On the Use of Force
In physical security and law enforcement, there is a principle of an escalating scale of appropriate force that can be applied when an officer is defending himself, a property, or person. This use of force scale begins with officer presence, and quickly escalates to verbalization, then empty-hand control techniques, then less-lethal tactics, such as pepper spray, or tasers, and finally, in the most extreme circumstances, the use of deadly force. An officer selects the appropriate level of force for the situation, based upon his training, and experience. While each level must be considered, if the situation warrants an immediate increase in the level of force to be applied then the officer may immediately apply the appropriate level of force. For instance, while mere officer presence may be sufficient force to manage an unruly crowd at a high school football game, breaking up a fight may require that the officer immediately resort to less-lethal methods, like pepper-spray, if there is sufficient reason to believe that the officer or others would be harmed by not responding promptly. For excellent descriptions of the traditional security / law enforcement use of force continuum, take a look here:
It is important to note that immediacy of the event plays an important role in the decision to use force. An officer may not use escalating force beyond the level required by the immediate threat, and only then in order to limit the loss of life or property. It is also important to note that the officer may not employ deadly force in the defense of property alone, though if the destruction or loss of the property would significantly jeopardize life, use of deadly force may be necessary (e.g. protecting a nuclear silo). The Department of Justice defines two inappropriate uses of force:
“The unnecessary use of force would be the application of force where there is no justification for its use, while an excessive use of force would be the application of more force than required where use of force is necessary.” – USDOJ – COPS Office
Is there a virtual analogue to the physical use of force continuum?
Current defense-in-depth style network security does not escalate force, it relies solely upon passive preventive controls and technologies to reduce risk at each layer of the network in order to develop a layered mitigation method to reduce the risk. This strategy does not allow for a network defender to protect themselves with any use of force, beyond mere presence. This style of defense is akin to being mugged, and trying to hold on to your wallet while your attacker is cutting your hands. Its dangerous, pointless, and could result in more severe damage than either freely handing over the wallet, or in counter-attacking to cause the mugger to stop. At some point, it may be necessary to prevent the loss of life, or damage to property by vigorously and aggressively defending the network.
In order to define the conversation around this hypothetical end state, Brandon and I proposed a Network Use of Force Continuum at the (ISC)2 Security Congress on 9/11/2012. Both of us believe it to be an important topic and one that is of growing importance, as we are called upon to defend our networks. In short, is there a digital equivalent of a security guard for our company networks, similar to a security guard to defend our properties?
The answer seems to be yes, but it requires that a use of force continuum exist defining response to immediate threats in the network landscape. To this end, our proposed continuum calls for the following five categories of escalating network force:
The Orlando Doctrine Network Use of Force Continuum
The entity defends its networks by using appropriate prevention controls, technologies and techniques designed to render improbable or impossible an attack by a network assailant. The entity uses a layered defense-in-depth approach to assure that risks to its systems are defended, and that the basic tenets of information security are designed into the network’s protections.
The entity employs deceit where necessary to reduce the risk of a network assailant causing further harm in the event of a breach due to a defect in prevention or defense-in-depth efforts. Deceitful tactics, such as honey pots, and honey nets, false directories, seeded accounts, and seeded password hashes help to limit network assailants to areas, or privileges that will minimize their ability to do significant damage. Deceit, properly employed, can limit the need to take more aggressive steps in defending the network, like those in the next defense level.
The use of disruptive techniques are designed to be taken when a network assailant is able to overcome standard defenses, and deceit measures. The purpose of using disruption efforts is to control the assailant after the breach has occurred, and while the breach is ongoing, in order to limit further damage. One method of doing this, is to rapidly notify the ISP of the attack vector of the assault on your network by one of its nodes. Other more active defenses include the use of tarpits, dropping traffic, firewall shunning, or blackholing traffic. In worst case scenarios at this level of defense, the entity may even choose to switch its IP over to a DR range. The most important characteristic of the Disrupt layer of defensive options in the continuum is that they remain internal to the entities networks, and service providers, with the only external effort being notification of an assailant’s ISP.
In the event that efforts in the Defend, Deceit, or Disrupt spectra of the continuum do not limit the scope or impact of the assailant’s continued assault on our networks, it may be necessary, depending on the severity of the event, the purpose of the systems under attack, and the risk tolerance of your company to take a more aggressive approach to eliminating the immediate threat. Disarming the network assailant requires that the entity take aim at the assailant’s point of presence. Due to the immediacy issue, the entity may not be fully cognizant of the assailant’s identity, or the purpose of the system that is attacking the entity’s systems. The use of moderately disruptive practices to assure that the assailant is unable to continue the network assault could include such attack types as:
- Denial of Service attacks
- Bandwidth saturation
- ARP Poisoning
If all else fails, and the entity is defending systems or assets whose loss could result in immediate loss of life, it could be necessary to aggressively counter-attack the assailant in order to eliminate the immediate, continued or sustained threat. The Destroy approach is the equivalent of the use of Lethal or Deadly Force in the traditional use of force continuum. Examples of systems where an attack on the assailant may be defensible might include nuclear systems, Department of Defense systems, critical infrastructure control systems (e.g. water, chemical, electric), hospital life support systems, etc.
So, how would one Destroy on the network? By using the same types of attacks and exploits that the hackers use on the entity. Some examples could be:
- Active Network attacks
The key to the destroy level is not the specific tool, but an understanding that the disruptiveness of the attack that you are using could be in violation of one or more laws. For instance, assuming that you choose to exploit a vulnerability on the attacker’s system that disrupts the system, and takes it offline? Is the act criminal? What if in your destructive act to eliminate the threat you take down the ISP that hosts your attacker? Or a hospital network or a even a nuclear control system?
As many have pointed out, it is likely that the Destroy spectrum is illegal. Moreover, it is probably inadvisable from a self-preservation perspective, unless your own networks are unassailable, an event not unlike the discovery of the mythical unicorn. Launching an assault of any sort outside of your own networks, is generally not a good idea. Doing so while your own networks are compromised, from the compromised network may also be a poor choice.
The legality is questionable, however, back to the physical analogue, the counter-attack may be defensible. Self-defense laws exists in the entire United States, and case law exists to make defensible a criminal act, such as an assault, or even a homicide where the act was committed in self-defense. This will be the subject of another article, but it certainly bears noting that if an assault is tried in a court, and it is determined that the assault was in good faith, and in self-defense, the act was lawful, and therefore, no crime occurred.
In no way am I advocating that anyone should break the law. What I am suggesting is that eventually someone will choose to pursue a full spectrum network use of force. In the meantime, this Network Use of Force Continuum, is designed to frame the discussion around what activities may be reasonable under certain controlled conditions.