Crime is still Crime! - SANS Internet Storm Center

Crime is still Crime!
Article from Network World: http://www.networkworld.com/news/2011/012011-retaliation-answer-cyber-attacks.html?hpg1=bn This may come off as somewhat of a rant but.. Disclosure given in advance. In this Handlers opinion there is no such thing as benevolent crime. Network world is running a piece that states "Is retaliation the answer to cyber attacks?" Pretty sure that I can speak for the handler team that if that was the answer we would be doing it. It might be a little bold to state that but I guarantee you that most of us have at least thought it occasionally. Now after reading this article in depth it does make some significant arguments for and against but law is the law. We have common international law, regional law and local law. It seems that government and local law enforcement should be the responsible parties for "retaliation or investigation." If we are at a point of taking the law into our own hands then perhaps it is evident that pressure should be placed on local and regional government to take Cybercrime serious. The article reminds me of a time in US History usually referred to as "The Old West" when law was sometimes conducted in what we here in the US of A call "Frontier Justice." There is probably reference to this in most cultural history and it seems that the Internet may still be in this phase of growth. The Internet Storm Center is dedicated to understanding and defending against the threat and before heeding the advice of "Retaliate" remember that you may be breaking the law in your local region. In several SANS classes they teach "Get Written Permission from the owner of the network." We teach this for a reason. So, to conclude, a quote from one of my favorite movies "You want that gun, pick it up. I wish you would." -- Rio Bravo, said by the late John Wayne as the character Chance. The concept that needs to be brought across is that things escalate, and you should weigh your decisions carefully as well as legal responsibilities. Question to the Diary readers? What are your thoughts on the subject? Richard Porter --- ISC Handler on Duty	Richard 173 Posts ISC Handler Jan 23rd 2011
Thread locked Subscribe	Jan 23rd 2011 1 decade ago
- http://www.firewallguide.com/ "... The Internet is a hostile network like the wild west without a sheriff!" ('Been there since site inception - 2000) "... gov't... take Cybercrime serious." I'm sure they do, but their resources are nowhere near any "balance of power" when compared to numbers like this: - http://www.ic3.gov/media/2010/100312.aspx March 12, 2010 - "... total loss linked to online fraud was $559.7 million..." - http://www.eset.com/blog/2010/03/17/were-not-talking-peanuts-here March 17, 2010 - "... these figures relate only to the USA. Multiply those amounts many times over to give you some idea of the size of the losses on a global basis ..." .	Jack 160 Posts
Quote	Jan 23rd 2011 1 decade ago
The book: Inside Cyber Warfare By: Jeffrey Carr Publisher: O'Reilly Media, Inc. discusses the international law aspects of when it is POSSIBLY acceptable for a NATION to retaliate in a cyber warfare situation. Retaliation by a non-nation i likely going to be considered a crime, and in certain situations could result in the target of the retaliation's nation justifiably launching military measures againt the nation harboring the retaliator; such measures are not necessarily limited to cyber actions!	Moriah 133 Posts
Quote	Jan 23rd 2011 1 decade ago
Well, some forms of retaliation seem perfectly valid. For example... null routing the source.. reporting the incident to DNS black lists.. Calling up ISPs to report traceable attacks, and request they disconnect the customer originating the attack... There are plenty of common perfectly legal ways to "retaliate" Attack responders taking the law into their own hands is more often required than not. Law enforcement generally can't or won't respond effectively to such matters. Obviously... there must be limits to any retaliation. Responding to an attack by launching a DoS is obviously bad; DoS is in effect an attack against innocent networks (generally). Responding to attack by launching an intrusion attempt, makes the "retaliater" just as guilty as the original attacker, and the argument they were attacked first does not excuse anything. If a baseball comes from your neighbor's yard, and smashes your window... you still go to jail if you run across the street and break down their front door with an axe for revenge.	Mysid 146 Posts
Quote	Jan 23rd 2011 1 decade ago
