Friday, March 24, 2006

Hackers and Guerrillas: Information Security and Lessons from History

Casually skim through any five books on hacking and information security the next time you are in the computer section of Borders. Guaranteed, four out of five, if not all five, will explicitly draw comparisons between cyber security and military science. Titles like "Know Your Enemy" and "Cyber War" use terms like "attack", "reconnaissance" and "Defense in Depth". Business texts also tend to go a bit overboard with Sun Tzu and Clausewitz, almost as if General Electric should be building up armored divisions to launch their next marketing campaign.

In the case of Cyber Security, the analogies are not that far off. Truly, no one is getting bombed or strafed, and the worst casualties are blunted careers, defrauded banks, wasted time and the occasional prosecution. Still, malicious hackers and the opposing security teams are engaged in something more like war than, say, a football game or competitive marketing. Consider that, like war:

- There are targets defended by security groups and their attending systems.
- There are attackers attempting to breach these targets using their skill and systems.
- Breaching or disabling the system provides gain for the attacker and loss to the defender, even if the gain is the knowledge of the damage done to the target. It is a pure zero sum situation.
- The only rules are those imposed by the laws of nature and physics.

A few more minutes of thought would bring more parallels to light, but for now we can see the outline. Cyberwar really is cyber war.

One objection to this analysis may be that hackers have many motivations that are beyond simple economic gain. Max Kilger, Ofir Arkin and Jeff Stutzman, in their chapter on Profiling in the Honeynet Project's book "Know Your Enemy", make the argument that hackers are driven as much by the societal imperatives of their counter culture as they are by the lure of ill-gotten credit card numbers. If war is politics by other means, and if politics is in the end driven by economics, how then do we understand the need for hackers to exploit simply to impress fellow hackers?

Interestingly, the answer may be found in another modern work, John Keegan's "The History of Warfare". That distinguished historian and scholar makes a lucid and compelling argument that war, much to the chagrin of the realists, is a cultural phenomenon that is not necessarily tied to realpolitik or the dismal calculus of loss and gain. If nations can go to war because the culture demands that men prove themselves on the field of battle, what is different about a hacker proving his skill in an elegant exploit that brings down an e-commerce site?

It is useful to those of us in the security community to think on what kind of war we are fighting. Military theorists spend much time studying the history of war as a way of understanding present and future conflict. Technology advances can morph the tactics and change the damage profile, but the fundamental principles remain surprisingly invariant across time, across space and across technology. Perhaps this is true because, in the end, war is a human endeavor. If we can categorize modern hacking as a form of understood warfare, then at an operational and strategic level we can use it as a model for our own actions and as a guide to solutions.

Simple reflection gives us a hypothesis, as it is obvious that hacking is not like the classic stand-up fight between armies. (Though some days security professionals feel a lot like Custer at the Little Bighorn.) Malicious hacking shares common characteristics with three conflict styles: guerilla war as practiced in the twentieth and twenty-first centuries, submarine warfare of the last eighty years and the barbarian raids of ancient times. We will leave the ax-wielding savages and the U-boats for another time and article, and focus on guerrillas.

Mao's book on guerilla war is the best basic reference on insurgencies. To paraphrase from Mao:

- Win the hearts and minds of the people
- Fight where the enemy is weak, retreat where he is strong
- Secure bases are critical
- Stay decentralized; cells are isolated from each other
- Strive to have better intelligence than the government
- Stay mobile, stay flexible. Use tactical innovation to counter government superiority in numbers and materiel
- Live off the enemy

There is more, but this is enough to draw some parallels to hacking. Mao saw the population as a sea and the guerilla as a fish that swam in that sea. Now, clearly the hearts and minds of the computer-using populace are not with the hackers (except for maybe a few anarchist webizens), but in this case it is not the mind of the owner that matters, but the processor of the computer.

Parallel One: hackers view the mass of poorly secured home and small office PCs as the populace to win and use. It is the "sea" that he swims in. Also, just as Mao sees the populace as a necessary source of supplies and intelligence, the hacker sees the home computer as a necessary source of processing power and storage. I learned this one some years back when, as a neophyte user of DSL, I found one day that my laptop was hosting, among other things, an IRC chat server.

Parallel Two of note is the need for secure bases. In every case, the insurgent invariably must set up secure base areas, preferably across an international border, where they can rest and re-supply away from the danger of the government security forces. For the hackers of today, that is often accomplished by being located in a country other than the one where the targets are located. In particular, the more dangerous, profit-motivated hacking groups of recent years are located in countries where law enforcement is practically an impossibility (think former Eastern Bloc, China and India). In the US, for example, there is always the possibility that a hacker in Connecticut could be tracked and prosecuted. If not a deterrent, at least this fact makes the hacker's job harder and forces more caution. A foreign-based hacking gang can launch attacks with impunity; the only thing risked is time.

