CITAS – Computer Intrusion Threat Assessment System

Last weekend, I was at a small conference and one of the people whose presentations I attended was an FBI special agent named John B. Chesson.

After he got through the obligatory introductory material about what the FBI does, what the challenges are, and how computer security at typical companies is done (or, in too many cases, not done) his presentation turned to a proposal for a particular new methodology for helping companies achieve some degree of security. That methodology is called CITAS – which stands for Computer Intrusion Threat Assessment System.

The basic problem faced by Law Enforcement in computer security, is that (and this is a direct quote from Agent Chesson) "we can’t police what we can’t see." This is a legitimate point. But many FBI and other efforts to date have been focusing on getting this "sight" specifically by subverting rather than enhancing security, and CITAS appears to be a step in the opposite direction.

I will briefly explain the difference: When you enhance the security of any asset, you are enhancing its owner’s ability to control that asset. When you subvert the security of any asset, you’re enhancing the ability of anyone who is not its owner to control that asset.

A backdoor is any channel that allows someone other than its owner to see, disclose, or modify owned data regardless of the owners’ knowledge or consent. Recently some factions in the FBI have been trying to reclassify some instances of them as "front" doors on the grounds that they exist only to be used by legitimate law enforcement concerns, but that is like trying to reclassify "blue" as "orange." It is not possible to construct a channel that cares about the identity, motives, or authorization of the people using it or whether they have a warrant, so technically speaking there is no such distinction to be made. A backdoor placed for any reason or purpose is still a backdoor, because it can be used to access owned assets without the knowledge or consent of the asset’s owner.

We have to regard backdoors as existential threats to security for two reasons: first, because backdoors placed specifically for use of American (or any other) law enforcement are one leaked secret away from being used by the Mafia, by Chinese Intelligence, by the Islamic State militants, or anybody else. And secrets eventually leak. Second, because when that secret leaks and those others do start using it, we will not know about it until the disasters they cause have already happened and it is too late for any security to do anything about them.

Right now, I think that the biggest problem we’ve got is that many of the organizations that are supposed to be supporting security have misinterpreted their missions, or simply failed to understand what security is, and so undertaken to subvert it. CITAS is important because Chesson clearly understands what security is and has not misinterpreted his mission; he has proposed something that can support rather than subvert it.

The way the proposed system works, a company, ISP, or other concern comes to the FBI seeking help and (if the FBI agrees that they are qualified to join CITAS) allocates the FBI an IP address from the company subnet to create a honeypot. A honeypot is a machine that exists for two purposes; first, it attracts attackers so that their tactics and methods can be monitored and, hopefully, their location and identity traced. Second, it keeps attackers busy with something besides attacking real targets. The FBI sets up this honeypot machine at some remote location, probably in a server farm of such machines, and the routers and switches in the company’s DMZ direct traffic between that machine and the Internet just as though it were a machine actually in the company’s network. The honeypot then pretends to be a machine on the company’s network, either within the company’s DMZ or behind it, depending on the threat model.

It is not implied by this scheme that the company DMZ should treat traffic between the company network and the honeypot any differently from traffic between the company network and the wild unfirewalled Internet. An IP address that’s part of the company’s subnet is an essential part of the illusion to be presented to an attacker that the honeypot is a company machine. So CITAS as I understand it is not asking for any special or unfirewalled access to your company network. What it is asking for is for the ability to set up a machine that someone outside your network (including a potential attacker) can’t easily identify as being outside your network.

When someone attacks your company’s network, they will attack the honeypot along with all the other machines they can see. If the honeypot is pretending to be a machine in the company DMZ, that means it will be subject to nearly every attack. If the honeypot is pretending to be a machine behind the DMZ, that means it will be subject to attacks that have penetrated your perimeter security or which originate inside it. The ability to identify attacks in the DMZ is essential for broad knowledge of what threats are out there and what is being tried, regardless of whether particular bits of it are getting through in a particular case; the ability to identify attacks that have penetrated or originate inside the perimeter is essential for rapid response and defense.

It is in the identification of attacks that the FBI has an advantage over your company IT staff. Security – reading the logs every day, knowing what they mean in the face of a bewildering and ever-changing array of threats, and effectively responding when the time between the first indication of a threat and the time when damage is done may be measured in minutes and sometimes seconds – is damned hard, unless it is literally the only thing you do and you have a large team of people doing it.

