During the keynote address of RSA Conference 2016, RSA President Amit Yoran called on companies and organizations to leverage their skilled workforce to pursue an offensive approach against hackers. Online adversaries are increasing in number and are getting more skilled and sophisticated, so some defence teams try to adapt to that new operating environment by utilizing non-traditional measures such as Information Operations. This comes as no surprise, since it has been reported that prominent corporate entities and nation states have done so in the past. These measures, Information Operations among them, might blur the lines between an attacker and a defender.
Information Operations allow defenders, i.e. companies and organizations, to profile adversaries after a successful attack against them and use this knowledge to build up their defences. Two tactics of Information Operations are Active Defence and Offensive Countermeasures. Active Defence is an act of information gathering, while an Offensive Countermeasure (commonly referred to as "hack back") is a counter-attack. Information Operations require one or more defence and mitigation activities to be successful. The most applicable are: deny, disrupt, degrade, or deceive, and they should ideally be executed without the adversary being aware that they are being used as a source of information.
The topic of Information Operations is controversial, yet fruitful. This note presents the concept, its merits, and its dangers, to allow readers to make a more informed decision about it.
Active Defence and Offensive Countermeasures
Active Defence is defined as a collection of intelligence capabilities that operate in an adaptive and monitored environment. These capabilities are deployed with the purpose of gaining knowledge about an adversary's operations: e.g. motive, tools, and sophistication.
An example of a realistic Active Defence deployment can be the utilization of an isolated environment, configured and enriched with information that would closely resemble a real one, and with the capability to track all movements of an attacker with high verbosity.
Offensive Countermeasures aim to source all required intelligence about an adversary's operations, e.g. motive, tools, and sophistication, through the compromise of the adversary's environment.
An example of an Offensive Countermeasure would be using weaponized, decoy, seemingly high-value documents and allowing them to be accessible to a medium-skilled adversary. Opening such documents would result in code execution and the compromise of the adversary's system.
Information Operations: Activities and Proportionality
Information Operations are more effective when combining the following activities with proportionality.
Deny. This action prevents an attack from being effective. For example, denying noisy traffic related to automated web attacks, while allowing traffic related to custom-crafted attacks.
Disrupt. Interrupt an attack at the point where defenders have learned enough about an adversary. Example: allow an attacker to make use of his tools and techniques, and disrupt him just before the exfiltration stage.
Degrade. Make the attack conditions and the "user experience" unbearable for an attacker. For example, by throttling their bandwidth to a very low rate, making the attack inefficient.
Deceive. Trick the attacker into believing that he operates within a realistic environment, while we study his actions. For example, by utilizing assets that are isolated and purposefully similar to a real environment.
Depicting proportionality – two examples to avoid:
Ethical and Legal
Since an Information Operation might be an act of aggression, it sparks many ethical and legal considerations about its applicability. Victims do not have the right to become vigilantes, and depending on the jurisdiction, it may even be illegal.
In 2013 the Dutch government introduced legislation that allowed law enforcement to perform information operations against suspects. In EU legislation there is no distinction between an ethical and a malicious attacker. The Budapest Convention on Cybercrime has no provisions on performing Information Operations. Thus applying Information Operations within the EU is a grey area, without a legislative framework or specific guidelines.
With a plethora of off-the-shelf criminal tools available to low-skilled adversaries, it is quite common that what appears to be an attack's source is in fact only a proxy. It is also possible that the adversary plants artefacts pointing to other actors. Making sure that the defenders get the right adversary is thus a challenge.
The difficulty of attribution increases the risk for defenders of executing an Information Operation against an infrastructure that is used as a proxy and does not belong to the attacker. Attribution is closely tied to the ethical and legal considerations, since not only would defenders be carrying out an act of aggression, but it might also be directed against an innocent third party. Such unwarranted aggression can significantly contribute to a loss of reputation and legal damage.
An often less considered side-effect is the adversaries' reaction, should they become aware of an Information Operation against them. As mentioned before, it might lead to the adversary operating in a more controlled manner, but it might also spark a second (and possibly more sophisticated) wave of attack with a greater magnitude than the first one.
In light of the arms race between attackers and defenders, Information Operations are a strong tool to learn more about adversaries. However, they come with several severe risks, which could deter most teams from using them. The lack of an EU legislative framework is also a limiting factor in executing Information Operations consistently across Member States.
While proper use of Information Operations may provide defenders with a significant advantage over their adversaries, it is highly recommended to take into consideration not only the applicable law, but also all possible technical and ethical implications that might arise.