
CERT’s with Teeth?

Joe Stewart of SecureWorks recently went on record as favoring giving Computer Emergency Response Teams (CERTs) the authority to engage in operations that disrupt attackers’ activities. In a recent SecurityFocus posting, Stewart propounded that when attacks occur, the attention of those who respond to the incident should be on the perpetrators of the attack, not on the attacks themselves. This strategy, Stewart argues, will disrupt the attacker’s ability to perpetrate further attacks, and will also greatly increase the risk associated with perpetrating attacks on systems, thereby potentially decreasing the likelihood that perpetrators will actually carry out attacks that they have planned. Stewart has touted the model of South Korea’s CERT, which has the power to crash entire domains or (if necessary) isolate parts of networks to thwart further attacks.

Stewart’s views are not exactly new. Almost seven years ago, in a SecurityFocus piece, an information security professional named Tim Mullin advocated striking back at attackers and infected machines. Mullin’s views were met with considerable resistance within the information security community, and perhaps not surprisingly, I have never seen any other such opinion piece by this person. Although similar, Stewart’s and Mullin’s views are not identical. Mullin’s advocacy of striking back smacks of a kind of vigilantism, the right to reprisal by any aggrieved person, whereas Stewart sees going on the counteroffensive as an option to be exercised only by CERT teams such as the US-CERT. CERT teams must almost without exception operate in accordance with approved procedures and are accountable to senior management or the equivalent. Therefore, if a CERT team brings down a host that is believed to be launching attacks, there is a better proverbial safety net around what they do than around a system administrator who is irritated by a series of attacks and thus, without consulting others, launches counterattacks against a perceived adversary.

CERTs have existed for over 20 years. Most of them have only the authority to analyze and advise. Has this model worked? The answer is “sort of,” at least in the case of some CERTs that have proven their value by developing sound incident response methodologies, training others to respond to incidents, sharing information and other resources with those who need them during incidents, and more. Despite the heroic efforts of some CERT teams, however, the number and variety of cyberattacks have grown to the point where things are now out of control. Attackers, particularly attackers whose attacks cross international boundaries, currently have very little to fear concerning possible apprehension by law enforcement, let alone the prospect of being convicted in a court of law. Perhaps if CERTs were given the authority to launch counteroffensive actions, there would be some kind of negative motivator for potential attackers.

But giving CERTs the authority to go on the counteroffensive would pose numerous additional risks. For one thing, there is always a possibility that a counteroffensive action will harm the wrong entity. After all, IP addresses are routinely spoofed, and many machines from which perpetrators launch attacks are owned and operated by members of the white hat community, but taken over temporarily by a perpetrator. Damaging such machines is akin to burning down the house of an innocent person because a criminal is holed up inside—it just does not make sense. Furthermore, there is no guarantee that CERT members will do the right things if they engage in counteroffensive actions. Finally, not every CERT, let alone every CERT team member, is technically proficient—a truly scary thought when it comes to striking back.

So—Stewart may be on to something. The present model by which we operate in cyberspace clearly isn’t working. We need to try something else. Clearly, Stewart’s views deserve careful consideration.
