23. Final thoughts
You can find this presentation here:
And reach me:
@dstrom on Twitter
Let’s talk about a growing trend in information security, being able to hack back or use various direct measures to attack your attackers. There are several issues:
attributing an attack to the right source,
understanding the attacker's intent, and
developing the right red team skills.
In this talk, I will talk about the ways that an enterprise can defend itself, and how to go about this process.
Let’s start off with this fact: currently, a private company has no legal right to defend themselves against a cyberattack. Nada. But there are several laws on the books and new ones that are being proposed.
Last month, two Democratic Senators introduced this bill, which will impose mostly financial sanctions on foreign attackers.
is Georgia Senate Bill 315, which was vetoed earlier this summer by Governor Nathan Deal. The bill would have created a new crime of unauthorized access to a network, but didn’t include any definition of criminal intent. If enacted without any changes, it could have meant that security researchers would be liable for prosecution, just for entering a client’s network
Canada is also considering allowing hacking back in its Communications and Security Establishment under Bill C-59. That bill is still working its way through Parliament. If passed, it would give this group the ability to conduct hacking back activities.
The practice of hacking back isn’t new: the 1983 movie War Games inspired the Computer Fraud and Abuse Act of 1986, which prohibits anyone from knowingly accessing a computer without proper authorization.
Rep. Tom Graves introduced last year the Active Cyber Defense Certainty Act (ACDC) (H.R. 4036) that modifies the older laws
This reporter for Slate called it a highway to hell, and a bill that almost no one wants. It hasn’t gone anywhere in Congress since its introduction.
Google made questionably legal use of discovery technologies back in 2009 to find the command and control servers in Taiwan which were running the Operation Aurora attacks, as documented in this report from George Washington University researchers published last year.
And a security researcher was fired from his job after doing some hacking back to investigate a 2003 Lockheed Martin breach in Orlando, documented in a recent New Yorker article. The researcher took Lockheed to court and sued for damages, and won the suit.
These are two major issues with hacking back. With Google and Operation Aurora, they could prove who did it, thanks to their own telemetry on their networks. They used questionable techniques that could have compromised privacy, but they do that more and more anyway.
Attribution is a very elusive target to achieve so your error ratio can be quite high,” says Dudu Mimran, chief technology officer at Telekom Innovation Laboratories in Israel. Timeliness matters, he says, especially if you can analyze an attack in progress and connect the dots. The more time that lapses after an attack, the harder the attribution process becomes.
Attribution is also very much a cat-and-mouse game, as attackers get more adept at hiding their origins or deliberately mislead researchers by including someone else’s code to throw them off the trail. Many hackers also employ obfuscation technologies so their malware can persist longer in corporate networks to do more damage.
Second is understanding the intent of the attacker and the defender. For attackers, their intent could range from deliberate criminal action to a mistake in network configuration, so obviously it is important to determine this before any hacking back activity is permitted. And there is a similar assessment of intent for defenders too: are they trying to get their data back, monitor what the attacker is doing, cause harm to their attacker, or destroy illegal use of proprietary technology?
Some proposed laws are considering the use of cyber poison pills as one of the countermeasures.
If you are thinking about having a so-called Red Team, composed of security staff that are used for offensive measures, they don’t necessarily have to be hacking back -- they can be penetration testers that are trying to leverage their way in and identify weak points of leverage. You can either hire your own staff, find a MSSP to provide this service, or make use of various open source and paid tools to help.
Here are four products that I tested that leverage the MITRE ATT&CK platform -- all operate somewhat differently, all are free. ATT&CK can look at the actual malware components and lay them out in detail. Most modern malware uses a combination of techniques to hide its operation, stage its exploits, evade detection, and leverage network weaknesses. How you find these various building blocks is a key defensive strategy.
This is Caldera, one of the common open source tools. I wrote about this for CSOonline earlier this summer.
Another way is for government to cooperate with private industry, as what happened when it came time to try to stem the tide of Somali pirates. The government eventually accepted the use of private security services by the commercial shippers, and having both work with insurers help to provide a solution to stop the numerous raids of ocean cargo in that part of the world. This public-private cooperation has the side benefit of being able to help improve attribution, according to another report published last year by the Carnegie Endowment.
We still have a lot of work to do before hacking back is both a legal and an acceptable response to a data breach or cyberattack. But as technologies get better at figuring out attribution and in proving the intent of both parties, it could become a regular weapon for IT and security managers to use.