You would do well to consider the possibility that the Internet is a school playground; that all of the participants should be considered to be playing; and the best response to a form of play that you don't like is to 'ignore' and go find someone else to play with. 'Crime' is in the eye of the beholder, largely. Go look for California mining law, to see how land ownership was established in the 1840's in California. And how different that is from (say) land ownership in England now. Different again from France. Forgive if you can. Do not wager more than you can afford to lose. Others may legitimately not share your business goals. Competition is good, is what drives progress. On with IPv6 !!!	Mysid 9 Posts
Quote	Jan 23rd 2011 1 decade ago
While I agree in spirit with the 'crime is still crime' meme, I have to say that in some instances, some form of retaliation is necessary. 'Mysid' nailed this concept perfectly in his post referenced above. I'm not going to perpetrate a tit-for-tat DoS attack, but I will, however, contain the attack and otherwise block/monitor where it came from.	Peyton 6 Posts
Quote	Jan 23rd 2011 1 decade ago
I have to agree that a crime is crime. I put DNS blacklist reporting, null the source tc. as an increase in you defensive posture in response to an attack/crime. Counter-attack raises this to the crime level and that is were individuals need to be very careful. And in response to Chris' playground analogy. If the bully in the schoolyard was taking your lunch money, you wouldn't have the option to go play with someone else. The Internet is not an optional part of peoples life anymore. It is integrated into just about every aspect of our life.	Peyton 5 Posts
Quote	Jan 23rd 2011 1 decade ago
If you really want to think through the process of conducting computer network exploitation (CNE) or computer network attack (CNA) in retaliation for an attack on your own systems, then a good place to start is "Strategic Warfare in Cyberspace" by George Rattray. Pay particular attention to the issues around attack attribution and battle damage assessment. IOW, identifying the adversary and assessing how badly your retaliatory actions have hurt him/her are difficult issues independent of the question of criminality. Another good resource is Cyberdeterrence and Cyberwar by Martin Libicki which delves into whether or not classical "deterrence" is even practical in the cyber-realm.	Peyton 1 Posts
Quote	Jan 24th 2011 1 decade ago
In western society we believe that self defense is not a crime. If someone comes up to me on the street with a crowbar and attacks me, I take that crowbar and smash his skull in, that is NOT assault, murder, or manslaughter that is self defense within a reasonable amount of force based on the threat posed to you. In my opinion, if someone is deliberately attacking your systems, disrupting your service, threatening your customer data, or trying to steal sensitive company information, you have every right to do whatever is in your power to defend yourself, your company, and your network, without legal ramifications. I have had a number of time where I have had to take the law into my own hands as local, provincial(I'm in Canada) and even federal law enforcement just did not give a damn. I'm not saying hack into the system steal all the naked pictures of the attackers wife and plaster them on the internet, I'm saying that any attack which reasonably disables the attack source to a point where you feel comfortable that they will not attack you again is completely legitimate, just as defending yourself in a physical altercation which you did not start is completely acceptable and unpunishable.	Peyton 2 Posts
Quote	Jan 24th 2011 1 decade ago
An attack effects more than just the target. A counterattack would also effect more than just the target. Except in extreme circumstances both my be considered equally evil. MHO	Peyton 7 Posts
Quote	Jan 25th 2011 1 decade ago
SO how do you measure an "in-kind" counter attack in cyberspace? Your attacker could be coming from a 1000 zombies or redirectors. Retaliation against those "agents" could have far worse consequences, since under this paradigm, they could counter-counter attack	Peyton 5 Posts
Quote	Jan 25th 2011 1 decade ago
"In western society we believe that self defense is not a crime. If someone comes up to me on the street with a crowbar and attacks me, I take that crowbar and smash his skull in, that is NOT assault, murder, or manslaughter that is self defense within a reasonable amount of force based on the threat posed to you." I'm pretty sure you'd at least get manslaughter charges if you took the crowbar from your assailant and murdered him with it. If you took the crowbar (or whatever weapon) away from the assailant, it would be reasonably assumed that you eliminated or minimized the threat. Attacking the assailant at that point could be considered excessive. I agree that neutralizing threats should be the goal. That means blunting the attack or shutting off the access; it does not mean viciously counter attacking.	Jasey 93 Posts
Quote	Jan 26th 2011 1 decade ago

Article from Network World: http://www.networkworld.com/news/2011/012011-retaliation-answer-cyber-attacks.html?hpg1=bn

This may come off as somewhat of a rant but.. Disclosure given in advance.

