Thursday, January 14, 2010

Is active response a valid approach to dealing with APT?

I recently picked up a copy of Jeffrey Carr's Inside Cyber Warfare: Mapping the Cyber Underworld (review pending, stay tuned!).  One of the chapters struck a particular chord with me, and I thought I'd share my views.

Chapter 4, Responding to International Cyber Attacks as Acts of War (written by guest author Lt. Cmdr. Matthew J. Sklerov) is a fascinating legal analysis of the basis for the lawful use of armed force between nation-states.  In it, Sklerov proposes that not only do states have the legal right to respond to network intrusions with "active response" (AKA "hack backs"), but that this is a far more effective response than traditional passive defense.

Of course, people have been talking about "active response" for almost as long as I've been in the security field.  However, most of that talk was oriented towards garden-variety attacks, not the high-end attackers referred to in this analysis.  Yes, this chapter (in fact, much of the book) is talking about what we refer to as the Advanced Persistent Threat (APT).

This chapter talks a lot about whether a cyber attack could be construed as the use of armed force (answer: yes) and if it would be legal for one state to launch a cyber attack on another in order to defend or deter them from such attacks (answer: yes).  I think everyone can agree that attacks that are clearly government sponsored would warrant some sort of action by the victim state.

The really interesting argument, though, is whether the attacks have to be clearly attributed to a state, or whether it is sufficient that they merely be imputed.  In other words, do you have to prove that the state performed the attack directly, or is it sufficient to know that the attack was carried out by non-state actors either under the direction of or with the tacit complicity of the attacking state?

This is a very important question, because states that are known to be actively engaged in cyber conflicts rarely do their own dirty work.  Russia and China, for example, are both widely believed to work through their own extensive networks of civilian hacker groups, which somehow seem to escape prosecution as long as their targets are the enemies of their respective states.  If the governments approve of what the hacker groups are doing, they allow them to operate and offer them a large degree of immunity from international investigation.  The whole time, the government gets plausible deniability.

According to Sklerov's argument (which I'm brutally mangling by boiling it down into simplistic terms), states that perform cyber attacks, or through inaction allow cyber attacks to be performed from within their borders, have sacrificed their right to remain unmolested and opened themselves up to hack backs by their victims.

However, Sklerov's entire thesis is colored by his military background.  His argument is based on the premise that the victim is a nation-state, not a corporation, or even a group or individual.  It's very easy to talk about how a nation-state has the ability to use armed force to protect its interests, but the international law that he marshals to support his argument does not apply at all unless you are a government.

Sure, APT is out there targeting governments, but they're also inside companies as we learned this week with Google's announcement that it was being hacked by China.  My biggest question, then, is "Where does this leave the rest of us?"  I very much doubt that any non-governmental organization or individual is prepared to open a cyberwar with a nation-state.  If they did, their actions would by definition be illegal and would probably result in criminal charges in their own country.  In fact, it would be that country's positive duty to fully investigate the hack back and enforce the law, or they'd open themselves up to hack backs by the aggressor nation due to their inaction.

Sklerov also spends some time discussing technological aspects of active attack: specifically, how to accurately determine the source of the attack in order to target your foes.  I admit that I'm a little confused by this:

Automated or administrator-operated trace programs can trace attacks back to their point of origin.  These programs can help system administrators classify cyber attacks as armed attacks [...] and evaluate whether attacks originate from a state previously declared a sanctuary state.

A few pages later, he also writes:

Cyber attacks are frequently conducted through intermediate computer systems to disguise the true identity of the attacker.  Although trace programs are capable of penetrating intermediate disguises back to their electronic source, their success rate is not perfect. 

Honestly, I have absolutely no idea what he's talking about here.  "Trace programs?"  I see those on TV and in the movies, but never in real life.  The technology just does not exist.  He's right that APT attacks never come from the attackers' own computers; they compromise other systems and then use those as disposable launch points from which to attack their real targets.  When a launch point is "burned", they discard it and start again somewhere else.  You can easily identify these intermediaries, but there's no way to trace back any farther without contacting the system owners (or hacking back) and performing a manual, time-consuming analysis.  This idea of an automated trace just isn't based in reality.

In my view, these are the two points that really undermine the value of active response as an APT-fighting tool: unless you're a government it's still illegal, and it's not technically feasible to trace the source back to an appropriate target anyway (even if you are a government).

Having said that, I still think this is a fascinating and compelling legal argument.  Governments have the duty to protect the interests of their citizens (and by extension, companies and other organizations based in their country), so perhaps this could serve as a legal basis for allowing the government to take a more active role in helping to defend private networks.  In that case, the active response could be performed with the assistance of or under the direction of an authorized federal agency, which might eliminate some of the legal barriers and do some real good in the field.

1 comment:

markus said...

nice work, I needed to see something like this today.