Woman: This call is now being recorded.
Brandon Dunlap: Good morning, Mr. Wilcox.
Spencer Wilcox: Hey, how are you, Brandon?
Brandon: I’m just about halfway through my first cup of coffee so forgive me if I’m a little slow with you this morning.
Spencer: That’s all right.
Brandon: Well, do you still have time to chat?
Spencer: I do. I am driving in as we speak.
Brandon: No problem. I think that we decided that we were going to talk about the Disrupt portion of our Network Use of Force Continuum this morning.
Let’s dive right in.
The first step is defining what we mean by “Disrupt.” This is really the first time we leave our network boundary to begin to affect the upstream attack or the attackers.
Spencer: I would classify it more as a border skirmish than leaving the boundary. Within Disrupt, there are a lot of tactics like shunning at a firewall, like disaster recovery IP addresses, things that would extend your perimeter or blockade a perimeter rather than necessarily egress from your network.
There certainly is an element of leaving your network. Things like communicating with an upstream ISP might be an example of how one would leave the perimeter. But it’s not as in your face.
It’s within this particular spectrum. It’s not as if you’re “taking the battle to the enemy.”
I want to make sure, first, that we make that distinction. The real difference between this and the Disarm and Destroy phases of the spectrum is that this one is right on the edge of your own person.
The physical analog to this would be an open-handed tactic where a police officer grabs a suspect or a subject instead of immediately going to a more lethal form of force.
Brandon: Let me ask you this, then. There was the electronic hippies incident whereby the defense actually rerouted attack traffic to the source. They weren’t actually traversing open Internet space in affecting the end attacker in that manner by compromising or DDoSing them or something like that. Instead what they did was they just put routes in to redirect that traffic back to the offending host.
That one straddled the line perhaps, but it’s important to note that you have not then left your own purview. It’s more like jujitsu in that regard, using your enemy’s weight and momentum against them, which could be construed as Disrupt.
But depending upon the impact, could also be construed as Destroy.
Spencer: I would have said Disarm. It moves directly into that space of a denial of service (DoS) without necessarily being distributed.
So the idea there being, if I am echoing back everything that you just said to me rather than listening to it, I haven’t really done anything wrong. But I am leaving my network at that point.
Again, I want to make sure that that delineation is there between what we’re calling Disrupt and then Disarm or on the lower scale in the Deceive spectrum. So in the Disrupt part of the scale, what we’re really looking at are things like a tar pit.
So you enter my network. Rather than me just monitoring you like I would in Deceive, with a honeynet or a honeypot, I’m going to actually slow you down.
I’m going to make it hard to live on every package so small that essentially your traffic has become almost minuscule in its impact. Does that make sense?
Brandon: So using tar pits, firewalls, shunning, just null routing stuff, things of that nature, so that you are doing your best to dodge the attack.
Spencer: That’s right. In personal safety one of the things we used to do, like the crime prevention training years ago, I’d go out to a personal safety lecture.
One of the things they’d say is, “Remember, it’s very difficult to hit a moving target if someone’s shooting at you, right? So start moving.
It’s very difficult for somebody who’s got a pistol to hit that moving target. Be a moving target.” This Disrupt spectrum really is being that moving target. It’s an attempt to eliminate the immediacy of attack.
Really what we’re trying to do is we’re trying to make the armed assailant miss. We’re trying to cause him to hit a backstop instead of hitting us, or maybe even, redirecting him out to somebody else.
Maybe not a completely ethical means of doing business, but imagine, if I’ve got bad guys that are causing me problems, and I just redirect all of my traffic to, oh, say, some military space website, so the military will get their traffic from this point forward.
Brandon: Well, what we’re essentially talking about is something my old martial arts instructor used to tell me. The easiest way to not get hit in a fight is to not be where the punch is going.
What we’re talking about here with reflecting traffic or redirecting, firewall shunning, switching over to another set of IPs in your disaster recovery facility or whatever that may be, is being someplace other than where the attack is going.
You are Disrupting, not the attacker, necessarily, in this case, but the attack itself.
Spencer: That’s right.
Think of it as Captain America’s shield. Captain America’s shield can certainly be an offensive weapon. He slings it around. He bounces it off walls, but in essence it’s just a shield. Its first job is to Disrupt the attack itself. That’s the purpose of this phase.
Let’s stop the bullet from hitting our superhero.
Let’s stop the attack from getting through.
Let’s protect the network by using innovative tactics to skirt the edge of our own borders or our own perimeter.