In this Handlers opinion there is no such thing as benevolent crime. Network world is running a piece that states "Is retaliation the answer to cyber attacks?" Pretty sure that I can speak for the handler team that if that was the answer we would be doing it. It might be a little bold to state that but I guarantee you that most of us have at least thought it occasionally.

Now after reading this article in depth it does make some significant arguments for and against but law is the law. We have common international law, regional law and local law. It seems that government and local law enforcement should be the responsible parties for "retaliation or investigation." If we are at a point of taking the law into our own hands then perhaps it is evident that pressure should be placed on local and regional government to take Cybercrime serious.

The article reminds me of a time in US History usually referred to as "The Old West" when law was sometimes conducted in what we here in the US of A call "Frontier Justice." There is probably reference to this in most cultural history and it seems that the Internet may still be in this phase of growth.

The Internet Storm Center is dedicated to understanding and defending against the threat and
before heeding the advice of "Retaliate" remember that you may be breaking the law in your local region. In several SANS classes they teach "Get Written Permission from the owner of the network." We teach this for a reason.

So, to conclude, a quote from one of my favorite movies "You want that gun, pick it up. I wish you would." -- Rio Bravo, said by the late John Wayne as the character Chance. The concept that needs to be brought across is that things escalate, and you should weigh your decisions carefully as well as legal responsibilities.

Question to the Diary readers? What are your thoughts on the subject?

Richard Porter

--- ISC Handler on Duty

Richard

173 Posts
ISC Handler

Jan 23rd 2011

- http://www.firewallguide.com/
"... The Internet is a hostile network like the wild west without a sheriff!"
('Been there since site inception - 2000)

"... gov't... take Cybercrime serious."
I'm sure they do, but their resources are nowhere near any "balance of power" when compared to numbers like this:
- http://www.ic3.gov/media/2010/100312.aspx
March 12, 2010 - "... total loss linked to online fraud was $559.7 million..."
- http://www.eset.com/blog/2010/03/17/were-not-talking-peanuts-here
March 17, 2010 - "... these figures relate only to the USA. Multiply those amounts many times over to give you some idea of the size of the losses on a global basis ..."
.

Jack

160 Posts

The book: Inside Cyber Warfare
By: Jeffrey Carr
Publisher: O'Reilly Media, Inc.

discusses the international law aspects of when it is *POSSIBLY* acceptable for a *NATION* to retaliate in a cyber warfare situation. Retaliation by a non-nation i likely going to be considered a crime, and in certain situations could result in the target of the retaliation's nation justifiably launching military measures againt the nation harboring the retaliator; such measures are not necessarily limited to cyber actions!

Moriah

133 Posts

Well, some forms of retaliation seem perfectly valid. For example... null routing the source.. reporting the incident to DNS black lists..

Calling up ISPs to report traceable attacks, and request they disconnect the customer originating the attack...

There are plenty of common perfectly legal ways to "retaliate"

Attack responders taking the law into their own hands is more often required than not. Law enforcement generally can't or won't respond effectively to such matters.

Obviously... there must be limits to any retaliation. Responding to an attack by launching a DoS is obviously bad; DoS is in effect an attack against innocent networks (generally).

Responding to attack by launching an intrusion attempt, makes the "retaliater" just as guilty as the original attacker, and the argument they were attacked first does not excuse anything.

If a baseball comes from your neighbor's yard, and smashes your window... you still go to jail if you run across the street and break down their front door with an axe for revenge.