The rest of the list can be summarized in Parallel Three. Like the guerilla, the hacker adopts tactics to seize and keep the initiative, choosing the time and avenue of attack. He pursues and exploits weakness; when faced with strength or risk, he breaks off quickly, re-groups and starts probing for a new weak spot. This can be very frustrating and demoralizing for security forces and security departments alike.

It is possible to take the analogies too far, but clearly government security forces in an insurgency and information security teams face a similar nightmare scenario: immobilized behind static defenses in a hostile, or at least an insecure, populace, waiting for the next attack from an enemy that has both initiative and a safe place of retreat. For the information security professional, in the new world of organized hacker crime networks, it presents a question not of if, but when, they are going to be cracked, against a backdrop of ever-increasing hardware, software and personnel expense devoted to information defense.

What the study of counter insurgency does is give us a few new ways of thinking about information security. Firstly, it points out the potential ultimate futility of just investing increasing dollars and hardware to defeat a mobile, flexible attacker (think Vietnam). Secondly, as counter insurgency experts have learned, victory is less about technology and more about properly addressing the strategic requirements of the insurgent. Let's focus on three concepts from counter insurgency and see how they can address computer security.

1. Deny the insurgent a friendly populace. For a security force, it means taking action to defend the populace from the insurgent, seeing to the populace's welfare and winning the people's hearts and minds away from the guerilla. From an information security perspective, the populace is the vast number of personal computers that are sitting, unprotected, on a broadband connection.

The state of the internet today results in most installations being improperly patched, with poorly maintained or non-existent anti-virus and firewall technology. This provides the hacking community with unlimited computing resources that can be used in sophisticated attacks against more valuable targets. These systems also provide a small source of easy revenue.

The web community needs to start moving these systems into defended and managed networks, much like a government would relocate populations to defended hamlets to better protect and provide for the populace. To be successful, any such policy should provide benefits to users for participation (better online security, protection from hackers) and consequences for the user not taking steps to protect their machine. An example would be greater responsibility for losses incurred or caused due to improper protection.

AOL and Earthlink, among others, provide such services today. What is now needed is a concerted push by technology and financial companies to get the job completed, in a way that is both a net positive for the consumer and protective of their privacy rights. If every machine connected to an ISP were part of a Defended ISP Security Zone, hackers would be denied access to a critical resource.

2. Seal off the borders. The British succeeded in Malaysia partly because they could and did seal off insurgents from their cross-border bases. In the same way, the web and financial community needs to incent countries that turn a blind eye to hacking to start taking computer crime seriously and act aggressively to close down hacking rings. This will be a very hard task that will take time. However, the community needs to start the work now. One step might be to devise a series of sanctions among ISPs and, at a minimum, get each country's ISPs serious about responding to intrusion attempts, blocking the sources and referring cases to law enforcement. If it seems like too much trouble, think about what you would do if thieves could rob your house and then simply cross the county line to escape prosecution.

3. Take the initiative. The security community as a group needs to get off the defensive and on to the offensive. While counter-hacking attacks are a no-no, I think that the Honeynet Project is an example of a good start and methodology. Another thing to Google is Microsoft's HoneyMonkey project, where "honey monkey" machines crawl the web looking for and identifying websites that exploit visitors or launch spyware. What is needed is cross-industry support, cooperation and perhaps legislation providing legal protection to honeynet operators and incentives to companies to participate.

The final lesson of counter insurgency is the need for coordinating actions. Groups working in a vacuum or without a central strategy, no matter how well intentioned, will be only marginally effective and possibly counterproductive. Remember, the insurgent by definition seeks and exploits gaps in the security structure of a target country. Nothing creates gaps and wastes valuable resources like uncoordinated effort by the counter insurgent.

A great model for coordination is the VISA CISP program, where companies that want to utilize the VISA network must agree to, and be audited on, a standard set of security practices and policies. One can imagine a web e-commerce association, led by major ISPs and financial networks, that could coordinate these kinds of policies across the web.

All of us that are on the internet for peaceful and beneficial reasons are smack dab in the middle of a guerilla war. If we want to be successful, we cannot just hide in our firebases while the bad guys run wild. We need to get coordinated, we need to take the initiative, we need to get the people into defended zones and starve the hackers, isolate them and shut them down.
