Hide and go seek, not hide and go tweak

31 Jul 2013 David Dittrich active-response-continuum ethics humanitarian-law improper-ruse law-of-war tallinn-manual

On July 31, 2013, Jason Geffner of CrowdStrike discussed a new tool called “Tortilla” that allows incident responders and computer security researchers to hide behind the Tor network as they poke and prod malicious software infrastructure. Were I there, I would have asked Jason this question: What things should I not do while using Tortilla, and why shouldn’t I do them? I know Jason and respect his technical skills, but if he and CrowdStrike don’t have a good answer, that will say a lot about our field’s collective ability to reason about actions along the Active Response Continuum. [D. Dittrich and K. E. Himma. Active Response to Computer Intrusions. Chapter 182 in Vol. III, Handbook of Information Security, 2005.]

This may sound like a trick question to some, but it goes right to an important distinction in the way the international law of war and humanitarian law are structured so as to protect non-combatants. The first concept that must be understood is that of distinction, which means combatants can only legitimately target other combatants, and must avoid targeting innocent civilians, who are protected from hostilities under international laws of war and humanitarian laws. So innocent third parties who are not involved in conflict should not be harmed. This protected status of civilians and the requirement for distinction is one reason why combatants must wear uniforms (another being that they may lose combatant immunity and prisoner of war status: see the Tallinn Manual, Rule 26). [M. N. Schmitt. Tallinn Manual on the International Law Applicable to Cyber Warfare, December 2012. Prepared by the International Group of Experts at the Invitation of The NATO Cooperative Cyber Defence Centre of Excellence.] In a conflict, it is a war crime for a soldier to take off their uniform and put on civilian clothes before fighting, to fire their weapons from a vehicle marked as if it were a Red Cross or Red Crescent ambulance, to take up a fighting position in a church or mosque, or to establish operational military bases that are interspersed with civilian homes and shops. This is the issue that Tortilla raises, and it is known as an improper ruse: fooling the enemy into thinking the combatant is actually a protected non-combatant. As Rule 62 of the Tallinn Manual puts it, “Improper use of [distinctive] indicators jeopardizes identification of the protected persons and objects entitled to display them, undermines the future credibility of the indicators, and places persons and objects entitled to their protection at greater risk.”

Let me be very clear. The issue here is not whether someone using Tortilla is a combatant or not, but rather whether the things they are doing while using Tortilla to conceal their identity are increasing the risk of harm to innocent third parties. People who use the Tor network for legitimate reasons have a right to use the network without being subjected to counter-attack. Someone using the Tor network to simply visit web pages and perform what could be considered benign counter-reconnaissance may not look any different from normal Tor users. But just visiting web pages does not warrant a counter-attack. Now consider someone choosing to hide behind the Tor network to use it as a stepping stone to penetrate an adversary’s network, to “disrupt or destroy,” or to take other very aggressive actions that could result in a counter-counter-strike by the adversary. This is the (im)moral equivalent of firing weapons from a Red Cross truck, hiding behind innocent and protected parties around the globe, and putting those innocent and protected civilians at increased risk of harm. The risk vs. benefit distribution is not equal. The user of Tortilla who takes high-risk actions bears little if any actual risk – if Jason’s description of how well Tortilla works is correct, and I assume it is – while all of the risk is placed on the people who operate Tor exit nodes, who are the only visible “last hop” before the adversary’s network.

This is a major problem that many of those who advocate taking very aggressive actions against attackers (the things that fall into the “hacking back” end of the Active Response Continuum Level 4) rarely consider. If you do something aggressive from your own network, the adversary can see you do it and can fire back. And if someone says, “Well, we are not combatants so the laws of war don’t apply here,” I answer that the problem of putting innocent third parties at risk still exists and you still have a moral obligation to address it. This actually happened with the Mariposa Working Group botnet takedown, and the resulting fire-fight took innocent third parties using the same network as MWG members off-line for several hours under a barrage of DDoS packets. [“So You Want to Take Over a Botnet…,” by David Dittrich, Microsoft Digital Crimes Consortium 2013 meeting, Barcelona, Spain, February 2013.] If you hide yourself by blending in with major carrier broadband users, or hide behind the Tor network’s volunteer exit node operators, your actions could result in the same harm to innocent third parties from counter-fire being directed at the wrong party.

If there is no such caution against going too far with a tool like Tortilla, I feel morally obligated to question the ethics of making such tools public when they are promoted using provocative scenarios and aggressive language, while no rational warning or guidance on proper use is given to those who receive the tool. It is not sufficient to enable an improper ruse to be used in an aggressive cyber counter-attack and then say, “Hey! It was the guy who used the tool who is at fault, not me!” I believe there is a moral responsibility to exhibit integrity in these situations to minimize the harm that may result to innocent third parties. (I imagine the Tor folks might agree with this sentiment.) The recently released book by John Strand and Paul Asadoorian includes cautions that explicitly discuss Tor exit nodes, though in the counter-attack context, not the counter-counter-attack one raised here: “[Never], ever launch directed attacks against an attacker’s IP address. This can backfire in a number of different and awesome ways. For example, you may be attacking an IP address, which is part of a botnet – on a system host in DoD IP address space. Second, you could be attacking a TOR exit node.” If no guidance and caution against getting too aggressive while using Tortilla is provided, another of Strand and Asadoorian’s cautions is applicable: “It just takes a few dumb moves in a few public situations and we are sunk. Let’s keep active defenses going by being smart.” [J. Strand, P. Asadoorian, E. Robish, and B. Donnelly. Offensive Countermeasures: The Art of Active Defense. PaulDotCom, 2013.]

Rather than just say what not to do, let me say what I have done in the past to deal with this situation. I have opted to hide in plain sight, which could involve using the same IP addresses as systems within my own network that have been compromised so the attacker would only see connections that they believed were “legitimate” (i.e., coming from their own actions of compromising computers), and have only gone so far as to do things that would appear as “normal” (or perhaps just “bugs” in the attacker’s own software) instead of things that would look like a hostile attack. For example, when performing initial experiments with enumerating the Nugache P2P botnet, we took our “honeypot” offline and used its address for the enumeration scans and did other things to be as undetectable as possible, later switching back to the honeypot so the attacker (if they looked) would see everything appear as normal as possible. [D. Dittrich and S. Dietrich. Discovery techniques for P2P botnets. Technical Report CS 2008-4, Stevens Institute of Technology, September 2008.] If you know which of your own computers an adversary has taken control of, swapping them out for your own instrumented hosts for collecting evidence does not put innocent third parties at risk, though it does take a greater level of sophistication and careful planning and execution. (But if you are engaging in aggressive actions, you had better be sophisticated, plan and execute your actions carefully, and take responsibility for collateral damage you cause. As David Willson put it in a BrightTALK panel presentation, “What I’m saying here is that the leadership has to absolutely make the call, and say, ‘This is what we’re going to do, and how we’re going to do it. Keep collecting the information and the intelligence so we can make better formed decisions and continuously move forward.’ And then be willing to take responsibility for what happened. If the leadership isn’t willing to take responsibility, then they can’t do it and they are being negligent.” [P. Judge. Panel: The Single Greatest Challenge in Data Security for 2013. https://www.brighttalk.com/webcast/288/64057, January 2013, @24:00].)

I’m patiently waiting to get an answer to my question. :)