July 10, 2014
Should Your Company Hack Back?
The thirst for vengeance is part of human nature.
The very idea of it can be sweet. The phrase “just desserts” seems to promise a treat—and so it is not surprising that in the wake of a seemingly endless string of cyber attacks on American companies, an increasingly popular idea is the possibility of “hacking back.”
If you’ve been breached, and your organization is unable to stop the attack using your own internal methods, can you step outside your own walls with a counter-attack to go after your data and stop the breach at its source?
An enticing example of this took place in the government sector, when the government of Georgia lured a Russian hacker—who had been infiltrating government ministries and banks for more than a year—to a machine that planted spyware on his computer and surreptitiously used his webcam to take pictures of him. The photographs were then published in a report, essentially “outing” the hacker.
While advocates of hacking back think the private sector should be empowered to take similar or more aggressive actions, there are problems with the idea.
Defining the Offensive Approach
The damage caused by cyber attacks and theft of intellectual property was recently estimated to have reached a global economic cost of $400 billion each year. According to Verizon’s 2014 Data Breach Investigations Report, cyber-espionage has risen threefold just in the last year, with the United States being the largest victim by far. This is no longer a problem of the defense industry—companies in all industries have become targets. Traditional defensive approaches have demonstrated their inability to mitigate the issue, and law enforcement and private companies are publicly discussing the possibility of offensively defending their assets, bringing the fight to the attackers.
The idea of hacking back, which is also referred to as striking back or active defense, is a concept that has been discussed in the cyber-security research community for nearly a decade. Dave Dittrich, research scientist and engineer principal at the University of Washington’s Applied Physics Laboratory, was one of the first cyber-security experts to explore the concept, and divided it into four levels of activity:
1. Local intelligence gathering
2. Remote intelligence gathering
3. Actively tracing the attacker
4. Actively attacking the attacker
Only the first one—local intelligence gathering—is clearly legal. At this level, the victim organization is working within its own environment to analyze logs, network traffic, etc., looking for malware. These are the sorts of functions an information technology (IT) department conducts every day and has every right to conduct.
Tempting, But Illegal
This is where the slope gets slippery; the other three levels of activity should be approached with caution. Levels two through four violate a federal anti-hacking law called the Computer Fraud and Abuse Act (see What You Should Know about the Computer Fraud and Abuse Act).
At the second level—remote intelligence gathering—the victim organization is venturing outside of its own environment and therefore has fewer rights. Remote intelligence gathering requires the victim to get permission from each “remote” party to gather intelligence. If it doesn’t get the necessary permission, then the victim has now become the hacker.
Don’t Bomb Switzerland
The risks increase at each step. Offensive actions could include hacking back into the hacker’s systems, shutting down servers, etc. There are legal and practical problems with each option. From a practical perspective, you may not have the skills, technology or capabilities to counter-attack effectively.
Because cyber criminals like to disguise their attacks, they often hijack the systems and networks of unsuspecting third parties to launch the attack and store the data they steal. This makes the issue of retaliating very complicated. The communications path of an attack can be convoluted and involve numerous parties, such as internet service providers (ISPs), telephone companies, and third-party systems used as proxies by the attacker, making it difficult to determine if an attack is coming directly from the hackers themselves—from a computer that they control—or from a “zombie” type of computer they’ve taken over that belongs to someone else.
So, let’s say your company takes steps to access a server you think is housing your stolen data, and then you figure out that the server actually belongs to a hospital in Ohio, not to the hackers, who may be in China or Eastern Europe. So there’s a big risk of collateral damage involving innocent parties and a whole range of privacy concerns that come up.
Legally, retaliatory counter strikes are not justified by the initial hack. The indignant claim of “They did it first!”, which may have helped you out of a tough spot when you were a child, is not a defense for hacking back. Since even domestic communications are often routed through other countries, by actively tracing and attempting to attack the attacker, the victim may be violating the cyber-crime laws of those countries. And, as you can imagine, actively planting malicious software in someone else’s systems—as the government of Georgia did to ensnare their hacker—is illegal in the U.S. There is a federal criminal statute against it, and prosecutors are threatening to use it against companies that employ the tactic.
And here is an even worse thought to consider—if your company decides to launch a retaliatory attack against foreign hackers that turn out to be state-sponsored and the hackers find out what you’re doing, what happens the next time your CEO travels to that country? Will he or she be arrested at the airport?
What You Should Know about the Computer Fraud and Abuse Act: Any consideration of retaliatory counter strikes should be discussed with an attorney familiar with the Computer Fraud and Abuse Act (CFAA) of 1986, which criminalizes unauthorized access to third-party data and systems. While many lawyers and legal scholars feel it is outdated, the CFAA covers the basics of the “protected computer.” The CFAA specifically covers computers used by financial institutions and those of the U.S. government, but it also covers any computer affecting interstate commerce or communication (the latter of which brings mobile phones within its purview). The CFAA makes it illegal for anyone to distribute computer code or place it in the stream of commerce if they intend to cause damage or economic loss. It provides criminal penalties for either knowingly or recklessly releasing a computer virus into computers used in interstate commerce. Someone convicted under the CFAA could face a prison sentence as long as 20 years and a fine of up to $250,000. The CFAA also allows civil actions for accessing a computer to obtain information or to defraud, for damaging a computer, trafficking in passwords, or engaging in extortion. An up-to-date resource on cases arising under or referring to the CFAA can be found at www.CFAADigest.com.
Despite the fact that a U.S. grand jury recently indicted five Chinese military officers on charges of hacking American companies and stealing trade secrets, it was largely a symbolic—although gratifying—gesture. It is highly unlikely that the accused officials will ever see the inside of a U.S. courtroom. The ability of law enforcement to assist organizations in the fight against cyber attacks is currently limited. Catching and prosecuting attackers isn’t easy; the number of cyber criminals is much greater than the number of “cyber cops” that can assist with investigations and match their sophistication. Highlighting the depth of this problem, FBI Director James Comey revealed that the FBI plans to relax its hiring policy of zero-tolerance for marijuana, since so many programmers and hacker-types like to smoke it.
“I have to hire a great workforce to compete with those cyber criminals, and some of those kids want to smoke weed on the way to the interview,” he said.
Until the skills of law enforcement at federal, state, and local levels can match that of the attackers—which could take years—cyber criminals will continue to face low risk and high reward, and companies have to fend for themselves. But if we cannot legally retaliate or otherwise strike out at our attackers in the traditional sense, what can we do?
Subdue the Enemy Without Fighting
We are still on the proverbial frontier of the legal doctrine surrounding self-defense in cyber space. While the law currently corrals us into maintaining our “good guy” status, that doesn’t mean we have to stand idly by while our intellectual property is being stolen and leveraged against us. In fact, the key to successfully combating our attackers may lie within the culture of one of our most prominent cyber aggressors. Even if it’s just from watching the movie “Wall Street,” you are probably familiar with a work of ancient Chinese military strategy entitled “The Art of War.” Written 2,500 years ago, it is a classic study of competition and rivalry that has been utilized by soldiers ever since. We can take a cue from one of its key declarations:
That doesn’t mean we have to be passive.
It just means that rather than charging out of our own walls with guns blazing, we need to take a proactive approach within the enterprise to thwart our enemies’ efforts. Remember, hackers are on the offensive, and their goals primarily involve making money. They are not setting out to defend themselves; when they are confronted by effective counter-measures that would require them to do so, they tend to shift to easier targets.
Creating confusion and doubt for the attacker is a good tactic. It is possible to set up internal systems to create pathways that go nowhere and caches of fake data. The point of these efforts is to take steps within your own perimeter to make an attacker’s efforts arduous and expensive and, if access is gained, to make the hack so frustrating that the attackers will decide to move on.
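As an added illustration (not part of the original article), the sketch below shows how a cache of fake data doubles as a tripwire inside your own environment: nobody has a business reason to open a decoy file, so any read of one is a high-confidence alert, and what the same source opened afterwards scopes the response. The log format, file paths, decoy list and the svc_backup account are all assumptions constructed for the example.

```python
import csv
import io

# Constructed sample of an internal file-server access log (not real data).
SAMPLE_LOG = """\
timestamp,src_ip,user,action,path
2014-07-01T09:12:03,10.1.4.22,alice,READ,/finance/q2/forecast.xlsx
2014-07-01T09:40:11,10.1.9.80,svc_backup,READ,/finance/payroll_2014_master.xlsx
2014-07-01T10:02:47,10.1.7.15,bob,LIST,/engineering/
2014-07-01T10:03:02,10.1.7.15,bob,READ,/finance/payroll_2014_master.xlsx
2014-07-01T10:03:40,10.1.7.15,bob,READ,/engineering/designs/rev7.dwg
2014-07-01T10:05:19,10.1.7.15,bob,READ,/it/vpn_credentials.txt
2014-07-01T11:30:00,10.1.4.22,alice,READ,/finance/q2/actuals.xlsx
"""

# Hypothetical decoy files: fake data that no business process ever needs.
DECOY_PATHS = {"/finance/payroll_2014_master.xlsx", "/it/vpn_credentials.txt"}
# Hypothetical account that legitimately reads every file (e.g. a backup job).
EXPECTED_READERS = {"svc_backup"}


def find_decoy_hits(log_text, decoys=DECOY_PATHS, expected=EXPECTED_READERS):
    """Return {(src_ip, user): report} for each source that touched a decoy."""
    rows = sorted(csv.DictReader(io.StringIO(log_text)),
                  key=lambda r: r["timestamp"])  # ISO-8601 sorts as text
    reports = {}
    for row in rows:
        key = (row["src_ip"], row["user"])
        if row["path"] in decoys:
            if row["user"] in expected:
                continue  # known whole-share reader, not an alert
            rep = reports.setdefault(
                key, {"first_hit": row["timestamp"], "decoys": [], "real_after": []})
            if row["path"] not in rep["decoys"]:
                rep["decoys"].append(row["path"])
        elif key in reports:
            # Real data read after the first decoy hit: scope for the responders.
            reports[key]["real_after"].append(row["path"])
    return reports


if __name__ == "__main__":
    for (ip, user), rep in find_decoy_hits(SAMPLE_LOG).items():
        print(f"ALERT {user}@{ip} first decoy access {rep['first_hit']}")
        print("  decoys touched:", ", ".join(rep["decoys"]))
        print("  real files accessed afterwards:", ", ".join(rep["real_after"]))
```

Allow-listing by account name is itself a gap if that account is compromised, so the expected-reader list should stay as short as possible.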
Collaboration is key.
You can gain actionable intelligence by gathering adversary indicators that define and describe trends, tendencies, methods and actions taken by attackers. This will help you maintain an awareness of existing and emerging threats and achieve insight into attackers’ plans, before those plans turn into action.
Commercial security threat intelligence services are becoming critical to IT security efforts, because while many companies have the resources to act on intelligence, they don’t have enough to generate it. There are several companies that offer this sort of intelligence, and Jeff Brown—Vice President and CISO of Raytheon—told an audience at a recent CISO Executive Summit that the defense contractor is offering up to 2,000 adversary indicators a day for free in an effort to increase information-sharing across the private sector. Other companies offer additional intelligence, such as services that warn companies when their internet protocol (IP) addresses show up in botnet traffic.
Additionally, legal experts are discussing non-aggressive active defense options that could include tracking stolen data to the server where it is being stored and stealing it back, which might be deemed legal if the server is not damaged. This tactic, which the American Bar Association’s Cybersecurity Legal Task Force is focusing on, is called “beaconing.” It involves inserting code in sensitive data that would allow the company to track it if it is stolen. However, experts also warn that while this is an attractive prospect, it’s closely tied to more damaging and potentially illegal actions, such as inserting code that would cause the data to self-destruct, or taking over the servers where the data is being stored. Harvey Rishikof, co-chairman of the ABA’s task force, warns that the legality of beaconing isn't entirely clear.
"There's the black-letter law, and there's the gray area. Can you put a beacon on your data? Another level is, could you put something on your data that would perform a more aggressive action if the data was taken?" -- Harvey Rishikof, co-chairman of the ABA’s task force.
Pro-Activate Your Defenses
From a technology solution side, adequately combating attackers will require your organization to bolster its security controls, and even more importantly, the staff and operational support behind them. Many organizations have robust technologies in place but need experienced professionals to configure and monitor them in order to effectively close security gaps. You need visibility into your networks, systems, and applications and proof that your systems are doing exactly what your organization wants them to do. Without this insight, you cannot hope to fight off attackers.
An effective vulnerability assessment and an architecture review, followed by detailed technical reviews and configuration changes, will be critical. Ensure your architecture accounts for network, data and access control segmentation.
Technology solutions to consider include next-generation firewalls (NGFWs), intrusion detection and prevention systems (IDPS), secure email and Web gateways, advanced threat protection (dedicated advanced malware scanning platforms), system and file integrity monitoring, Web application firewalls (WAFs), database activity monitoring (DAM), identity and access management (IAM) controls, network traffic analysis, and endpoint behavior analysis. From a post-breach perspective, network and endpoint forensics can be of great value.
Additionally, big data analytics technologies can combine network monitoring, traditional log-centric SIEM, forensics, compliance, and big data management and analytics to enable intelligence-driven threat detection and faster security investigations. They can help provide the context and visibility to enable real-time insight into events that spring not only from your organization’s own IT environment, but also from mobile, social media, cloud, and Internet activities.
Organizations that are concerned about distributed denial-of-service (DDoS) attacks should develop a DDoS defense strategy that considers all the components of the IT infrastructure. In its recent Worldwide Infrastructure Security Report, network security company Arbor Networks reported that over one-third of its survey respondents who operate data centers experienced attacks that exceeded total available Internet connectivity in 2013—almost double the number reported in 2012. In order to mitigate these attacks successfully, both on-premise appliances—which are designed to rapidly identify DDoS traffic—and external service providers should be considered. Because DDoS attacks are continuing to grow in size (to over 300 Gbps) and on-premise solutions can have difficulty handling volumetric attacks, a hybrid approach is best: an on-premise solution combined with services from either an ISP that offers a “clean pipe” service, in which it monitors your traffic, or a DDoS cloud-mitigation provider that offers massive amounts of bandwidth and can scrub all types of network traffic.
Managed security services providers (MSSPs) can prove to be invaluable in the effort to combat cyber attacks. It can be very difficult to make the necessary infrastructure and software upgrades to address the full range of today’s cyber security and compliance issues. MSSPs offer 24/7 monitoring for security events, acting as an extension of your security team and providing cost-effective access to security expertise and best practices for a secure IT infrastructure.
Attacking the Attackers
Despite the numerous legal and practical issues surrounding retaliatory counterstrikes, which may never be overcome, companies who feel that an attack involving the theft of their IP is posing an imminent threat to their survival, or even threatening lives—for instance, a hospital with patients connected to critical life support systems—may still feel it is appropriate to step outside their walls and aggressively strike back. To those companies, we offer this advice from Robert Clark, Distinguished Professor of Law for the U.S. Naval Academy’s Center for Cyber Security Studies:
“If you're going to do this, you're going to need a great team of lawyers, or at least one really great lawyer, to handle this for you.” --- Robert Clark, Distinguished Professor of Law for the U.S. Naval Academy’s Center for Cyber Security Studies
War in the Fifth Domain
It is true that the Pentagon has officially named cyber space “the fifth domain of warfare” after land, sea, air and space. But the sheer chaos that could erupt out of an all-out cyber war involving an endless cycle of strikes and counter-strikes between numerous countries—including the government and private sectors—is an alarming prospect. Nevertheless, the time to sit around and talk about what to do as we hemorrhage data has passed.
It is time to take action.
While the legality of active defense options is being hashed out, your organization can stave off cyber attacks by proactively enhancing your staff and defenses, gathering intelligence, taking advantage of the right services, and pursuing a carefully considered continuum of mitigative actions that will help you protect your brand.