We propose strategies for defenders to regain the initiative and push security solutions far beyond the reach of current security tools – yet those strategies start mirroring the actions and technologies of the bad guys, and confront us with important technical, legal and moral dilemmas.
“He who fights with monsters should be careful lest he thereby become a monster” -- Friedrich Nietzsche
I occasionally re-read a paper I wrote with George Danezis in 2008. It is still true and, in some sense, the way we fight cyber criminals has moved towards the approach we suggested then. One particular aspect is "active defence", which was not really actively considered back then. A PDF is available here, and here are a couple of sections as a teaser.
We believe that the tactics used to combat malicious parties on the Internet are always a step behind, and that a strategy does not really exist. However, Jomini stated several centuries back that the key to warfare is strategy. Let us start with several notes from history.
- There is an asymmetrical relationship between attack and defense. One should try to reverse the asymmetry whenever possible. Attack has several decisive advantages: surprise, the benefit of terrain, concentric attack, popular support, and moral factors.
- Divide and conquer: a tactic further developed, for example, by Matyas Rakosi for the Hungarian Communist Party in the late 1940s as "salami tactics", which uses alliances to increase political power.
- If you rely on common sense, you inevitably make a bad strategic choice.
- The inner line of operations, i.e. operating inside the enemy’s army, allows one to fight separate parts of the enemy’s forces.
- Mobilization of the whole nation forces the enemy to “defend the area”, and we can pick the right time and the right place to fight battles.
Yet the most neglected advice when it comes to Internet conflict is the focus on the offensive. Defenders make no attempt to ‘reverse the asymmetry’ and instead believe that security will come from digging deeper trenches around the few secured hosts. This gives the adversary full strategic advantage to attack when, where and how she wishes.
The Power of Information
Many commanders quickly realized the power of information and careful planning. Interestingly, more of the rules concern concealing one's own actions and strengths.
- Hiding the real purpose of actions is an important element of strategy.
- Conceal your plans, or plan several steps ahead.
- One should not engage the enemy in combat or show one's strength before learning the enemy’s intentions.
- One should prevent hostile reconnaissance and thereby conceal the second line of one's forces.
Internet: There is warfare already taking place, so we can learn a bit about our enemy and study their behavior. We can design new tools and use them in the war, but no one is making any plans. We are fighting isolated battles and losing the war.
The enemy's plans are very easy to read, if anyone bothered to do so, as the threat posed by them is very small.
The organization of the enemy consists of a head, support groups (organized for specific crimes), and working units. The working units cover the following activities: vulnerability discovery, exploit design, spam management, DNS record management, coding, web site building and management, botnet management, and sales agents.
Most activities are offline; the enemy goes online only to manage botnets, web sites, and sales agents. It is also possible to detect online malicious activities, i.e. the actual attacks. We can learn from the way botnets are commanded and organised, but our tools must be equally stealthy so that they do not become easy targets in the wars between botnets.