Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
12/14/2017
09:00 AM
Raymond Pompon
Raymond Pompon
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Is a Good Offense the Best Defense Against Hackers?

A proposed new law could make it legal for companies to hack back against attacker. But will it work?

The global costs of dealing with hacking — destruction, loss of data, intellectual property theft, fraud, embezzlement, disruption to business, restoration, estimated by Cybersecurity Ventures at $3 trillion in 2015 — are projected to double to $6 trillion annually by 2021. Yet under US law, it’s illegal to attack the hackers back.

In February, a Georgia Republican introduced a bill to Congress to give legal protection to hacking victims who "hack back" at attackers. The law is continuing to wend its way through the legislative process and might just end up (in some form) as a real a law.

That’s right: you could hit the bad guys back — and hard.

The Active Cyber Defense Certainty (ACDC) Act would amend section 1030 of the Computer Fraud and Abuse Act of 1986 that bars accessing a system that does not belong to you, or distributing code designed to enable unauthorized access to anyone's system. If the bill passes, it will be legal to do both.

"This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault," said Rep. Graves in a press release March 3, 2017.

ACDC would allow victims of cybercrime to gain unauthorized access to their attackers’ systems legally, as long as their actions are only meant to identify the attacker or disrupt the attack. The bill doesn't allow retaliation that destroys the attacker's data, causes physical injury, or "creates a threat to the public health or safety."

Though the bill may never become law in this form, it’s certainly opening discussions around “hacking back,” and raises awareness of the difficulty in stopping criminal cyber activity.

High Return, Low Risk. What’s not to Like?
Attackers work anonymously and, largely, with impunity. Billions of dollars are stolen each year, with little to none of it recovered, and the criminals are rarely caught. Even when they are, it’s difficult to prosecute them; it can take years to track them down, build a case, indict and convict them. Moreover, some countries or regions tolerate—or even profit from—cybercriminals’ activities, and offer little help to or even thwart international law enforcement efforts.

If the incentives are good, and the risks low, powerful cybercrime syndicates will continue. And as things currently stand, the law limits CISOs’ options. The hope among leading CISOs is that shifting to offense will change the game. After all, the adversary remains ahead if you simply react to every problem defensively.

But, Hacking Back Is Never as Simple as It Sounds
First there’s the issue of "attribution." How do you correctly identify your attacker? It’s not as easy as it sounds. What if an attack comes from a botnet? Not one computer, but thousands or millions spread over the globe. Owners of botnet computers may not know they’re contributing to an attack. If your attacker is somewhere in the cloud, good luck finding her. Are you going to strike back against your cloud provider? They’re potentially innocent middlemen.

Second, ACDC wouldn’t allow striking back against distributed denial-of-service (DDoS) attacks, for example, a common attack. DDoS attacks don’t involve unauthorized access. And who are you going to blame? Typical DDoS attacks come from devices that are part of the Internet of Things (IoT). Say Grandma’s digital picture frame routed requests in a DDoS attack. Are you going to hack back against Grandma?

Third, what if your attacker is not on US soil? You will not be legally protected if you’re retaliating in another country with different laws. In fact, you could find yourself being the one carted off by the police or buried in lawsuits.

Strike Back Already Exists for the Largest Tech Players
If the problem is large, those with resources — primarily large IT vendors — will work with law enforcement to stop attackers. When your actions are sanctified by the authorities, it isn’t vigilantism. It helps if you’re a large company with a good legal team. In fact, many large IT vendors hire ex-DOJ prosecutors and investigators as company liaisons with law enforcement.

For example, Microsoft security researchers aided international law enforcement agencies to disrupt one of the most widely distributed malware families, "Dorkbot," estimated to have infected more than 1 million PCs in more than 190 countries. In another instance, a collaboration between Trend Micro, INTERPOL, Microsoft, Kaspersky Lab, and the Cyber Defense Institute resulted in the destruction of the notorious SIMDA botnet.

How You Can Strike Back Now
Hack backs can take several forms that you can take advantage of without the additional legal protection of the proposed ACDC law. A less legally risky defense is to set up "honeypots," or fake servers and services to lure attackers in. Once attackers have entered your network, you can sinkhole their traffic, feed them fake data, and confuse them with false systems. Studies have shown deceptive defenses do deter attacks. Best of all, deceptive defense would meet the goals of the ACDC, since you are simultaneously disrupting the attack and gathering information about the attacker.

Moreover, it’s passive, not active. With deceptive defense, you don’t go to them, the bad guys come to you. The disruption and spying happens on your equipment, on your premises, where you have a legal right to be — and the hacker doesn’t.

You can even put up warning banners: Warning—this system is the property of XYZ bank. Unauthorized users consent to being recorded and allowing XYZ to take measures to disable unauthorized access to the extent necessary to stop the illegal activity and support law enforcement investigations. An alert like this should get you off the legal hook for any defensive moves you make.

If it happens, the ACDC debate is going to be interesting to watch. Though the bill is unlikely to pass as it is, if it comes up for debate, it’s certain to spark discussions. In the meantime, CISOs have other options, such as deceptive defenses.

Get the latest application threat intelligence from F5 Labs.

 

Raymond Pompon is a Principal Threat Researcher Evangelist with F5 labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Number of Retailers Impacted by Breaches Doubles
Ericka Chickowski, Contributing Writer, Dark Reading,  7/19/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
F5 makes apps go-faster, smarter, and safer. With solutions for the cloud and the data center, F5 technology provides unparalleled visibility and control, allowing customers to secure their users, applications, and data. For more information, visit www.f5.com.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14492
PUBLISHED: 2018-07-21
Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, and AC10 through V15.03.06.23_CN devices have a Stack-based Buffer Overflow via a long limitSpeed or limitSpeedup parameter to an unspecified /goform URI.
CVE-2018-3770
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.
CVE-2018-3771
PUBLISHED: 2018-07-20
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
CVE-2018-5065
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5066
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.