizations they’re supposed to protect.  It seems a bit like the old retail joke that the job would be great if it weren’t for the damn customers, don’t you think?  Perhaps the problem isn’t that users are stupid, or reckless, but rather that the model these security folks are trying to follow doesn’t match reality.  Managing security isn’t about keeping “bad guys” out.  It’s about protecting the organization’s assets, wherever they’ve been, they are, or they’re going so that those users can do their jobs.  To do that effectively requires a fine scalpel rather than a blunt instrument.  Security policies must be “right-sized” to give users access to what they need to do their jobs, no more and no less. 

Second, security is moving from simple stateful packet inspection (SPI) to context and identity-aware deep packet inspection.  Data Leakage Prevention (DLP) technologies are at the forefront of this trend.  Finding credit card numbers in a data transmission is one thing but to realize true value, the system must be able to understand the context of the transmission as well as the originating and destination parties.  500 credit card numbers from an e-commerce server to Alan in Accounts Receivable may be perfectly fine but those same numbers to Sam in Shipping or to a drop-box in Estonia may be another matter altogether. 

Bottom line:  At the center of it all, security relies on knowing who the user is and what he or she should have access to at all times.  Identity management is neither a mirage nor a Holy Grail but rather a critical foundation upon which information security ultimately rests. 

More about this in my next blog…