Dec 13 2012

Offensive security for dummies

Published by at 6:34 am under Government, Hacking, Risk

If there were an “Offensive Security for Dummies” book, it’d be very short.  Chapter 1 would simply be the word “Don’t”.  Chapter 2 would be slightly more expansive and would say “No, really, we mean it: don’t practice offensive security.  You’re not worthy”.  Then it would go on to enumerate ways to incorporate offensive security measures into the enterprise, because IT and security people are well known for skipping the first few chapters of any book and going straight for the meat of the matter.  And then ignoring a lot of that as well.

Seriously though, every couple of years the idea of ‘attack back’ technologies or retaliatory techniques comes up in the security sphere.  The basic thought pattern goes somewhere along the lines of “I’m getting attacked, I can’t do anything about it other than take the beating, the government isn’t doing anything and I’m tired of feeling like a punching bag.  Since the authorities can’t do anything, maybe I should take matters into my own hands.”  The idea of vigilante justice, even in the digital sphere, is appealing.  The visceral thrill of getting a little justice of your own is understandable, and even a little desirable in the person protecting your network.  But it’s morally and legally indefensible.

In my mind, the biggest problem with retaliation is attribution; even with some of the best minds in the business working on the problem, it’s impossible to really say who’s behind many of today’s attacks.  Sure, we can say ‘this is the origin IP of the attack’ and follow the command and control structure up a level or two, but it’s nearly impossible to tell which of those systems is owned and operated by the attacker and which are compromised systems used as throwaway stepping stones.  Given the amount of time it takes to get even that level of information, I can’t see most administrators taking the time to really find the source of the attack.  I can see them simply attacking the end node of the attack and crowing when they bring down Grandma’s Win98 machine in Wisconsin, though.

Another big problem with retaliation is time and resources.  Seriously, how many security professionals do you know who have the time to properly secure their own enterprises?  If you don’t have time to review firewall configurations, get developers to stop including SQLi vulnerabilities in the web site, and generally be a pain in the ass about corporate policies, what makes you think you have the time to do proper attribution before you attack?  Quite frankly, after having been a QSA for four years and reviewing a couple of hundred firewall configurations, I don’t trust 75% of companies to properly lock down their own networks, let alone start targeting other people’s networks with retribution tools.  Would you trust your own senior security architect to run invasive scans against your own site, let alone someone else’s?

I’m betting this whole conversation will reach a peak somewhere in March of 2013, then go back into its cave to hibernate for another couple of years.  It’s a bad idea that sounds good until it’s put into practice.  There might be 1% (probably less) of organizations that have the technical skills and understanding to make retaliation feasible and effective.  But feasible doesn’t mean right, either in the eyes of the law or morally.  If you’re seriously considering retaliatory security, do us all a favor and go review your firewall configuration and logs instead.  I can guarantee you’ll find flaws in the configuration that your time would be better spent fixing.

4 Responses to “Offensive security for dummies”

  1. John Strand on 13 Dec 2012 at 3:48 pm

    You’re right.

    And you are wrong.

    If the question is taking direct action against an attacker, you are completely correct.

    If you are saying any level of active defense is dumb, you are equally wrong.

    We need to stop talking about extremes. It is in the areas of Annoyance, Attribution and Attack there are wondrous new security possibilities in Active Defense.

    Let’s stop taking extreme positions and start exploring the possibilities that exist between continuing to fail with existing technologies and tactics and actively attacking the attackers. Both these polar extremes are wrong. Let’s find something cool in the middle.

    John Strand

    p.s. Love the podcast, love the blog. Keep kicking ass.

  2. Martin on 13 Dec 2012 at 4:09 pm

    I know I was being simplistic with this post, but I wanted to get a little something on ‘paper’ that had been banging around in my head for a while. Truth be told, there’s as much nuance to the ‘active defense’ as there is in the whole disclosure debate we’ve been having for years. And just like the disclosure debate, we’ll keep coming around in circles as we slowly, slowly hammer out something like a consensus.

    Martin

    PS. Thanks

  3. John Strand on 29 Dec 2012 at 6:38 am

    We will be releasing the Active Defense Harbinger Distribution in about a month or two. Hopefully it will serve as a good platform for non-stupid active defense.

    John

  4. Cornel du Preez on 29 Dec 2012 at 6:55 pm

    This post is spot on. As appealing as retaliation may be and as satisfying as it may feel on the rare occasions that it’s successful, it’s something that takes way more time and experience than many security professionals have. Not to say it’s still not fun to take a whack at…
