Today jerichoattrition wrote a provocative blog post called “Putting an end to ‘strike back’ / ‘active defense’ debate…” The magic phrase offered is this:
Ending the Debate In One Easy Line
If a company can’t do defense correctly, why do you think they can do offense right?
That simple, that logical.
Security experts are fond of saying security is a process not a destination. Continuous improvement is the aim, like balancing a bicycle, rather than aiming for a specific event and calling it done.
It is similar to keeping healthy or fit. As soon as you achieve a goal you set another and continue with your measurements and training.
But what if we could find a secret formula to settle our debates about security once and for all? What if we could utter one magical phrase to make everyone see things the way we see them, with our vision of security as the final destination? Would anyone want that?
Sounds like a Twilight Zone episode to me. Someone wishes everyone would stop debating and just agree. Then, as soon as this dream comes true, the protagonist realizes a giant mistake has been made.
The camera pulls back and we see a man running frantically through the street, begging someone, anyone to debate or disagree. Instead, surrounded by smiling faces all he hears is “I agree!”
I agree! I agree!
Do we really want that? What is simple or logical about saying good offense depends on good defense? This debate is far from over and that’s a good thing…
Jericho’s post does not explain away the fact that the two can be, and often are, mutually exclusive. The very foundation of a deterrence policy, for example, is an offense so effective that defensive capability becomes less relevant.
I’m tempted to point out the many sports teams with good offense and bad defense.
Instead, sticking with IT, a large enterprise that struggles to upgrade defenses still can have an effective offensive team. An offensive team in fact may be built faster/better/stronger to focus back on the enterprise itself to help pinpoint and improve slower/worse/weaker defenses.
Defense often is saddled with dependencies, depreciation issues, complexity, politics, etc. Meanwhile an offensive team can quickly come directly into modern and advanced capabilities. In other words, building a highly effective offensive team is sometimes a strategic investment that can push an ineffective defensive team ahead.
A mismatch, with a better offensive team, means flaws can be found with visibility into risk posture, blasting through obstacles that held back better defense investments. This imbalance should be no stretch of imagination. It’s common and has been happening for many years. Think of it as a football team that pits its lagging defense against its own top-ranked offensive line to pinpoint holes and improve defensive capabilities. Companies are hiring top red-team talent even when their blue-teams aren’t top tier.
Back to the point of active defense, a highly-effective offensive team that is better than a defensive team simply could switch focus towards targets outside. That is why it is easy to see how a company that can’t do defense right can do offense right.
The blog post also tries to warn us of a lack of solid definition for “active defense.”
…note that recon is not ‘defense’. By port scanning, pinging, or tracerouting the remote system that attacked you, it does not help you defend your network. It is the first stage of an active response. Strictly based on the terminology of “active defense”, activity such as changing a configuration or creating real-time decoys to increase the cost of attack. Even today’s news, covering an entire talk on the legal risks of “active defense”, does not even define the term.
Recon is a part of defense, “it is the first stage”, but it is not alone a defense. Agreed. But why are we worried that the definition isn’t easy? That seems normal to me. Or why worry that a definition isn’t found in one talk?
After reading the post I see more room for debate, more uncertainty and fear without solid explanation or supporting argument. Here are just four examples from where debate can easily continue:
If you can easily and positively attribute, they shouldn’t have breached your defenses. You have no business attacking them when you were negligent on defense 101.
Containment is more complicated than this view. Attribution may come later, as part of a decision process for limiting damage. Whether easy and positive attribution takes 1 minute or 1 day, it happens post breach. Not every breach can be anticipated, which is why a common phrase responders use is “always prepared, never ready”.
If you think you can positively attribute, you cannot, you are out of your element.
Again, overly simplistic view. Attribution is hard for some, easier for others. Hiding is effective for some, impossible for others. Most important is that practice makes attribution more accurate and there are many public cases of positive/successful attribution.
Even if you can miraculously attribute the human at the keyboard, regardless of how many hops back, you cannot positively attribute who hired them to hack you.
This is a decision point rather than a disincentive. Responders can positively attribute deeper than just front-line attacks. Anti-mob and anti-terror efforts reach the source all the time. We can be just as effective.
If you attribute the person, and not the motive, by hacking back, you violated the law just as they did.
I have to point out here that legal advice from a non-lawyer is specious. Meet with a lawyer if you want to know when and how you will violate the law. As David Willson has written on this blog and presented many times, active defense is not a crime.