Dec 13 2012
If there were an “Offensive Security for Dummies” book, it’d be very short. Chapter 1 would simply be the word “Don’t”. Chapter 2 would be slightly more expansive and would say “No, really, we mean it: don’t practice offensive security. You’re not worthy”. Then it would go on to enumerate ways to incorporate offensive security measures into the enterprise, because IT and Security people are well known for skipping the first few chapters of any book and going straight for the meat of the matter. And then ignoring a lot of that as well.
Seriously though, every couple of years the idea of ‘attack back’ technologies or retaliatory techniques comes up in the security sphere. The basic thought pattern goes somewhere along the lines of “I’m getting attacked, I can’t do anything about it other than take the beating, the government isn’t doing anything and I’m tired of feeling like a punching bag. Since the authorities can’t do anything, maybe I should take matters into my own hands.” The idea of vigilante justice, even in the digital sphere, is appealing. The visceral thrill of getting a little justice of your own is understandable, and even a little desirable in the person protecting your network. But it’s morally and legally indefensible.
The biggest problem with retaliation, in my mind, is attribution; even with some of the best minds in the business working on the problem, it’s impossible to really say who’s behind many of the attacks presently. Sure, we can say ‘this is the origin IP of the attack’ and follow the command and control structure up a level or two, but it’s nearly impossible to tell which of those systems is owned and operated by the attacker and which are compromised systems used as throwaway stepping stones. Given the amount of time it takes to get even that level of information, I can’t see most administrators taking the time to really find the source of the attack. I can see them simply attacking the end node of the attack and crowing when they bring down Grandma’s Win98 machine in Wisconsin, though.
And to me, one of the biggest problems with retaliation is time and resources. Seriously, how many security professionals do you know that have the time to properly secure their own enterprises? If you don’t have time to review firewall configurations, get developers to stop including SQLi vulnerabilities in the web site, and generally be a pain in the ass about corporate policies, what makes you think you have the time to do proper attribution before you attack? Quite frankly, after having been a QSA for four years and reviewing a couple of hundred firewall configurations, I don’t trust 75% of companies to properly lock down their own networks, let alone start targeting other people’s networks with retribution tools. Would you trust your own senior security architect to run invasive scans against your own site, let alone someone else’s?
I’m betting this whole conversation will reach a peak somewhere in March of 2013, then go back into its cave to hibernate for another couple of years. It’s a bad idea that sounds good until it’s put into practice. There might be 1% (probably less) of organizations that have the technical skills and understanding to make retaliation feasible and effective. But feasible doesn’t mean right, either in the eyes of the law or morally. If you’re seriously considering retaliatory security, do us all a favor and go review your firewall configuration and logs instead. I can guarantee you’ll find flaws in the configuration that your time would be better spent fixing.