Overview
If I leave my house unlocked and unprotected, is that an invitation for you to come in?
When we pause to think about the nature of internet scanning, let’s give thought to the reasoning behind it – and not only the action of it. Is it about the fact that we open the unlocked door, look inside, and go in uninvited? Or is what matters the reason why we enter?
The digital space has become a boundary-less playground for cybercriminals. How, then, do we meet this problem head-on? How do we get ahead of these attackers and bring this drama to a pause? As defenders, the bigger picture of the situation is not always easy to obtain without being able to scan the internet more easily and broadly. Being able to scan better and gain scope and context can help defenders show up in the same “playground”. Making faster, more insightful observations of what the criminals are doing and putting a clearer picture together helps to outsmart them. Doing so without them even knowing you were looking for them in the first place is even better. If we are to outpace these adversaries, we must apply this thinking. To do so, we start by looking and going into the same places they are – but with our clear, forward-facing, ethically driven intentions. Let’s look at internet scanning as if it were in our own backyard.
Being a Typical Neighbor
Picture yourself in your neighborhood (aka "the Internet") and you have a next-door neighbor. One day your "typical neighbor" is returning from work, and they think they will pop by and see if you're home. Knock, knock. They wait, no one answers. Now, you could in fact be at home, but maybe you don't answer. The reality is, no one is going to open this door for them, even if someone is inside to do so. And they are not supposed to invite themselves in.
Port scanning is like being a typical neighbor. They check to see if you are at home, and this is completely reasonable. Now, it is possible that you can be at home, but decide not to answer (blocking scanners by IP). No matter, they are not allowed to get in. So, they go home and cook dinner.
Gray Scale: A Whiter Shade of Pale
Being a Nosey Neighbour
Let’s say your neighbor is a little more of a curious need-to-know person. The "nosey neighbor" knocks at the door, but when there is no answer, they don’t leave. Rather, they step from the front porch and peek inside the front window, taking a good look through the open curtains to see if you're inside. A not too invasive way of checking to see if someone is home.
Banner grabbing in scanning can be paralleled to that kind of a check. A little more investigative than simply knocking at the door, but still benign. Not illegal. Again, no one is opening the door, so they go on their merry way.
Gray Scale: Light Gray
Being an Overly Helpful Neighbour
Imagine your neighbor thinks something is wrong. Perhaps they have seen something strange like smoke coming out of the kitchen window. Knock, knock. Anyone home? No answer. They peek in through the curtain. Still no response. However, this time they also opt to press the front door handle to see if it opens. It does AND they open it. Not exactly breaking and entering, but they weren’t exactly invited in either. Getting a bit gray.
The argument is that this could be considered illegal. Internet scanners do a similar activity when they check to see if a service is vulnerable by applying a benign test to it. It is not completely illegal. Like our overly helpful neighbor here, there could be good motivation behind it. They believe someone inside could be in trouble and since the door opened, they think they are doing the right thing by opening the door.
However, opening the door could lead to bad results. For example, maybe you've already run out of the house to get away from a negative situation. By opening the door, the neighbor has caused a further disturbance. Maybe something caught fire while on the stove, but no one was in trouble inside, and now a bigger explosion occurred. Not as helpful as initially expected.
NOTE: In some countries, like the Netherlands, there are some situations where this is in fact considered legal.
Gray Scale: Gray
Being an In-Your-Face "Part of the Neighborhood Watch" Neighbour
Imagine the previous scenario, but this time the neighbor doesn’t just stay in the front entrance when they open the door, they go into the house and walk around actively looking around. Their intent is to check if perhaps someone has lost consciousness and help them in case they can’t get to safety on their own.
Similarly, in the case of Internet scanning, this corresponds to using benign exploits. This is a borderline activity in terms of legality, but sometimes this is the only way to find out if there is trouble present.
Gray Scale: Dark Gray
Not Your Neighbour At All
And then, you’ve got the neighbor that is in fact not a neighbor at all. Someone that has been looking for an opportunity – a moment when your house is at its most vulnerable – to go in and take what isn’t theirs. They’ve been watching your habits to see when you drop the kids off or when deliveries arrive. They’ve even hopped on the porch a time or two and likely checked to see if the front door was unlocked. Today, they discover it is unlocked, open it and capitalize on this opportunity to go in unnoticed.
This is when it is clearly illegal. No good intent matches this thinking. A strong comparison can be made with exploiting a discovered vulnerability and performing illegitimate activity in a system. Definitely, this is way outside of the gray area.
Gray Scale: Beyond the Gray, into the Deep Black
In Closing
Why this story? It’s intended to add the layer of intent over top of the actions we take – to not-so-subtly remind us that the ethics behind what we do matter. Cyber security is no different from countless industries in that there are times when intent is key because it’s not a clear black and white situation. There’s a lot of gray area. It's relevant and required to not look at the gray area as a single point. We must consider it as more of a gradient and approach the research, tool development, and actions we take not singularly, but with context.
For those of us that belong in the neighborhood and haven’t infiltrated, we must look at each situation and think about both defending the neighborhood, and proactively protecting it to prevent threat actors from finding and optimizing opportunities. The context matters in the situation. With the very present need to build strong cyber resiliency, we need to outthink our adversaries. With every action we take, we must be thoughtful, intentional, and always have context to make good neighborly decisions.