Perimeter

4/4/2018
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Active Cyber Defense Is an Opportunity, Not a Threat

If honest citizens can be tracked online with cookies and beacons that share where we are and what we are doing, then why should security professionals restrict their ability to hack attackers?

You could be forgiven for believing the World Wide Web is the Wild Wild West. The pervasiveness of cyberattacks certainly makes it seem as if we are living in a lawless period. Yet we are not without law enforcement. The FBI Cyber Crimes division and its Internet Crime Complaint Center (IC3) have a proven track record when it comes to investigating and reporting on cybercrime.

Many major cybercriminals have been brought to justice over the years, from TJX hacker Albert Gonzalez to Mirai botnet developers Paras Jha and Josiah White. We must give credit to the authorities for their ability to close these cases. While some of us working in the security realm have suggested that law enforcement doesn't have sufficient resources to deal with cyberattacks, the real challenge is that most organizations are unprepared to share information in a timely manner (if at all). For example, business email compromise attacks reported in the first 24 hours can often be reversed. True, cybercrimes are difficult to track and attribute, but it is even harder when attacks are not reported.

Why then, is there such resistance to the Active Cyber Defense Certainty Act? Why would we want to prevent organizations from joining in the fight against malicious actors?

The Active Cyber Defense Certainty Act is not without precedent. In our physical world, many states already recognize "Stand Your Ground" laws and the Castle Doctrine to protect ourselves and our property from coming to harm. And when it comes to cyberspace, security researchers have long used honeypots to capture information about unauthorized intrusions.

In a similar vein, Internet marketers have long tracked user activity with cookies and beacons that share where we are, what we are doing and what we are reading. If honest citizens can be tracked online, then why should we restrict the ability to track attackers? If we could apply similar techniques to attacks and our attackers, then we suddenly have a powerful source of information for our law enforcement agencies. And if we acknowledge that law enforcement agencies are under-resourced, then why wouldn't we want to provide them this resource?

Isn't it possible that so many cases go cold because law enforcement doesn't find out about the attack until long after it happened? Isn't it possible that a lack of solid attribution is what makes it so difficult for law enforcement to prioritize an effective response? This all just goes to show the inherent value of the Active Cyber Defense Certainty Act if it is approached with a positive intent.

Fears about 'Hacking Back' Are Overemphasized
The real challenge for the Active Cyber Defense Certainty Act is that the security industry has developed a straw-man argument around "hacking back" that is filled with slippery slopes. The fears are that the Active Cyber Defense Certainty Act will unleash a Pandora's box of hacking. Whereas responding to attacks with malware could have such effects, that is not what the Active Cyber Defense Certainty Act suggests. Malware can "escape" the systems on which it is unleashed— Stuxnet, for example — but no other security measures have this control problem: think tracking, automated interaction with criminals, honeypots. They are all very strong on the control aspect. I fail to understand why a responsible organization would "unleash" a hack-back technique beyond its control. I trust the focus and judgment of my colleagues in the security profession.

Suggesting that organizations should not be able to deploy resources to track down who is attacking them is to deny those very same resources to law enforcement by proxy, since the evidence extracted by security controls would be fed to law enforcement. It is short-sighted advice.

Certainly, some organizations will not have the internal resources to gather counterintelligence, but that just suggests the need for external security controls that help them perform this task in a controlled and auditable manner.

This is where the focus of the discussion should be: how can organizations without sufficient internal resources to track attacks outsource the task, obtaining threat intelligence in return, and helping feed data to law enforcement that helps their activities? I am confident that the information security community is prepared to help fill the need for active cyber defense, to the benefit of organizations and law enforcement, as well as preventing potential future victims.

This commentary was written in response to Hacking Back & the Digital Wild West, by Levi Gundert.

 Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist, and entrepreneur, studying phishing, crimeware, and mobile security at leading organizations. In his role at Agari, he leads the company's security research with a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8939
PUBLISHED: 2019-02-19
data/interfaces/default/history.html in Tautulli 2.1.26 has XSS via a crafted Plex username that is mishandled when constructing the History page.
CVE-2019-8935
PUBLISHED: 2019-02-19
Collabtive 3.1 allows XSS via the manageuser.php?action=profile id parameter.
CVE-2019-3812
PUBLISHED: 2019-02-19
QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host.
CVE-2019-8933
PUBLISHED: 2019-02-19
In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on ...
CVE-2019-7629
PUBLISHED: 2019-02-18
Stack-based buffer overflow in the strip_vt102_codes function in TinTin++ 2.01.6 and WinTin++ 2.01.6 allows remote attackers to execute arbitrary code by sending a long message to the client.