What we don’t want, necessarily, is to go too far afield from our network, that is to say, we’re not suggesting that people go out and use a High Orbit or Low Orbit Ion Cannon at someone at a point in their defense.
What we’re suggesting is that they use more traditional tactics that are clearly not possible violations of the Computer Fraud and Abuse Act, right?
The other thing that we want to look at here is the use of legal means at this level. This would be the level where we would send an abuse letter to an ISP, if an immediate cessation is not absolutely necessary.
In other words, the punches aren’t hitting so close to home that we can’t absorb the shock. Then what we might consider is taking a little more time out of our day, going all the way to identification of the actual attacker, maybe, and using legal means to try and stop the attack.
This is very similar to what Microsoft has done in some of its efforts to stop command and control botnets. They’re saying, we’re going to go ahead and initiate civil litigation in whatever country this thing is being run from, in order to help stop the damage.
The trouble with that is, it may take a year or two, and the question is, can we tolerate that? I guess the answer is, it depends really on your patience, on what’s at stake.
But at this level of attack I think of it as, these are the constant, pernicious attacks. This is the guy who’s getting in, he’s getting through, he’s getting to you, he’s doing everything that he can to start Disrupting your services.
It may be an APT. It might be some kind of attack by assignment, or it might mean you have a malicious insider. The idea here is, this is not a fast‑spreading, lethal‑force‑against‑your‑network type of attack.
Brandon: You’ve gone up a few things in that last little bit, but let’s drill into where this fits. One of the things that you brought up is, if it is not an attack that has the immediacy and potential of a quote‑unquote “lethal means,” that’s not a massive DDoS or something against your web services, let’s say, then this may be where you stop. This may be where you say, I’m just going to go here, while I continue my investigation, reach out to law enforcement, and take a breather, shall we say, in the escalation.
It’s a good pause point, I think, because sometimes these things are combinatorial attacks. We’ve heard this in the financial industry, where a denial‑of‑service attack is actually coupled with a fraud attack, perhaps bogus ACH transfers.
What they’re doing is they’re getting the defense all riled up around a bogus attack. Well, it’s a legitimate attack, but it’s really just a smokescreen for something else.
This is small enough that it doesn’t spin up all of your resources to respond. Then maybe it buys you a significant amount of time. Again, it comes back to proportionality. If not in a state of immediate and real danger, then maybe this is where we disarm or where we stop, because we’re on the right side of the law, still.
Spencer: That’s exactly right. There’s not a lot of risk associated with this particular level of the defense spectrum, or at least personal risk. If I’m a company, my question is, how much risk am I incurring by taking this action? Am I potentially creating a situation where I have to litigate? Am I potentially creating a situation where I have the federales knocking at my door, so to speak?
The answer here is no, there’s no real step outside your perimeter. There’s no risk associated with taking this tactic other than the internal risks associated with the potential for damage to your own networks.
What I want to make sure that we address, though, or reiterate here, is the real issue here, at this layer, is an opportunity to Disrupt the attack itself.
You have an opportunity, if you’re able to go to this level of effort, you have the opportunity to either Disrupt it technically, and there are a number of really interesting products that can help at this layer.
You have an opportunity to Disrupt legally. You also have potentially an opportunity to Disrupt through alternate means, like through administrative means, like reaching out to an ISP, or even an administrator on a network.
Let’s say that you find that somebody is sending you hundreds and thousands of spam messages, and they’re all coming from a single domain. You can reach out to that administrator and say, “Hey, look ‑ you’re spamming me. I want to make you aware. If you don’t do something about it, we’re going to take additional steps, like asking that your domain be blacklisted.”
So it really is the friendly approach, if you will. It’s the open‑handed control technique. It’s the grabbing the guy by the wrist and saying, “All right, come on, buddy. Come on with me,” as opposed to, you know, resorting to further tactics that might be more damaging.
Brandon: So as we look at this phase, where previously with Defend, we’re kind of in a maintenance mode. Even with Deceive, we are largely in a maintenance mode and monitoring. Disrupt seems to be taking an active stance, would you agree?
Spencer: It is. I would almost call it a traditional, a more traditional incident response mode, you know? There’s some active defense here, there’s damage control and mitigation at this point in the spectrum. When you start looking at the previous two spectra, Defend and Deceive, within Defend, really, you’ve already stood up your walls and you’re letting people come and attack the walls, right?
Your walls being things like firewalls and like bastion hosts and vulnerability management patching practices, and so forth.
You’re monitoring what they’re doing, what the bad guy’s doing when he’s attacking you, so that you can begin to gather intelligence, begin to get a true understanding of what the attacker is capable of and what their capabilities are.