Mysid

146 Posts

You would do well to consider the possibility that the Internet is a school playground; that all of the participants should be considered to be playing; and the best response to a form of play that you don't like is to 'ignore' and go find someone else to play with.

'Crime' is in the eye of the beholder, largely. Go look for California mining law, to see how land ownership was established in the 1840's in California. And how different that is from (say) land ownership in England now. Different again from France.

Forgive if you can. Do not wager more than you can afford to lose. Others may legitimately not share your business goals. Competition is good, is what drives progress.

On with IPv6 !!!

Mysid
9 Posts

While I agree in spirit with the 'crime is still crime' meme, I have to say that in some instances, some form of retaliation is necessary. 'Mysid' nailed this concept perfectly in his post referenced above. I'm not going to perpetrate a tit-for-tat DoS attack, but I will, however, contain the attack and otherwise block/monitor where it came from.

Peyton

6 Posts

I have to agree that a crime is crime.

I put DNS blacklist reporting, null the source tc. as an increase in you defensive posture in response to an attack/crime.

Counter-attack raises this to the crime level and that is were individuals need to be very careful.

And in response to Chris' playground analogy. If the bully in the schoolyard was taking your lunch money, you wouldn't have the option to go play with someone else. The Internet is not an optional part of peoples life anymore. It is integrated into just about every aspect of our life.

Peyton
5 Posts

If you really want to think through the process of conducting computer network exploitation (CNE) or computer network attack (CNA) in retaliation for an attack on your own systems, then a good place to start is "Strategic Warfare in Cyberspace" by George Rattray. Pay particular attention to the issues around attack attribution and battle damage assessment.
IOW, identifying the adversary and assessing how badly your retaliatory actions have hurt him/her are difficult issues independent of the question of criminality.

Another good resource is Cyberdeterrence and Cyberwar by Martin Libicki which delves into whether or not classical "deterrence" is even practical in the cyber-realm.

Peyton
1 Posts

In western society we believe that self defense is not a crime. If someone comes up to me on the street with a crowbar and attacks me, I take that crowbar and smash his skull in, that is NOT assault, murder, or manslaughter that is self defense within a reasonable amount of force based on the threat posed to you. In my opinion, if someone is deliberately attacking your systems, disrupting your service, threatening your customer data, or trying to steal sensitive company information, you have every right to do whatever is in your power to defend yourself, your company, and your network, without legal ramifications. I have had a number of time where I have had to take the law into my own hands as local, provincial(I'm in Canada) and even federal law enforcement just did not give a damn. I'm not saying hack into the system steal all the naked pictures of the attackers wife and plaster them on the internet, I'm saying that any attack which reasonably disables the attack source to a point where you feel comfortable that they will not attack you again is completely legitimate, just as defending yourself in a physical altercation which you did not start is completely acceptable and unpunishable.

Peyton
2 Posts

An attack effects more than just the target.
A counterattack would also effect more than just the target.
Except in extreme circumstances both my be considered equally evil.
MHO

Peyton
7 Posts

SO how do you measure an "in-kind" counter attack in cyberspace? Your attacker could be coming from a 1000 zombies or redirectors. Retaliation against those "agents" could have far worse consequences, since under this paradigm, they could counter-counter attack

Peyton
5 Posts

"In western society we believe that self defense is not a crime. If someone comes up to me on the street with a crowbar and attacks me, I take that crowbar and smash his skull in, that is NOT assault, murder, or manslaughter that is self defense within a reasonable amount of force based on the threat posed to you."

I'm pretty sure you'd at least get manslaughter charges if you took the crowbar from your assailant and murdered him with it.

If you took the crowbar (or whatever weapon) away from the assailant, it would be reasonably assumed that you eliminated or minimized the threat. Attacking the assailant at that point could be considered excessive.

I agree that neutralizing threats should be the goal. That means blunting the attack or shutting off the access; it does not mean viciously counter attacking.

Jasey

93 Posts