Xygh Offense vs Defense

From CyberSecurity
Revision as of 14:53, 6 December 2005 by Yi-Kai (talk | contribs) (VI. Legal issues)


Going on the offensive in response to a cyber-attack

I. Introduction

II. History

The history of successful counterattacks in the world of cybersecurity is a short one. There are an increasing number of papers and publications which make proposals, but concerns over legal issues as well as technical challenges have kept the list of successes small.

In Sept. 1998, the Pentagon is reported to have counterattacked some activists who were carrying out a Denial of Service attack on the Department of Defense's websites, responding to their requests with an applet which ran on the attackers' machines and forced them to reboot. [1]

In 1999, Conxion, a California ISP, wrote a script which caused DoS packets sent to the World Trade Organization's website to be sent back to the attackers. [2] Of course, such a response would not have worked if the attackers had used what's known as "IP address spoofing", which would have made the packets appear to come from a different computer than the one that actually sent them.

In 2001, several defenses were created in response to the Code Red II worm. One, called CRclean, if it received a probe from the worm, would make use of a back door which the worm placed on the infected machine to load a neutralizing agent and halt the spread of the worm. But it would also install itself on that machine. Another, called CodeGreen, would actually scan the internet for computers with the IIS vulnerability that allowed CodeRed, then download the patch and place it on the machine, and clean up the back doors. [3] It is clear that there are serious legal and ethical issues with both of these worms, even the former, which is still a worm even though it only reacts to attacks.

In late 2004, Lycos Europe got fed up with spammers and launched a popular campaign called "Make Love Not Spam" which attracted over 100,000 users. Users could install a screen saver on their desktop which would send requests to websites which were known to advertise via spam. This effort was successful in causing some of the sites to change locations. ( http://www.makelovenotspam.com ) Lycos reportedly got around the illegality of DDoS attacks by claiming to only take 95% of the target sites' bandwidth, though David Dittrich finds this reasoning dubious at best. [4]

Some companies like Symantec (TurnTide AntiSpammer) and Symbiot security are developing counter attack tools and devices, but there is a lot of skepticism about deployment of such devices because of liability concerns.

We found no evidence in our research of any organizations who had even remotely well-developed policies of active retaliation. Even the ISP Conxion claimed to have decided on the use of active counter-tactics on a "case-by-case basis."

[1] Niall McKay, "Pentagon Deflects Web Assault," Wired News (September 10, 1998)

[2] Pia Landergren, "Hacker Vigilantes Strike Back," cnn.com (June 20, 2001).

[3] Majik, "Code Green. Are you Serious?!", http://www.xatrix.org/article.php?s=684 (September 6, 2001)

[4] David Dittrich, "How bad an idea was 'Make Love Not Spam?' Let me count the ways."

III. Scenarios

Worm Vs Worm:

An anti-worm is used as a counter attack to strike back against the worm-attacking host, either by bringing it down or by neutralizing it.

Email Spam or Virus Strike back:

When one receives spam email, she retaliates with either bounced e-mails or a bounced email along with an email to the Email Server’s administrator for remedial action.

Strike back at Botnet:

A compromised host is monitored for “Home Callback” thus identifying the strike back target. Strike back is done by

1. Taking down the Home machine.

2. Taking control over the command channel and then using it to neutralize other compromised hosts and strike back at the centralized attacker.

Neutralize Botnet:

A compromised host is patched or given a low-impact neutralizing agent via an exploit or backdoor. This can be delivered via an Active Worm (see above) or something more passive.

Mislead Hacker's Investigations

A hacker is scoping out a website to deduce its structure and vulnerability. There are various techniques to mislead the hacker or break or mislead the hacker's automated tools.

Tracking File Transfers

To protect a file, one can surreptitiously enclose a beacon which, upon a copy or install, will announce its presence to the owner of the file. This can help with Digital-Rights Managed files or private files which have been leaked.

Fake Vulnerabilities

A honeypot (say, with bees,) can provide the attacker with a malicious command shell that, unless the hacker is extra careful, will compromise the hacker's machine.

Distributed Denial of Service

A user community can be enlisted to strike at a known malicious website, for example, while running screensavers.

IV. Technical aspects of scenarios

Counter Attack Scenario Breakdown

In order to understand the total implication and impact of a counter attack, it is essential to understand the elements of the counter attack scenario. Alongside consideration of the legality or ethicality of the counter attack, it is important to study the counter attack process, which can help in putting forth an infrastructure for counter attack. It is important to note that, to make an effective counter attack, the machine or system designed to perform the counter attack has to be more sophisticated than the attacking machine/system. A counter attack scenario can be broken into the following steps:

1. Intrusion Detection.

2. Locating the Attacker and type of attack.

3. Defending and Diverting the attack.

4. Engineering/Designing Counter attack and its deployment.

5. Post Counter attack investigation support.

Intrusion Detection

Intrusion detection is basically identifying whether there is an intrusion in the network or in a machine connected to the network. There are growing numbers of devices that not only monitor the network but also actively engage in detection and prevention of certain network access by certain programs. These fall into the category of firewalls. There are also devices that use advanced techniques for detecting network traffic anomalies. These vary from learning-based devices to policy-based devices; many of them are really hybrids.

Worm vs worm: there has been a lot of literature and many studies on worm detection based on how a worm propagates. One such system is described in [1].

Locating/Identifying the Attacker

This is a very important step towards a counter-attack: basically, knowing who your enemy is and where he is located. Attacks can be overt or covert. In the case of an overt attack the enemy is known, but its location can still be unknown. In the case of a covert attack even the enemy’s identity is in question. In the case of computers, finding out the specific server or system of servers and its location can be critical in determining what the counter attack would be. With today’s network architecture and various attacking techniques, this operation is quite challenging, and it can be quite difficult to locate the real attacker. The attacker can hide behind spoofed IP addresses and zombies.

Defending or diverting the attack

Once the attack has been detected, the defense mechanism can be put in place to stop further damage. Also diversion tactics like Honey-Pots can be used to keep the rest of the network safe. The information from this diversion can be harnessed to engineer a specific counter attack.

Engineering/Designing Counter attack and its deployment

Designing/Engineering a counter attack and its deployment should take into account the following considerations:

1. Identifying type and method of attack.

2. Support (technical and legal) from other parties of the network.

3. Collateral damage.

4. Economics

Post Counter attack investigation support

In order to aid the post counter attack investigation, a counter attack should have an inbuilt mechanism to log its trail and its operation history.


Now let's get into the details of each of the scenarios above.


Worm Vs Worm

Identifying Type and method of attack: In this case the type of attack is known to be a worm attack (obvious!), and the method of attack typically is that the worm exploits a remotely accessible vulnerability of the host to gain access.

Once the signature of the worm is detected and its mode of propagation is determined, an anti-worm can be generated which exploits the same vulnerabilities as the original worm or uses the back doors opened by the original worm. The dose in the antiworm is such that it would either fix the attacking host or bring it down gracefully, informing the user or owner. An antiworm should adhere to the following guidelines in order to have minimal collateral damage:

1. Bug-free, and does not leave other vulnerabilities that could be exploited further.

2. Able to be uninstalled gracefully when the owner asks for it.

3. Makes minimal changes to the host that it operates on.

4. Does not generate DoS-like traffic on the host/site that serves the patch/fix download.

5. If possible, tamper-proof (very difficult to realize): the antiworm should not be able to be used for propagating malicious content.


In addition, the deployment strategy of the antiworm will determine its effectiveness and the collateral damage it may cause.

1. Active deployment: The antiworm propagates through the network similarly to the original worm, or maybe even faster, and does its job along the way. This is the fastest way to remove the original worm from the network, but it also causes the most collateral damage by heavily affecting network traffic.

2. Passive Deployment: The antiworm waits on a host until another host attacks it, and then the antiworm cures only the attacking host. Collateral damage is at a bare minimum.

3. Controlled Deployment: The antiworm's propagation is controlled via some statistic of the number of infected/vulnerable hosts to the number of hosts it has cured. This can be very effective and efficient.

4. IDS-based deployment: Using intrusion detection sensors which monitor traffic between other hosts, and then curing the involved host if required. Collateral damage is considerably less. [2]

Support from other parties: When deploying this kind of counter attack, it is important to have support from the owners whose hosts are being cured or from the network organization in general. This is due to the liability considerations discussed later. As with any other counter attack, an anti-worm modifies third party property, and the anti-worm deployer can be held liable as much as the original worm developer due to privacy concerns.


Email Spam or Virus Strike back

Spam is unsolicited email, and viruses are active programs that, when executed, can infect a host by installing root kits, key-stroke loggers, etc. These spread through email and require human interaction to activate them.

Email servers as well as hosts can, with the help of spam and virus filters, identify many of these viruses. Once the infected email is identified, one counter attack technique that can be used is automatic flooding of the spammer/virus propagator with bounced email, along with an email notification to the server’s administrator.

The collateral damage in this case is the network traffic generated from the bounced emails and the unsolicited messages sent to the administrator.

If there is already an understanding for support between the Email Server Admins, the notification task overhead and the liability resulting from the action are greatly reduced.


Strike back at Botnet



Categorize and Neutralize Botnet

A botnet can be detected and compromised. The botnet, whether being used for a DDoS attack or to propagate a worm, must send a signal. Often, it sends a signal which is crafted to deduce whether a server is vulnerable. A server can be specially designed to mimic a vulnerable target by sending a response which matches that behavior. The botnet is being goaded into sending more information which will help categorize it; perhaps it is associated with a known worm.

Once the server has enough information, it can send a neutralizing agent to the corrupt machine. The idea here is to make the minimal change possible such that the user's computer is unaffected. The server exploits the same vulnerability that the botnet used, and deploys one of a number of neutralizers. For example, it could patch the vulnerability and remove the botnet. Less invasive changes include blocking the port over which the bot operates, or using a mutex and rebooting the machine to lock the botnet from being able to execute. [3] Also, one would have to remove any backdoors left by the worm.

Mislead Hacker's Investigations

One opportunity that could be easily overlooked is that hackers who are targeting a certain target rely heavily on their initial investigations of that target. They do reconnaissance and footprinting to get a map of the IP addresses at a site and to try to understand the functions and vulnerabilities of the servers at those addresses. They map DNS names to IP addresses and vice versa to get the information they need. [4]

There are various ways to strike back at the tools hackers use:

(1) Vulnerability scanners make use of service banners.  Banners can be falsified or even embedded with malicious strings that contain commands.  For example, if the hacker is putting results into a database, a SQL injection exploit could be used.
(2) Vulnerability scanners also search for vulnerabilities by querying servers and looking for certain responses.  Messing with responses can break hacking tools or mislead a hacker.
(3) A spider can be trapped in a "tar pit" by creating bogus links which never lead anywhere.  

To target these techniques effectively, we must be able to tell that someone sending requests is an attacker. We can

(1) Check to see if a request matches a known bad signature
(2) Send malicious code that will only affect certain malicious tools.
(3) Send affirmative messages regarding locations that don't exist.  Normal users will not be looking for such places.
(4) Garden path links on web pages can be hidden from normal users, but spiders will find them.
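
The detection side of items (1), (3) and (4) above can be run over a web server's access log. The following is an added example, not code from the original page or its cited papers; the decoy paths, the hidden-link prefix, the signatures and every log line are constructed for illustration.

```python
import re
from collections import defaultdict

# All paths, signatures and log lines below are constructed for illustration.
# Locations that do not exist, but that the server answers for affirmatively.
DECOY_PATHS = {"/backup/", "/admin-old/login.php"}
# Prefix reachable only through links hidden from human visitors.
HIDDEN_LINK_PREFIX = "/trap/"
# Known-bad signatures: a Code Red style probe path and a scanner user-agent.
PATH_SIGNATURES = [re.compile(r"^/default\.ida\?", re.I)]
AGENT_SIGNATURES = [re.compile(r"nikto", re.I)]

# Combined log format: ip, timestamp, request line, status, size, referer, agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

SAMPLE_LOG = """\
192.0.2.10 - - [06/Dec/2005:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Dec/2005:14:01:09 +0000] "GET /products.html HTTP/1.1" 200 2048 "/index.html" "Mozilla/5.0"
198.51.100.23 - - [06/Dec/2005:14:02:11 +0000] "GET /admin-old/login.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.23 - - [06/Dec/2005:14:02:12 +0000] "GET /backup/?list=1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Dec/2005:14:03:40 +0000] "GET /trap/a/b/c.html HTTP/1.1" 200 90 "/trap/a/b/" "ExampleSpider/1.0"
203.0.113.77 - - [06/Dec/2005:14:05:00 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 0 "-" "Mozilla/4.0"
203.0.113.77 - - [06/Dec/2005:14:05:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 0 "-" "Mozilla/4.75 (Nikto/1.35)"
this line is malformed and is skipped
"""


def classify(log_text):
    """Map each client IP to the sorted list of reasons it looks like an attacker."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line: ignore rather than guess
        ip, target, agent = m.group("ip"), m.group("target"), m.group("agent")
        path = target.split("?", 1)[0]
        # (1) request or client matches a known bad signature
        if any(s.search(target) for s in PATH_SIGNATURES) or any(
            s.search(agent) for s in AGENT_SIGNATURES
        ):
            findings[ip].add("bad-signature")
        # (3) client asked for a location that normal users never look for
        if path in DECOY_PATHS:
            findings[ip].add("decoy-path")
        # (4) client followed a link that is hidden from normal users
        if path.startswith(HIDDEN_LINK_PREFIX):
            findings[ip].add("hidden-link")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}


if __name__ == "__main__":
    for ip, reasons in sorted(classify(SAMPLE_LOG).items()):
        print(ip, ", ".join(reasons))
```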


Tracking File Transfers

Fake Vulnerabilities

Distributed Denial of Service

[1] Stuart E. Schechter et al., "Fast Detection of Scanning Worm Infections," http://eecs.harvard.edu/~stuart/papers/scanworm.pdf

[2] Frank Castaneda et al., "WORM vs. WORM: Preliminary Study of an Active Counter-Attack Mechanism," http://www.icir.org/vern/worm04/castaneda.pdf

[3] Timothy M. Mullen, "Defending Your Right to Defend."

[4] H. Meer, R. Temmingh, and C. van der Walt, "When the Tables Turn: Passive Strike-Back."

V. Feasibility

Worm Vs Worm

Email Spam or Virus Strike back

Strike back at Botnet

Categorize and Neutralize Botnet

This attack depends on being able to categorize the Botnet on the offending machine. Certainly a server could stop the spread of a known worm in this way. It could also try a series of attempts against a bot whose behavior is less well-known.

Note that a botnet can defend against this by sending spoofed IP packets. This attack thus works well when ISPs are using egress filtering, wherein they drop packets from within that have invalid IP addresses. Currently many ISPs do not do egress filtering.
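
The egress filtering described above amounts to a per-port check of each outbound packet's source address against the prefix the ISP assigned to that customer. The following is an added example, not code from the original page; the port names, prefixes and packets are constructed, and real filters run in router ACLs rather than in Python.

```python
import ipaddress

# Constructed example: the prefix the ISP assigned to each customer-facing port.
PORT_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/28")],
    "cust-b": [ipaddress.ip_network("203.0.113.16/28")],
}

# Constructed outbound packets: (ingress port, source address, destination).
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.5", "198.51.100.1"),   # legitimate source
    ("cust-a", "203.0.113.20", "198.51.100.1"),  # spoofs a neighbour's address
    ("cust-a", "not-an-ip", "198.51.100.1"),     # unparseable source
    ("cust-b", "203.0.113.20", "198.51.100.1"),  # legitimate source
    ("cust-b", "192.0.2.99", "198.51.100.1"),    # address from outside the ISP
    ("cust-b", "10.1.2.3", "198.51.100.1"),      # private address leaking out
    ("cust-c", "203.0.113.5", "198.51.100.1"),   # port with no assignment
]


def egress_decision(port, src):
    """Return (verdict, reason) for one outbound packet seen on a customer port."""
    prefixes = PORT_PREFIXES.get(port)
    if prefixes is None:
        return "drop", "unknown port"
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop", "unparseable source"
    # Membership is False when the address and prefix are different IP versions.
    if any(addr in net for net in prefixes):
        return "forward", "source within assigned prefix"
    return "drop", "source outside assigned prefix"


def filter_egress(packets):
    """Split packets into those forwarded and a per-port count of drops.

    The per-port drop count is what tells the ISP which customer link is
    emitting spoofed traffic, even though the spoofed address itself does not.
    """
    forwarded, dropped = [], {}
    for port, src, dst in packets:
        verdict, _reason = egress_decision(port, src)
        if verdict == "forward":
            forwarded.append((port, src, dst))
        else:
            dropped[port] = dropped.get(port, 0) + 1
    return forwarded, dropped


if __name__ == "__main__":
    kept, drops = filter_egress(SAMPLE_PACKETS)
    print("forwarded:", len(kept))
    print("dropped per port:", drops)
```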

An ISP would be a good candidate to provide this type of service. It is in an ISP's best interest to restrict malicious activity from within. It could neutralize botnets among its own clients, and potentially even inform the client that his machine was corrupted and subsequently neutralized, and provide steps to fix the vulnerability. However, setting up such a server is difficult and expensive and requires frequent updates. For this type of technique to gain widespread feasibility, software would need to be sold to many ISPs.

Mislead Hacker's Investigations

A fundamental feature of this interaction of a hacker querying a server is that a server can control what information the attacker receives; that information need not be truthful or even harmless. Another feature is that hackers largely use a set of known tools to automate this investigation; such known tools can be manipulated. Thus, it can be quite easy to frustrate a hacker.


Tracking File Transfers

Fake Vulnerabilities

Distributed Denial of Service

VI. Legal issues

Cyber counter-attacks occupy a legal gray area. A business that launches a counter-attack may violate the same criminal laws as the attacker, and may bear liability for damages resulting from the counter-attack. On the other hand, a counter-attack may be justified as “self-defense” or “self-help,” if the method used is proportional to the initial attack, and there were no reasonable alternatives. The situation is complicated by the fact that cyber-attacks are novel crimes, without any analogue in the real (non-computer) world. Any doctrine of self-defense in cyberspace must take these new circumstances into account.

Background: Computer Crimes

We briefly summarize some sections of criminal law that apply to attacks and counter-attacks.

There is a loose distinction between computer-related crimes (ordinary crimes committed with the aid of computers) and true computer crimes (crimes that are only possible using computers). The kinds of cyber-attacks we are considering tend to be true computer crimes, in that they exploit the unique properties of the Internet, such as anonymity and global connectivity. Traditional common law concepts break down when we apply them to these cases. “Property” and “theft” are not clearly defined in this setting; there is only information, which can be copied or altered. “Trespass” also loses its meaning; any host can communicate with any other host on the Internet, and it is the type of communication (an e-mail versus a denial-of-service attack) that matters [1].

Instead we must rely on specialized computer crime statutes. At the federal level, the statute most relevant to cyber-attacks is the Computer Fraud and Abuse Act (CFAA) [2]. Broadly speaking, the CFAA makes it a crime to “intentionally access a computer without authorization” in order to pursue certain kinds of criminal conduct. Though originally intended to combat fraud, the CFAA has since been amended to deal with viruses, worms and other “malicious code.” It punishes anyone who “knowingly causes the transmission of a program, information, code, or command,” and as a result, “intentionally causes damage without authorization” (a)(5). Note that two elements are required: unauthorized access, and intent to cause damage [1]. So a counter-attack would not automatically violate this statute. Consider a procedure that disables a piece of malware running on an innocent third party’s computer, but does not touch anything else. This might constitute an unauthorized access, but it is not a violation because there is no intent to cause damage.

In addition, many states have passed computer crime laws, which are usually more aggressive and up-to-date than the federal CFAA. California law, for instance, punishes anyone who “knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs” (c)(4) [3]. This statute does not consider whether the intent is to cause damage, or whether the data being altered is itself legitimate (as opposed to malware); both attacks and counter-attacks are illegal. However, there is an exemption for “acts which are committed by a person within the scope of his or her lawful employment” (h)(1).

Self Defense

Self defense ordinarily applies when a person is threatened with serious bodily harm. It requires two elements: “a counterstrike ... which is proportional” to the threat, and “a good faith, objectively reasonable belief that the counterstrike was necessary, in the sense that there were no adequate alternatives” [4].

Claiming self-defense in the case of a cyber-attack raises a number of issues. First, the attack and counter-attack may involve an innocent third party. If the attacker controls a large number of machines that belong to an innocent third party (as in a botnet), the counter-attack may affect the third party more severely than the attacker. This is troubling; one’s intuitive notion of self defense suggests that the counter-attack should be aimed primarily at the attacker, and should not result in excessive amounts of collateral damage. This goes beyond the usual requirement of proportionality.

Also, in the case of a cyber-attack, it may be difficult to show that there were no reasonable alternatives to the counter-attack. The choice of which action to take is complex, and a network administrator may have a very different perspective from a judge or jury [4]. Also, whether a particular alternative is “reasonable” may be a matter of opinion. For instance, if it turns out that defensive counter-measures are expensive but technically feasible, does this constitute a reasonable alternative? The only way this question can have a sure answer is if the computer industry agrees on what the trade-off should be.

[1] Rasch, Mark D. “Criminal Law and the Internet.” Book chapter in The Internet and Business: A Lawyer’s Guide to the Emerging Legal Issues, Joseph F. Ruh Jr. (ed.), 1996.

[2] Title 18, U.S. Code, Sec. 1030.

[3] California Penal Code, Sec. 502.

[4] Karnow, Curtis E.A. “Strike and Counterstrike: The Law on Automated Intrusions and Striking Back.” BlackHat Windows Security 2003, Seattle, WA, Feb. 27, 2003.

Worm Vs Worm:

Email Spam or Virus Strike back:

Strike back at Botnet:

Neutralize Botnet:

Mislead Hacker's Investigations

Tracking File Transfers

Fake Vulnerabilities

Distributed Denial of Service

VII. Summarize futures

Attribution for crime deterrence and effective counter attack:

Correct and fast attribution of the crime and proper punishment are the key to stopping cyber attacks and making counter attacks successful and just.

As with many crimes, it’s essential to put the liability for the loss due to an attack on parties that can impose restrictions such that the crime gets automatically discouraged. For example, an ISP can be held liable for a loss relative to the loss its network caused in the propagation of a worm, or if its network was used for letting a virus out. This in turn can trigger the following changes:

1. The ISP starts a process of authenticating its subscribers and putting in place the infrastructure to locate crime originators. This may encourage the ISP to run egress filters to avoid sending illegal packets on the network.

2. A cyber-citizen-credit-score rating system may emerge that will allow good cyber-citizens to subscribe to the net more cheaply than bad citizens. Good cyber-citizens are people who keep their machines up to date and pay the ISP for keeping them up-to-date.

3. A centralized infrastructure for counter attack is put together, as described below.

4. Since attribution of the attack is possible, a counter attack can be targeted at the right machines.

5. The next generation network will be developed with security as a main design consideration.

Infrastructure for centralized Counter attack:

Considering all the liability, ethical and economic impact, it feels like no one user involved in the attack or counter attack can justify his or her position 100% effectively without spending a fortune on the attack and on collection of the logs/material for investigation later. How about a non-profit or government organization that acts as police on the network? When a machine or a system detects that it’s under attack, it (with or without consent of the user) informs the Cyber police. The Cyber police machine, equipped with all the necessary tools, authenticates the complaint, then either neutralizes the attacking party or, if required, deploys a counter attack on the attacking party. While the attack is carried out, it collects all required logs for future investigations. This is just a means of centralizing the counter attack strategy to reduce cost and provide neutral intervention. The Cyber police has to be a neutral party, equipped with the best equipment and strategy. The Cyber police and the procedures it follows have to be open. But this also means that it is vulnerable to attack.

VIII. Conclusion