246 ◾ Security Strategy: From Requirements to Reality
Their system has been compromised and is being used to disguise the attackers' actual location. Depending on your jurisdiction, a retaliatory response may subject you or your organization to criminal charges and/or civil liabilities.
There are a number of ways to achieve anonymity, including hidden Internet Assigned Numbers Authority (IANA) registrations for specific IP ranges, but the more popular method is exploitation. Exploitation is the compromise of third-party systems or communications channels that are subsequently used to target other systems. Botnets are a great example; hackers and cybercriminals using various exploits implant a zombie on a victim's computer system and send it remote commands to carry out their illicit activities. For example, the Cimbot zombie uses the victim's e-mail accounts to send spam. Cimbot accounts for some 15% of the world's spam; that's about 13% of all e-mail! Botnets are also used for Distributed Denial of Service (DDoS) attacks. But exploitation doesn't necessarily have to involve remote control zombies; any access that allows the attackers to disguise their actual source address is sufficient, and it is not unusual for attackers to use multiple hops to make it more difficult to trace their actions back to the source.
In the popular book The Cuckoo's Egg: Tracking a Spy through the Maze of Computer Espionage, Markus Hess, a West German hacker, used up to 10 intermediate sites to disguise his hacking efforts against U.S. military sites, national laboratories, and NASA. It took more than two years to backtrack this maze of connections to Hess's telephone line. Another means of achieving anonymity is through account compromise or hijacking. Various means are used to capture a user's credentials (userID, password, session ID), which are then employed to conduct illicit activities. Because such usage is readily traceable to the source, hackers may use this technique in combination with a compromised system or a publicly accessible system (e.g., library computer, Internet café) for greater anonymity.
Defensive anonymity can use the same techniques to disguise the actual location of the agent, but the interactive nature of digital reconnaissance (i.e., chat rooms, blogs, etc.) makes it harder to maintain. Like any clandestine operation, there is always a possibility that the agent's cover will get blown. Black-hats tend to be smart, intuitive people; they are not easily fooled or taken in, and they are not at all nice when they discover they've been had. Anonymity is the only real control objective associated with the target retaliation risk, and getting caught is the only real metric. Even with good anonymity controls, it is smart to prepare for massive retaliation attacks just in case your true identity is uncovered.
The following actions are recommended for the target retaliation risks:
1. Train your people. Spying, intelligence gathering, reconnaissance, whatever you choose to call it, is a craft. In fact, the CIA calls it "the craft." Training people in the craft, including how to maintain anonymity, build and promote a persona (cover), and avoid detection or tracing, are all important to their effectiveness. Natural ability, attitude, intelligence, and experience are the other ingredients.
2. Maintain separation. To the greatest extent possible, try to keep your reconnaissance activities completely separate from the agency or organization sponsoring them. There should be nothing on the systems used for reconnaissance associating it or the operator with the sponsor. If someone is going to retaliate, you want him to retaliate against the agent, not the organization.
3. Prepare for retaliation. Whether you are doing offensive or defensive intelligence gathering, when people discover what you are doing they are likely to retaliate. Be prepared for it by creating a good incident response process capable of managing the attack. You should be able to "pull the plug," rebuild the system, and be back in business as a different entity in a half hour or so.