In the first place monitoring the logs, even with good tools, takes a lot of time, and it’s time that doesn’t produce anything immediately visible or valuable. Successful security is measured by the absence of a failure, and when you find out about a failure, it is too late for security to prevent it. Good security looks just like bad security, until you have enough failures for a valid statistical comparison, and nobody wants that many failures.

In the face of this quandary, it is nearly impossible for a company to make good decisions about how much of its resources to devote to security and whether it’s getting good value for the resources it does devote to security. Predictably given this situation, there are far more people selling supposed good security solutions than there are security solutions that are actually good, which makes the difficulty of knowing what kind of resources to devote to security even harder.

And security – which is damned hard for those reasons – is what the FBI proposes to do with its honeypots if the CITAS program is implemented. Because the FBI has a broad view of the network and an awareness of threats emerging this week, today, or even within the previous hour, it could track the progress of threats in a way that is simply not possible for people who only see what goes on inside a single company network. The FBI could leverage the human effort of keeping up to date on the threats and developing tools to monitor for each new threat across its honeypots on many company networks, and therefore do it relatively cheaply. Further, the FBI with a broader view would be looking at a statistically significant number of attacks and failures, and would be able to measure the effectiveness and cost effectiveness of tools and methodologies and allocations of time and effort in a way companies can’t until they’ve gone through multiple security disasters.

Finally, CITAS as proposed means immediately sharing information about identified threats and specific breaches of security with the affected businesses. That too has been a missing link in programs that subvert rather than enhance security. For this reason, I think that it is finally a good offering that can get many companies on board and actually help rather than harm. CITAS as proposed could help companies to detect breaches quickly and respond before minor breaches turn into disasters.

Like all such methods, it won’t ever be foolproof. For security purposes, the foolishness of a group is the sum of the foolishness of the people in it, and any misalignment between the motivations of employees and the motivations of owners or management (such as disgruntlement, etc) counts as foolishness. Even if your employees are not fools or malcontents individually, if there are enough of them it will always be possible for some attacker to leverage their aggregate foolishness. When this happens the attacker will either get on your payroll (if they leverage foolishness in HR), or get someone on your staff to cooperate in subverting the security of machines that person has access to(if they leverage foolishness elsewhere). You can’t stop that completely, though minimizing the individual foolishness of your employees and putting up internal firewalls to divide pools of foolishness when they start getting too large will definitely help.

There are some downsides to the CITAS proposal. The presence of honeypot machines whose IP addresses are within your company’s network but which you do not control, could be abused in a few ways; even if your network treats them as untrusted machines on the wild Internet, someone coming from outside your network could access a service on that machine believing it is a service provided by your company. In fact, this is exactly what attackers are doing when the system operates as intended. It becomes problematic however when the person outside your network isn’t an attacker, especially if the FBI is doing something with the machine that might convey a false impression of your company.

I would expect these honeypot machines to be used as monitored TOR onion routers and exit nodes enabling the FBI (and all US intelligence agencies, because the data would be pooled) to track a substantial portion of TOR traffic, as web proxy servers, IRC servers and VPNs that the FBI can monitor, etc. Many would be Bittorrent or Gnutella systems where the FBI could track file sharing and copyright infringement. Some might be used as public wifi servers in selected locations anywhere in the country, as the FBI tracks attackers who use any open wifi server they can find to connect to the Internet. They might put up a webserver, whose IP address would confirm it to be within your company’s subnet no matter what server name they equipped it with through DNS, and use links to that web server in some operation. In a true nightmare scenario for the company’s reputation, the FBI could be running a "sting" operation to catch kiddie porn traders or terrorists or some equally loathsome crooks, and the honeypot machines could convey the impression that those activities happen somewhere in your company’s subnet. So there are causes for concern.

Although a company using the CITAS service would of course never be legally liable for anything that happened on these machines, such services could become known to the public and traced back to your company’s subnetwork, and then your choices would be to reveal that the machine is an FBI honeypot (which the FBI would probably rather you did not do and which your agreement if you join CITAS would probably forbid), or participate in concealing your lack of control over that machine.

Anyway, I’m regarding the CITAS proposal as a positive step in that it could genuinely support rather than actively subverting the security of those it seeks to protect. It is problematic in that it is a threat to privacy; it would provide a platform for suppression of free (by virtue of anonymity) speech. It would most likely kill whatever effectiveness TOR has left for purposes of privacy and make monitoring of Bittorrent, Gnutella, etc, even more ubiquitous than it is now.

Leave a Reply