In the Disrupt spectrum, you’re taking advantage of the information that you gained doing the monitoring in the Deceit spectrum. You’re really looking more at the what did we learn about this guy, what can I throw up in front of him to slow him down, OK?
And, you know, it’s really, this layer that we’re talking about taking advantage of what we know and what reconnaissance we’ve been able to get on the attacker himself.
Now, that begs the question. Does that mean that at this layer we have to be able to attribute the attack? The answer is no, that’s not at all what it means. What it means is I have to be able to say that that’s the IP address that’s attacking me.
Now, at this layer I might also determine that, you know what? It just stops. If I can wait it out and there’s a cessation of attack, I can still remain at this layer because at no point is there a retaliation associated with this.
That’s the neat part about this spectrum and the spectrum to the left of it. In the Deceit spectrum, in the Defense spectrum, and also in the Disrupt spectrum the immediacy of the attack is not the primary consideration because taking that action is not retaliatory.
Brandon: Right, but the caveat that goes with moving to an active stance like this is twofold, as I see it. One is the drain on internal resources. This is the first time that you begin committing internal resources to your defense in an active fashion.
To cut over to a DR facility, for example, for your web server is non‑trivial. It takes effort. You’re going to have to coordinate that, et cetera.
Similarly, if you start black holing or shunning traffic only to find out it’s from a legitimate business partner or customer, you could rankle the business side of this, as well.
I think that there’s some caution that needs to go with moving to this active stance, both in terms of resource utilization and potentially causing damage yourself, cutting off your proverbial nose to spite your face.
And so, I think that as you escalate through this continuum, pause here because this is where a lot of risk based decisions need to be made.
Whereas previously, what we’re talking about are really very limited risk based decisions. You’re putting up a firewall. That’s a good, sound, solid, common practice.
You’re limiting ports. You’re doing egress filtering, all of those good, happy things. We’re assuming that you’re doing things right as we go through this.
Now at this point, though, you’re actually running the risk of Disrupting your own business, not just the attack, through resource utilization and potentially blocking or closing or shunning legitimate network traffic.
Spencer: That’s right. I would think of it in terms of incident response. One of the interesting things about incident response programs is, there’s a cost associated with spinning out these resources. You’re taking away from your normal daily activities.
Essentially what you’ve done at this point, and you’ve identified that there is an issue that is significant enough that you can take these folks away from their daily duties.
It’s going to be more than just your security team, generally, involved in this. You’re going to have folks from your network operations, from your infrastructure organization who are involved, maybe from your applications, maybe from, at this point, your corporate communications and legal department.
At this point, you start spending resources beyond just tools and technologies that you’ve laid out, and normal daily monitoring processes, as you’ve alluded to it there.
What I think is ultimately the key component of this, though, is if there’s really a need at this level to ask yourself, “Do I need to go any further?” also as you alluded to.
But along the way, please realize, this is the level to which people traditionally go anyway in incident response.
Brandon: No, you’re absolutely right.
Spencer: But I would say, this is the extent of it. This is the limit of traditional incident response. After this point, well, here there be dragons. To lay out the signpost, “Abandon all hope, ye who enter here.” Because after we discuss this spectrum, everything else becomes a little more theoretical, a little bit more in your face, and a lot more communication with the outside world, if you will, and bringing the fight to the enemy.
Brandon: Right. This is nothing different than what we’ve been doing to date. In our next session, when we talk about moving into that next phase, that’s when we’re going to get into the area where there may be civil or criminal ramifications. The rubber’s really going to meet the road because this is where we get into actually reaching out and touching someone.
Spencer: That’s exactly right. Anywhere in the Disarm and Destroy spectrum, there will be a real need to make sure that you’ve got an understanding of what your legal liability is. The need to understand what your capabilities are. And there’s really going to be a need to understand what’s going to happen if you fail in your attack.
You mentioned martial arts. One of the things that’s important in martial arts is thinking that one step ahead. If I do this, what’s he going to do to me? What’s going to happen if he’s able to block the strike that I’m planning to land on him?
I think giving consideration to that, don’t exceed the Disrupt spectrum because, quite frankly, you’re probably going to put yourself into some more jeopardy by launching a [inaudible 26:45] attack than you would by simply making sure that you…Or just shutting down your own network and waiting out the fire.
Brandon: Right. I think you’re right there, that this takes thought at this point and beyond. We’ll save, obviously, those items for the next time when we speak. Hopefully later this evening.
Spencer: Absolutely. Looking forward to it.
Brandon: All right.