Active Defense

Marcus Ranum’s view


vs.
Dmitri Alperovitch’s view

Presented By

Sufiyan Ghori

Written by Sufiyan Ghori


Introduction
Terms like "enemy", "attack" or "defense" are well known from human conflicts, but they also have a distinct
meaning in the digital world, particularly in cyberspace. What should one do when an ongoing cyber attack is
detected? Can the enemy be caught red-handed? Can a policy enforcer be called to detain the attacker immediately?
These questions help significantly in evaluating the security infrastructure of companies.

In order to address these issues, the well-known network security researcher Marcus Ranum and the digital security
executive Dmitri Alperovitch have presented insights from their experiences and proposed solutions.

Marcus Ranum and Dmitri Alperovitch are well-respected security researchers and executives. Marcus's work relates
to developing firewalls, Virtual Private Networks (VPNs) and Intrusion Detection Systems (IDS) [1]. He has also lent
his consulting services to Fortune 500 companies and federal governments, and has on many occasions been a guest
lecturer and instructor at technology and information security conferences. Dmitri, on the other hand, has become known
for his work in cybersecurity research, on criminal activity by international operators, and on digital threats from
groups of cyber pirates in other nations, including some government-sponsored groups [2].

Both have discussed the term "active defense" with different focuses. Marcus favours making the walls of his
networks stronger by investing in the development of new systems from zero; he will not patch possible vulnerabilities,
because he thinks it is a waste of time, and he definitely does not believe in attacking back the hacker who is
attacking the company. Dmitri, on the other hand, proposes a series of new techniques to deceive the attacker. Their
difference of opinion makes this an intriguing issue to discuss in the information security field.

This document attempts to present and analyze those focuses from the perspective of the expert who has experienced the
battles from inside the walls of the information security castle, and of the one who proposes that we can attack the
enemy back on their own ground.

Scope

Many private firms that are victims of cyber crimes perpetrated by hackers do not usually have access to services
that take effective steps to enforce the laws that protect them. Therefore they might want to take unilateral
actions on their own, aggressive enough to counter direct threats to their business.

Despite these valid reasons, it is necessary to discuss the possibilities, the risks taken in acting against the
attacker (including the attacker's rights), and the benefits of such actions. This document tries to determine how
such unilateral actions can be carried out in a secure, controlled and justified way.

This document also investigates the perspectives of Marcus and Dmitri and presents personal insights into the
"active defense" concept. Both experts gained remarkable fame when they raised the discussion at the AusCERT
event of 2013. They had been pushing their views and opinions long before that appearance and have continued to
draw upon the matter since. In this document, several sources such as interviews, publications, presentations and
comments from Marcus and Dmitri, as well as from other professionals, on "active defense" are reviewed and
presented.

What is Active Defense?

In a broad sense, "active defense" refers to the measures taken by the defender against the perpetrator.

This strategic defense approach can be used in the context of digital security, where the end goal is to preserve digital
assets, impede any ongoing cyber attack and make future data breaches challenging. Active defense in such
circumstances should hinder the progress of a cyber attack by first deceiving the attacker and then counter-attacking,
compromising the systems, tools and methods they use, in order to determine their intentions and identity [3].

Marcus Ranum’s opposing view

The idea of active defense is closely associated with ethical hacking, in the sense that ethical hackers use the same
skills to secure digital systems and networks as blackhats use to attack them, and sometimes apply those abilities
against the blackhat hackers themselves.

Marcus Ranum holds the opposite opinion of ethical hackers and security personnel; he has said that "There's no
such thing as an 'ethical hacker' – that's like saying 'ethical rapist' – it's a contradiction in terms" [4]. He emphasizes
that the experience and expertise of an information security specialist or an ethical hacker is not as important as
that of a sound system developer, because, "At a certain point, you don't need to know the infinite details of possible
attacks; it's simply enough to know the broad categories of attacks. Having someone stand up and say, "here are 400
different variations on a buffer overrun" is not interesting...." [5]

He has even stated that learning ethical hacking skills is not a good approach, because people who have studied detecting
and exploiting vulnerabilities, whether self-taught or professionally trained, would only be able to use a specific set
of "tools and techniques" that will eventually fade out once the vulnerabilities are patched.

Marcus compared it to an "arms race", since it is tough to stay up to date with the skills, tools and techniques necessary
to detect and fix new vulnerabilities, as they change very often [6].

In his vision, the ideal approach is to develop a highly secure digital system from the very beginning, as opposed to
penetration testing a finished product to detect vulnerabilities.

However, in my opinion, anyone with some experience of working in professional settings knows that his
speculation is far from reality. Someone could develop the most secure software today with up-to-date tools and
patches, but it is highly likely that a vulnerability will be discovered in one of the third-party services that
individual built upon. What would be decided then? Would one really rewrite the software from scratch with upgraded
tools?

The curious part of his view is that he does not believe in patching vulnerabilities or applying security upgrades to his
systems, and that he never upgrades them, as if they were never going to fail. "Somehow, the computer security industry has
become addicted to patching systems - a process that is fundamentally doomed to failure."

In my opinion, patching and upgrading systems is part of how technology evolves so rapidly. Developers are not
building statues; they are creating computer interactions around sensitive and meaningful data, software that deals with
real users, financial transactions and personal information. What is an incredibly secure system today might become
a pool of vulnerabilities tomorrow, who knows?

It is hard to comprehend this point of view when he writes that "patching is an endless losing battle that we're stupid
to engage in" [7].

All his reasoning hit back at him when he had to admit that his web page had been compromised and set to promote the sale of
a medical product. Who knows how long it had been there before Marcus even noticed? Certainly he could not
even discover how the incident had occurred. Apparently he does not give much consideration to website
security, given that he acknowledged spending a minuscule amount on it [8].

The Heartbleed vulnerability

Gerald Weinberg, a computer scientist, once said, "If builders built buildings the way programmers wrote programs,
the first woodpecker to come along would destroy civilization." [19] The Heartbleed vulnerability was one such
woodpecker.

It was a bug uncovered at the end of the first quarter of 2014 that possibly affected almost 600 million
websites using the OpenSSL library for authentication [9]. The vulnerability led to unauthorized access to
memory locations in the web server when the size given in the user's request was greater than the size of the content
actually provided; this is excellently portrayed in an illustration by Randall Munroe of xkcd.com [10].

As soon as it was discovered, there was chaos in the digital world; all the major companies had to take urgent security
measures to patch it.
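The length-check failure described above, as an added example written for this document (it is a Python model, not OpenSSL's code; the record layout, the function names and the "neighbouring memory" bytes are constructed assumptions). The vulnerable handler trusts the length field in the request, while the fixed handler compares it with what was actually received:

```python
"""Heartbleed-style length check, modelled in Python (constructed example, not OpenSSL's code).

A heartbeat record as modelled here is: 1 type byte, a 2-byte big-endian payload
length, then the payload. The bug was that the server trusted the length field
instead of checking it against the number of bytes actually received.
"""
from typing import Optional

# Constructed stand-in for whatever happens to sit next to the request in process memory.
NEIGHBOUR_MEMORY = b"session_cookie=CONSTRUCTED_SECRET_VALUE;user=alice"


def heartbeat_record(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat request whose length field may or may not match the payload."""
    return b"\x01" + claimed_length.to_bytes(2, "big") + payload


def vulnerable_respond(record: bytes, neighbour: bytes = NEIGHBOUR_MEMORY) -> bytes:
    """Pre-fix behaviour: copy `claimed_length` bytes starting at the payload offset.

    The record is followed in memory by `neighbour`; an over-long claim reads past
    the end of the request into that adjacent data and echoes it back.
    """
    claimed = int.from_bytes(record[1:3], "big")
    memory = record + neighbour            # request bytes followed by adjacent heap contents
    return memory[3:3 + claimed]           # never compared against len(record)


def fixed_respond(record: bytes) -> Optional[bytes]:
    """Post-fix behaviour: the claimed length must fit inside the received record.

    Requests that fail the check are discarded silently; only bytes the client
    actually sent can ever be echoed.
    """
    claimed = int.from_bytes(record[1:3], "big")
    if 3 + claimed > len(record):
        return None
    return record[3:3 + claimed]


def bytes_leaked(record: bytes, neighbour: bytes = NEIGHBOUR_MEMORY) -> int:
    """How many bytes beyond the client's own payload the vulnerable handler returns."""
    payload_len = len(record) - 3
    return max(0, len(vulnerable_respond(record, neighbour)) - payload_len)


if __name__ == "__main__":
    honest = heartbeat_record(b"bird", 4)      # length field matches the 4-byte payload
    lying = heartbeat_record(b"bird", 500)     # length field claims far more than was sent
    print("honest request, vulnerable handler:", vulnerable_respond(honest))
    print("honest request, fixed handler     :", fixed_respond(honest))
    print("over-long request, vulnerable     :", vulnerable_respond(lying))
    print("over-long request, fixed          :", fixed_respond(lying))
    print("bytes leaked by vulnerable handler:", bytes_leaked(lying))
```

The point the model makes is that the data returned to the client is bounded by the client's own claim rather than by what the server received; the fix is a single comparison at the top of the handler, which is exactly why "do not patch" was not a defensible position for this bug.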

From Marcus's perspective, how could choosing not to patch that critical vulnerability have been justified?

It is reasonable, and a wise tactic, for companies not to follow his recommendation and instead to run bug bounty programs,
which reward security researchers for finding vulnerabilities in their systems and products while also encouraging and
promoting secure development policies.

Attacking the attacker

Mikko Hypponen, a well-known security expert and head of research at F-Secure, stated in an interview with
Bloomberg that all current Fortune 500 companies have experienced security breaches of some magnitude at some
point [11]. This can be verified by looking at the sheer volume of headlines published in the recent past
[12]. If we have learned anything from these incidents, it is that defense has apparently not been effective enough, no matter
how secure the company thought its system was.

Must organizations consider doing something differently? What should be changed in their strategy?

Marcus Ranum is skeptical about the possibility of identifying an attacker; as he said, "Offense in
cyber war immediately begs the question: 'Who?' The first thing we need to think about is whom to attack, where, and
how" [13]. His view is based on the fact that an attacker can be anywhere, and that it is not possible to determine who
and where the attacker is.

In my view, the problem is that he is confusing cyber attacks and attack campaigns with real wars. He seems
only to acknowledge battles from before ammunition, drones and stealth planes existed. Those wars were about troops,
castles and cavalry, where the army wore unusual costumes with feathers and leaves; that is far removed from modern
warfare, and it has little to do with the harsh reality of the cyber world.

Dmitri's approach

Dmitri Alperovitch, who has much more exposure to companies that are constantly the victims of cyber attack
campaigns, explains that the "traditional passive defense security model" is not sufficient against tenacious hackers.
They are not script kiddies attempting to exploit a vulnerability in an unpatched system to trade it on the dark web,
but attackers who are financially backed, with highly sophisticated tools and resources. They have time, expertise
and skills, and with extremely well-funded sources they hold almost all the advantage.

The traditional model of firewalls, IPS/IDS or Unified Threat Management (UTM) endpoint solutions is not enough
against such hackers performing state-sponsored cyber attacks. If companies only want to defend their
services and networks, they must be ready to constantly spend resources on additional "passive defensive measures",
but that will only delay an expected breach, because these hackers also race against up-to-date
countermeasure tools and techniques [14].

So far, the worst that can happen to an attacker in the short term is that the attack ends unsuccessfully, or that
the system has not been breached yet; but he/she still has all the liberty to keep analyzing the system and
attempting various approaches for as long as desired. These hackers nowadays cross the line with
every attack, but they remain motivated and driven to keep doing it, considering there is no immediate
counter action.

It is like the days before caller ID was invented, when people used to receive anonymous prank calls over the
phone.

Companies face a dilemma in such situations, and their conventional approach to handling such attackers is to
block their IPs over and over again. They can filter phishing campaigns at the mail server, or add new
rules in iptables, but if the attacker has the resources to circumvent these security layers there is little or nothing
more that the company can do.

That is, the known tools of defense only seek to halt attacks; there is no impact on the attacker unless the
company concerned decides to initiate legal proceedings against them. This is only feasible if the organization
has the competent authorities at its disposal and also meets all the conditions needed to carry out an inquiry into the
conflict and against the perpetrator. This task, unfortunately, is considerably complex and takes too long to reach a
satisfactory result, all while the attacker already has his loot.

Dmitri's proposed solution

Dmitri's approach is that corporations should have the capability and the permission required to wear the hacker
out when performing these attacks. There must be something that can help them recognize the attacker,
identify what he/she was specifically after, and gather all plausible evidence that prosecutors might need to build a
reasonable case against the attacker.

Some may speculate that companies are seeking revenge or retaliation, or taking justice into their own hands; in that
case, Dmitri Alperovitch has outlined four key elements to focus on when dealing with active defense [14]:

1. "Real-time detection" of data breach attempts on our systems and networks, with a focus on discovering
explicit aspects that can identify the purpose of the attacks and the fingerprints of the technologies involved,
as opposed to other simplistic metrics that won't help in investigating the attack [14].

Today, companies have a wide variety of detection methods to choose from. We are witnessing growth in the
market for real-time discovery, which is producing an impressive blend of mechanisms that
enhance endpoint detection, fully integrated log and event management, and big data analytics.

As a result of monitoring and advances in analysis, detection times are reduced to minutes while keeping
false positive rates down. Furthermore, security solutions are making a comprehensive effort to correlate events
from anywhere across the organization, allowing, for instance, the identification of phishing campaigns and
botnet attack campaigns, among others.

2. "Attribution of threat actors" is an important step in security intelligence: that information can help us understand
the purpose of the attack and what they are looking for, identifying not only the direct attackers but also those
who ordered the attack or backed it financially [14].

For some years we have focused on different Data Loss Prevention (DLP) solutions that protect companies'
sensitive data from attackers who may attempt to disclose it, endanger its integrity, destroy it, or transfer
it out of managed systems.

Now there must be other possibilities to counter-attack if the cyber criminals manage to breach the defenses;
for example, decoy files can be planted that appear compelling enough for the cyber pirate to grab
and open. Such a decoy file would contain bogus data but also malware that geolocates the attacker,
identifies the route of connections the attacker is using, and enables a backdoor communication channel with the
victim company's incident response team. Through this malware it would be possible to capture webcam
pictures of the attacker and also to detect the data possibly stolen from the company, in order to recover it.

3. "Flexibility of response actions", as it is critical to deploy every defensive focus at hand: this incorporates
conventional passive defense systems but also enhances them with deception security tools, which try
to provide misleading or obscure results to the attacker's tools, or engage them with fake services that
only buy the company more time to collect data about the technology in the invader's hands [14].

This element involves the use of different kinds of honeypots and IDS, but also deception tools whereby
the company's network presents the attacker with more elements of corrupt information that seem
genuine than real services and servers, in order to subtly deceive them to the point where the hacker is
caught between what is real and what is fabricated.

This strategy of using honeypots and deception resources provides two important advantages. First, every
time the monitoring tools detect traffic to them, it is a safe bet that malicious activity is in progress, and
since there is no reason for a genuine user or application to reach these lures, there is a very low chance of
false positives.

4. "Intelligence dissemination": it is not only about the campaign of attacks against one company, but also about
being able to exchange intelligence with other organizations or governments that could be potential victims. The
idea is to assist the legal processes brought against the interests of the attackers and of those
who finance them [14].

There are international laws associated with the global internet that prevent access to information on a
particular machine without the owner's authorization. On the other hand, it is believed that companies
have the right to defend persons or property. Therefore the organization, through its business management
("not the IT department"), can make the decision to carry out some action against its attacker, taking
responsibility for it.

From this point of view, active defense seeks the authorization of the State for the private sector to
initiate a defense in the cyber world as is done in the physical world. Policy enforcers protect government
property, but they do not have the resources to protect its equivalent in the cyber world.

Hack-back actions are performed on the servers from which the attack is believed to originate. That is why active
defense seeks to apply aggressive tactics, which imply legally obtaining the data that were stolen and exposing the
identity of the attackers and their motivations.

However, companies are not alone; there are plenty of institutions around the world that can help locate
attackers, such as Computer Emergency Response Teams (CERTs) and Computer Security Incident
Response Teams (CSIRTs), which are public and private institutions in many regions around the world. These
teams are responsible for handling security incidents. If an attack is detected from a certain IP address that
comes under a specific CERT/CSIRT, that CERT is contacted directly or through the closest CERT/CSIRT.
The evidence of the attack is provided and explained, and then the rules are followed to address that incident
[15].
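As an added example of elements 1 and 3 above (real-time detection with event correlation across sources, and the low false-positive property of decoys), the following correlator was written for this document; it is not code from Alperovitch or CrowdStrike, and the decoy inventory, host names, user names and log lines are all constructed:

```python
"""Decoy-aware event correlation (constructed example; not Alperovitch's or CrowdStrike's code).

Events are constructed key=value log lines. Any event that touches a decoy asset
(a honeypot host, a planted file, a canary account) is treated as high confidence,
because no legitimate user or application has a reason to reach it. The other
events from the same source within a time window are then pulled into one
incident as context, instead of each being an alert of its own.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed decoy inventory; in practice it would come from the deception platform.
DECOYS = {
    "hosts": {"decoy-db01"},                       # honeypot host, referenced by no real service
    "paths": {"/finance/decoy_payroll.xlsx"},       # planted file on a real file server
    "accounts": {"svc_backup_canary"},             # canary account that nothing legitimate uses
}

# Constructed sample log lines: timestamp, event kind, then key=value fields.
SAMPLE_LOG = """\
2016-10-10T09:12:01 auth host=fileserver01 user=jsmith result=fail src=10.0.5.22
2016-10-10T09:12:03 auth host=fileserver01 user=jsmith result=fail src=10.0.5.22
2016-10-10T09:12:08 auth host=fileserver01 user=jsmith result=ok src=10.0.5.22
2016-10-10T09:13:40 smb host=fileserver01 user=jsmith path=/finance/decoy_payroll.xlsx src=10.0.5.22
2016-10-10T09:14:02 auth host=decoy-db01 user=svc_backup_canary result=fail src=10.0.5.22
2016-10-10T09:20:00 smb host=fileserver01 user=amartin path=/finance/q3_report.xlsx src=10.0.7.9
2016-10-10T09:21:30 auth host=fileserver01 user=amartin result=fail src=10.0.7.9
"""


def parse_line(line: str) -> dict:
    """Turn one constructed log line into a dict with a parsed timestamp."""
    ts, kind, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    event["kind"] = kind
    return event


def decoy_hits(event: dict, decoys: dict = DECOYS) -> List[str]:
    """Return which decoy classes this single event touched (empty list if none)."""
    hits = []
    if event.get("host") in decoys["hosts"]:
        hits.append("host")
    if event.get("path") in decoys["paths"]:
        hits.append("path")
    if event.get("user") in decoys["accounts"]:
        hits.append("account")
    return hits


def correlate(log_text: str, decoys: dict = DECOYS,
              window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Build one high-severity incident per source IP that touched a decoy.

    Sources that only produced ordinary noise (a failed login, a normal file read)
    never become incidents: the decoy touch is the trigger, everything else is context.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    incidents: Dict[str, dict] = {}
    for ev in events:
        hits = decoy_hits(ev, decoys)
        if not hits:
            continue
        inc = incidents.setdefault(ev["src"], {
            "severity": "high", "first_touch": ev["ts"],
            "decoy_touches": [], "failed_logins": 0, "timeline": [],
        })
        inc["decoy_touches"].append((ev["kind"], hits))
    # Second pass: attach the surrounding activity of each flagged source.
    for src, inc in incidents.items():
        for ev in events:
            if ev["src"] == src and abs(ev["ts"] - inc["first_touch"]) <= window:
                inc["timeline"].append(ev)
                if ev["kind"] == "auth" and ev.get("result") == "fail":
                    inc["failed_logins"] += 1
    return incidents


if __name__ == "__main__":
    for src, inc in correlate(SAMPLE_LOG).items():
        print(f"{src}: severity={inc['severity']} decoy_touches={inc['decoy_touches']} "
              f"failed_logins={inc['failed_logins']} events_in_window={len(inc['timeline'])}")
```

With the constructed log, only 10.0.5.22 becomes an incident: it read the planted spreadsheet and then tried a canary account on the honeypot host, and the three earlier failed logins are attached as context. The source 10.0.7.9, which merely failed one login on a real server, produces nothing, which is the low-false-positive property the text describes.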

The Georgia Case:

This is one of the most appropriate practical examples of active defense. The CERT of the government of the Republic
of Georgia issued a report describing an incident they examined in March 2011, which they believed
was cyber espionage.

Incident description:

The CERT team discovered Georgian news websites infected with malware that was not recognized by
any antivirus at the time. That 0-day malware enabled remote control of the infected machine and started
looking for documents that included specific words like "USA", "NATO", "Russia", "EU", "CIA", "Intel", "KGB",
"weapon", "service", "secret", "army", among others [16]. It also allowed the attacker to capture video and audio
from the camera and microphone of each affected computer.

The affected websites had the script hidden in particular news articles, related to Caucasus energy and infrastructure
and to agreements between NATO and the Republic of Georgia, among others.

This led to the conclusion that the attack was directed at people interested in these topics, most probably government
institutions. The CERT-Georgia report explains that "despite Security Defensive measure's and Software used on
targets Computer and Network Systems. Threat was highly encrypted and used contemporary stealthy techniques so
that none of security tools could identify it." [17]

The report also explained that it was not a single attack but a campaign that lasted more than a year, with at least 9
Command and Control servers in use at different locations in 5 different countries. 70% of the 390
infected computers were located in Georgia, as they were able to reckon from accessing the C&C servers, but there were
also infected computers in the United States, Ukraine, France, China, Germany and Russia.

During that period the malware was updated a few times to become stealthier and harder to decipher, just as it changed
its attack vectors and scanning capabilities. The malware was so precise in its targeting that, before installing itself, it
checked that the timezone set on the computer matched the Georgian timezone. The report states that "Most Georgian
Infected computers were from our Governmental Agencies and Critical Information Infrastructures."

Incident handling

Following the international standards applied to incident handling, CERT-Georgia first ordered the country's three
main Internet service providers to block all IPs assigned to the C&C servers, as an immediate response. They then
proceeded to identify all the computers infected with the malware and started to provide mitigation strategies and
cleaning tools to the infected agencies and institutions that CERT-Georgia is responsible for.

Then they shared all the information they had about the malware and the C&C software with antivirus companies
and IDS and IPS solution providers. They also distributed this data to various public blacklist and blocklist services for
further analysis and for the creation of signatures to detect the malware, as well as heuristic tests to catch the malware's
actions.

They started to cooperate with the FBI, then with the Department of Homeland Security, the US Secret Service, US-CERT,
CERT-BUND from Germany, CERT-UA from Ukraine, CERT-Polska and the Microsoft Cybersecurity
Division.

Then they proceeded to shut down the attacking servers at the hosting providers by contacting their respective abuse teams.

Finally, they contacted law enforcement agencies to obtain log files and system images for forensic analysis.
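The first three handling steps above (blocking the C&C addresses at the perimeter, identifying the infected machines, and sharing indicators with vendors and blocklist services) as a worked example added to this document. It is not CERT-Georgia's tooling; the indicators use documentation-reserved addresses and the `.invalid` TLD as placeholders, and the log lines are constructed, because the report's actual addresses are not reproduced on this page:

```python
"""Containment helpers for a C&C campaign (constructed example, not CERT-Georgia's tooling).

Given a list of command-and-control indicators, the code (1) finds internal hosts
that contacted them in DNS/firewall logs, (2) emits perimeter blocking rules, and
(3) exports the indicators as plain CSV for antivirus, IDS/IPS and blocklist providers.
"""
import csv
import io
import ipaddress
from typing import Dict, List, Set

# Constructed indicators: documentation ranges (RFC 5737) and a .invalid domain as placeholders.
CNC_INDICATORS = [
    {"type": "ipv4", "value": "192.0.2.10", "note": "CONSTRUCTED C&C placeholder"},
    {"type": "ipv4", "value": "198.51.100.7", "note": "CONSTRUCTED C&C placeholder"},
    {"type": "domain", "value": "update-check.example.invalid", "note": "CONSTRUCTED C&C domain"},
]

# Constructed log lines: `dns <client> <query> <answer>` and `fw <src> <dst> <dport>`.
SAMPLE_LOG = """\
dns 10.1.1.5 update-check.example.invalid 192.0.2.10
fw 10.1.1.5 192.0.2.10 443
dns 10.1.2.8 www.example.com 203.0.113.34
fw 10.1.2.8 198.51.100.7 8080
fw 10.1.3.3 203.0.113.34 443
"""


def indicator_sets(indicators: List[dict] = CNC_INDICATORS) -> Dict[str, Set[str]]:
    """Group indicator values by type for fast membership tests."""
    sets: Dict[str, Set[str]] = {"ipv4": set(), "domain": set()}
    for ioc in indicators:
        sets[ioc["type"]].add(ioc["value"])
    return sets


def infected_hosts(log_text: str, indicators: List[dict] = CNC_INDICATORS) -> Dict[str, List[str]]:
    """Map each internal client to the indicators it resolved or connected to.

    Both a DNS query for a C&C domain and a firewall connection to a C&C address count,
    so a host is caught whether its traffic was seen at the resolver or at the perimeter.
    """
    sets = indicator_sets(indicators)
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind, client, target, extra = line.split()
        matched = []
        if kind == "dns":
            if target in sets["domain"]:
                matched.append(target)
            if extra in sets["ipv4"]:          # the answer itself may be a known C&C address
                matched.append(extra)
        elif kind == "fw" and target in sets["ipv4"]:
            matched.append(target)
        for m in matched:
            hits.setdefault(client, [])
            if m not in hits[client]:
                hits[client].append(m)
    return hits


def iptables_rules(indicators: List[dict] = CNC_INDICATORS) -> List[str]:
    """Log and then drop forwarded traffic to each C&C address.

    Logging before dropping keeps producing evidence of which internal hosts
    still try to reach the servers after the block is in place.
    """
    rules = []
    for ip in sorted(indicator_sets(indicators)["ipv4"], key=ipaddress.ip_address):
        rules.append(f"iptables -A FORWARD -d {ip} -j LOG --log-prefix 'CNC-BLOCK '")
        rules.append(f"iptables -A FORWARD -d {ip} -j DROP")
    return rules


def export_csv(indicators: List[dict] = CNC_INDICATORS) -> str:
    """Plain CSV of the indicators, the simplest form to hand to vendors and blocklists."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["type", "value", "note"])
    writer.writeheader()
    writer.writerows(indicators)
    return buf.getvalue()


if __name__ == "__main__":
    for host, iocs in infected_hosts(SAMPLE_LOG).items():
        print(f"infected: {host} -> {', '.join(iocs)}")
    print("\n".join(iptables_rules()))
    print(export_csv())
```

Against the constructed log, 10.1.1.5 is flagged twice over (the DNS query for the C&C domain and the connection to its address) and 10.1.2.8 once, while 10.1.3.3 only talked to an unrelated address and stays clean; the same indicator list then drives both the block rules and the CSV that is shared outward.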

Results:

CERT-Georgia discovered that hackers from Russia were attacking their systems; the IPs and DNS deployed
belonged to the "Russian Business Network" and were in turn shared with the "Russian Ministry of Defense Research
Institute" called "Center for Research of Military Strength of Foreign Countries".

They also managed to associate the attacks with the Russian Ministry of Internal Affairs, Department of Logistics, which
is located right next to the Federal Security Service of the Russian Federation (FSB) in Moscow. They managed to
physically locate the places where those institutions are situated in Russia [16][17][18].

Dmitri's approach in action:

The following is an exceptional example of an active defense counter-attack. The CERT team decided to infect a
controlled computer in the CERT-Georgia labs with the attacker's malware, with their own piece of code attached
to it, which was designed to attack the attacker himself.

Hacker's picture from his own webcam by malware [17]

The hacker fell for it: he downloaded the zip file with the malware that the CERT had created, and when he unzipped the
file he unknowingly executed the malware made by the CERT, which was attached to other bogus files as a distraction.
This malware opened a backdoor on the attacker's personal computer and gave the CERT team access to his
system. They managed to record video and captured him creating new malicious modules; they also obtained a
Russian document from an email in which he was giving someone instructions on using the malicious software and
how to infect targets [17][18].

The CERT was able to gather important information about him, including his location, ISP and email address,
among other details.

It is crucial to highlight the work carried out in collaboration with public and private institutions around the world.
Many institutions can be included according to the activities they perform: for instance, incident management
by the different CERTs, the intelligence and ethical hacking work of agencies such as the FBI, the Department of
Homeland Security, the US Secret Service and the Microsoft Cybersecurity Division, and digital forensics by law
enforcement agencies.

Had Marcus's approach been followed for the defense, the government would not have been able to disable the command
and control servers; they would not have found the affected computers, nor would they have identified the attacker.

The Government of Georgia would have sustained much more damage, since the malware used by the attackers was a
0-day at the time and there was no public information about how to detect or eliminate it. Marcus would probably
have asked to start developing a brand new security system from scratch for all government institutions, which would have
taken several months to create, test, distribute and train people to use, and could have cost several million dollars.

References:

[1] Ranum M. Marcus Ranum | SecurityWeek.Com [Internet]. Securityweek.com. 2016 [cited 10 October 2016].
Available from: http://www.securityweek.com/authors/marcus-ranum

[2] Alperovitch D. [Internet]. Crunchbase. 2016 [cited 10 October 2016]. Available from:
http://www.crunchbase.com/person/dmitri-alperovitch#/entity

[3] J. Holdaway, E. (2001). ACTIVE COMPUTER NETWORK DEFENSE: AN ASSESSMENT. 1st ed. p.10.

[4] D’Ottavi A. Interview: Marcus J. Ranum, the "father" of the firewall [Internet]. Infoservi.it. 2003 [cited 10 October
2016]. Available from: http://www.infoservi.it/interview-marcus-j-ranum-the-father-of-the-firewall/1057

[5] Ranum M. Marcus J. Ranum [Internet]. Ranum.com. n.d. [cited 13 October 2016]. Available from:
http://www.ranum.com/security/computer_security/editorials/skillsets/

[6] M. Ranum, "The Six Dumbest Ideas in Computer Security", Ranum.com, 2016. [Online]. Available:
http://www.ranum.com/security/computer_security/editorials/dumb/index.html. [Accessed: 12- Oct- 2016]

[7] Ranum M. What Sun Tzu Would Say [Internet]. Ranum.com. 2004 [cited 14 October 2016]. Available from:
http://www.ranum.com/security/computer_security/editorials/master-tzu/index.html

[8] Ranum M. Search Engine Stuffing Defacement [Internet]. Ranum.com. 2007 [cited 11 October 2016]. Available
from: http://www.ranum.com/security/computer_security/editorials/google-defacement/index.html

[9] H. Video, "Heartbleed Bug Infests 70% of the Internet! (Infographic & Video) | ASecureLife.com",
ASecureLife.com, 2014. [Online]. Available: http://www.asecurelife.com/heartbleed-bug/. [Accessed: 14- Oct- 2016]

[10] Munroe, R. (n.d.). Heartbleed Explanation. [image] Available at: https://xkcd.com/1354/ [Accessed 12 Oct. 2016]

[11] Campbell M, Hodges J, Webb A. TalkTalk Attack Shows Firms Have No Place to Hide From Hackers [Internet].
Bloomberg.com. 2015 [cited 10 October 2016]. Available from: https://www.bloomberg.com/news/articles/2015-10-
25/talktalk-attack-shows-firms-have-no-place-to-hide-from-hackers

[12] McCandless D. World’s Biggest Data Breaches & Hacks — Information is Beautiful [Internet]. Information is
Beautiful. 2016 [cited 10 October 2016]. Available from:
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks

[13] Ranum M. The Best Defense Is a Strong Defense. Never Fight a Land War in Cyberspace. [Internet]. Fabius
Maximus website. 2015 [cited 10 October 2016]. Available from: https://fabiusmaximus.com/2015/02/23/cyberwar-
attack-defense-tactics-79170/#more-79170

[14] Alperovitch D. Active Defense: Time for a New Security Strategy - Adversary Manifesto [Internet]. CrowdStrike.
2013 [cited 10 October 2016]. Available from: https://www.crowdstrike.com/blog/active-defense-time-new-security-
strategy/

[15] R. Ruefle, "Defining Computer Security Incident Response Teams | US-CERT", Us-cert.gov, 2016. [Online].
Available: https://www.us-cert.gov/bsi/articles/best-practices/incident-management/defining-computer-security-
incident-response-teams. [Accessed: 17- Oct- 2016]

[16] "Win32/Georbot – Information Stealing Trojan and Botnet Operating in Georgia", Eset.com, 2012. [Online].
Available: https://www.eset.com/me-ar/about/press/articles/article/win32georbot-information-stealing-trojan-and-
botnet-operating-in-georgia/. [Accessed: 21- Mar- 2012]

[17] Computer Emergency Response Team (CERT.gov.ge), a subsidiary division of Data Exchange Agency of the
Ministry of Justice of Georgia. CYBER ESPIONAGE Against Georgian Government. Tbilisi: Data Exchange Agency
of the Ministry of Justice of Georgia; 2012 p. 1-27.

[18] J. Leyden, "To Russia with Love? Georgia snaps 'cyber-spy' with his own cam", Theregister.co.uk, 2012.
[Online]. Available: http://www.theregister.co.uk/2012/10/31/georgia_russia_counter_intelligence/. [Accessed: 16-
Oct- 2016]

[19] G. Weinberg, "Gerald Weinberg - Wikiquote", En.wikiquote.org, 2016. [Online]. Available:
https://en.wikiquote.org/wiki/Gerald_Weinberg. [Accessed: 17- Oct- 2016]
