Partner Perspectives
12/14/2017 09:00 AM
Raymond Pompon

Is a Good Offense the Best Defense Against Hackers?

A proposed new law could make it legal for companies to hack back against attackers. But will it work?

The global costs of dealing with hacking — destruction, loss of data, intellectual property theft, fraud, embezzlement, disruption to business, restoration, estimated by Cybersecurity Ventures at $3 trillion in 2015 — are projected to double to $6 trillion annually by 2021. Yet under US law, it’s illegal to attack the hackers back.

In February, a Georgia Republican introduced a bill to Congress to give legal protection to hacking victims who "hack back" at attackers. The bill is continuing to wend its way through the legislative process and might just end up (in some form) as a real law.

That’s right: you could hit the bad guys back — and hard.

The Active Cyber Defense Certainty (ACDC) Act would amend section 1030 of the Computer Fraud and Abuse Act of 1986 that bars accessing a system that does not belong to you, or distributing code designed to enable unauthorized access to anyone's system. If the bill passes, it will be legal to do both.

"This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault," said Rep. Graves in a press release March 3, 2017.

ACDC would allow victims of cybercrime to gain unauthorized access to their attackers’ systems legally, as long as their actions are only meant to identify the attacker or disrupt the attack. The bill doesn't allow retaliation that destroys the attacker's data, causes physical injury, or "creates a threat to the public health or safety."

Though the bill may never become law in this form, it’s certainly opening discussions around “hacking back,” and raises awareness of the difficulty in stopping criminal cyber activity.

High Return, Low Risk. What’s not to Like?
Attackers work anonymously and, largely, with impunity. Billions of dollars are stolen each year, with little to none of it recovered, and the criminals are rarely caught. Even when they are, it’s difficult to prosecute them; it can take years to track them down, build a case, indict and convict them. Moreover, some countries or regions tolerate—or even profit from—cybercriminals’ activities, and offer little help to, or even thwart, international law enforcement efforts.

If the incentives are good, and the risks low, powerful cybercrime syndicates will continue. And as things currently stand, the law limits CISOs’ options. The hope among leading CISOs is that shifting to offense will change the game. After all, the adversary remains ahead if you simply react to every problem defensively.

But, Hacking Back Is Never as Simple as It Sounds
First there’s the issue of "attribution." How do you correctly identify your attacker? It’s not as easy as it sounds. What if an attack comes from a botnet? Not one computer, but thousands or millions spread over the globe. Owners of botnet computers may not know they’re contributing to an attack. If your attacker is somewhere in the cloud, good luck finding her. Are you going to strike back against your cloud provider? They’re potentially innocent middlemen.

Second, ACDC wouldn’t allow striking back against one of the most common attacks, the distributed denial-of-service (DDoS) attack, because DDoS attacks don’t involve unauthorized access. And who are you going to blame? Typical DDoS attacks come from devices that are part of the Internet of Things (IoT). Say Grandma’s digital picture frame routed requests in a DDoS attack. Are you going to hack back against Grandma?

Third, what if your attacker is not on US soil? You will not be legally protected if you’re retaliating in another country with different laws. In fact, you could find yourself being the one carted off by the police or buried in lawsuits.

Strike Back Already Exists for the Largest Tech Players
If the problem is large, those with resources — primarily large IT vendors — will work with law enforcement to stop attackers. When your actions are sanctioned by the authorities, it isn’t vigilantism. It helps if you’re a large company with a good legal team. In fact, many large IT vendors hire ex-DOJ prosecutors and investigators as company liaisons with law enforcement.

For example, Microsoft security researchers aided international law enforcement agencies to disrupt one of the most widely distributed malware families, "Dorkbot," estimated to have infected more than 1 million PCs in more than 190 countries. In another instance, a collaboration between Trend Micro, INTERPOL, Microsoft, Kaspersky Lab, and the Cyber Defense Institute resulted in the destruction of the notorious SIMDA botnet.

How You Can Strike Back Now
Several forms of hacking back are available to you now, without the additional legal protection of the proposed ACDC law. A less legally risky defense is to set up "honeypots," or fake servers and services to lure attackers in. Once attackers have entered your network, you can sinkhole their traffic, feed them fake data, and confuse them with false systems. Studies have shown deceptive defenses do deter attacks. Best of all, deceptive defense would meet the goals of the ACDC, since you are simultaneously disrupting the attack and gathering information about the attacker.

Moreover, it’s passive, not active. With deceptive defense, you don’t go to them, the bad guys come to you. The disruption and spying happens on your equipment, on your premises, where you have a legal right to be — and the hacker doesn’t.

You can even put up warning banners: Warning—this system is the property of XYZ bank. Unauthorized users consent to being recorded and allowing XYZ to take measures to disable unauthorized access to the extent necessary to stop the illegal activity and support law enforcement investigations. An alert like this should get you off the legal hook for any defensive moves you make.
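The deceptive, on-premises approach described in the last three paragraphs (show the banner, then record what the intruder does on equipment you own, without ever reaching out to their systems) as an added example; this is not code from the article or from F5. It is a minimal decoy TCP listener: every session gets the banner, and the peer address, timestamp and the bytes sent are kept as an evidence record. The `Honeypot`, `Interaction` and `probe` names and the two intrusion inputs are constructed for the demo; the banner wording is the article's, with its "XYZ bank" placeholder.

```python
import socket
import threading
import time
from dataclasses import dataclass

# Consent banner, taken from the article's wording; "XYZ bank" is the
# article's own placeholder organization name.
BANNER = (
    b"Warning - this system is the property of XYZ bank. Unauthorized users\r\n"
    b"consent to being recorded and allowing XYZ to take measures to disable\r\n"
    b"unauthorized access to the extent necessary to stop the illegal activity\r\n"
    b"and support law enforcement investigations.\r\n"
)
MAX_BYTES = 4096  # cap on what is kept per session so a flood cannot exhaust memory


@dataclass
class Interaction:
    """One recorded session: who connected, when, and the bytes they sent."""
    peer: str
    started: float
    payload: bytes = b""


class Honeypot:
    """Decoy TCP listener: shows the banner, records input, never acts on it."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port 0 lets the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.log, self._lock, self._stop = [], threading.Lock(), threading.Event()

    def _handle(self, conn, addr):
        rec = Interaction(peer=f"{addr[0]}:{addr[1]}", started=time.time())
        try:
            conn.settimeout(2.0)
            conn.sendall(BANNER)
            # Collect a bounded amount of input; the decoy only records it.
            while len(rec.payload) < MAX_BYTES:
                chunk = conn.recv(min(1024, MAX_BYTES - len(rec.payload)))
                if not chunk:
                    break
                rec.payload += chunk
        except OSError:                   # timeouts and resets just end the session
            pass
        finally:
            conn.close()
            with self._lock:
                self.log.append(rec)

    def _serve(self):
        self.sock.settimeout(0.2)         # wake periodically to check the stop flag
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()
        self.sock.close()

    def start(self):
        threading.Thread(target=self._serve, daemon=True).start()

    def stop(self):
        self._stop.set()

    def wait_for(self, count, timeout=5.0):
        """Block until `count` sessions are logged (or timeout); return a copy of the log."""
        deadline = time.time() + timeout
        while True:
            with self._lock:
                if len(self.log) >= count or time.time() >= deadline:
                    return list(self.log)
            time.sleep(0.01)


def probe(port, data, host="127.0.0.1"):
    """Constructed stand-in for an intruder: reads the banner, sends `data`, hangs up."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        banner = b""
        while len(banner) < len(BANNER):
            chunk = c.recv(1024)
            if not chunk:
                break
            banner += chunk
        c.sendall(data)
        c.shutdown(socket.SHUT_WR)        # end of input; the decoy then closes and logs
    return banner


def run_demo():
    """Start a decoy, replay two constructed intrusion attempts, return (banners, log)."""
    hp = Honeypot()
    hp.start()
    try:
        b1 = probe(hp.port, b"USER admin\r\nPASS hunter2\r\n")  # constructed input
        hp.wait_for(1)
        b2 = probe(hp.port, b"GET /admin HTTP/1.0\r\n\r\n")     # constructed input
        records = hp.wait_for(2)
    finally:
        hp.stop()
    return [b1, b2], records


if __name__ == "__main__":
    for r in run_demo()[1]:
        print(f"{r.peer} at {time.ctime(r.started)}: {r.payload!r}")
```

The decoy never interprets or follows the input it receives and never connects outward, which is what keeps it on the passive side of the line the article draws: the recording happens on your host, after the banner has been shown. In a real deployment the `Interaction` records would be shipped to a SIEM rather than kept in memory, and the peer address, timestamp and captured bytes are exactly the material you would hand to law enforcement.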

If it happens, the ACDC debate is going to be interesting to watch. Though the bill is unlikely to pass as it is, if it comes up for debate, it’s certain to spark discussions. In the meantime, CISOs have other options, such as deceptive defenses.

Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ...