Perimeter

4/4/2018
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Active Cyber Defense Is an Opportunity, Not a Threat

If honest citizens can be tracked online with cookies and beacons that share where we are and what we are doing, then why should security professionals restrict their ability to hack attackers?

You could be forgiven for believing the World Wide Web is the Wild Wild West. The pervasiveness of cyberattacks certainly makes it seem as if we are living in a lawless period. Yet we are not without law enforcement. The FBI Cyber Crimes division and its Internet Crime Complaint Center (IC3) have a proven track record when it comes to investigating and reporting on cybercrime.

Many major cybercriminals have been brought to justice over the years, from TJX hacker Albert Gonzalez to Mirai botnet developers Paras Jha and Josiah White. We must give credit to the authorities for their ability to close these cases. While some of us working in the security realm have suggested that law enforcement doesn't have sufficient resources to deal with cyberattacks, the real challenge is that most organizations are unprepared to share information in a timely manner (if at all). For example, business email compromise attacks reported in the first 24 hours can often be reversed. True, cybercrimes are difficult to track and attribute, but it is even harder when attacks are not reported.

Why then, is there such resistance to the Active Cyber Defense Certainty Act? Why would we want to prevent organizations from joining in the fight against malicious actors?

The Active Cyber Defense Certainty Act is not without precedent. In our physical world, many states already recognize "Stand Your Ground" laws and the Castle Doctrine to protect ourselves and our property from coming to harm. And when it comes to cyberspace, security researchers have long used honeypots to capture information about unauthorized intrusions.

In a similar vein, Internet marketers have long tracked user activity with cookies and beacons that share where we are, what we are doing and what we are reading. If honest citizens can be tracked online, then why should we restrict the ability to track attackers? If we could apply similar techniques to attacks and our attackers, then we suddenly have a powerful source of information for our law enforcement agencies. And if we acknowledge that law enforcement agencies are under-resourced, then why wouldn't we want to provide them this resource?

Isn't it possible that so many cases go cold because law enforcement doesn't find out about the attack until long after it happened? Isn't it possible that a lack of solid attribution is what makes it so difficult for law enforcement to prioritize an effective response? This all just goes to show the inherent value of the Active Cyber Defense Certainty Act if it is approached with a positive intent.

Fears about 'Hacking Back' Are Overemphasized
The real challenge for the Active Cyber Defense Certainty Act is that the security industry has developed a straw-man argument around "hacking back" that is filled with slippery slopes. The fears are that the Active Cyber Defense Certainty Act will unleash a Pandora's box of hacking. Whereas responding to attacks with malware could have such effects, that is not what the Active Cyber Defense Certainty Act suggests. Malware can "escape" the systems on which it is unleashed— Stuxnet, for example — but no other security measures have this control problem: think tracking, automated interaction with criminals, honeypots. They are all very strong on the control aspect. I fail to understand why a responsible organization would "unleash" a hack-back technique beyond its control. I trust the focus and judgment of my colleagues in the security profession.

Suggesting that organizations should not be able to deploy resources to track down who is attacking them is to deny those very same resources to law enforcement by proxy, since the evidence extracted by security controls would be fed to law enforcement. It is short-sighted advice.

Certainly, some organizations will not have the internal resources to gather counterintelligence, but that just suggests the need for external security controls that help them perform this task in a controlled and auditable manner.

This is where the focus of the discussion should be: how can organizations without sufficient internal resources to track attacks outsource the task, obtaining threat intelligence in return, and helping feed data to law enforcement that helps their activities? I am confident that the information security community is prepared to help fill the need for active cyber defense, to the benefit of organizations and law enforcement, as well as preventing potential future victims.

This commentary was written in response to Hacking Back & the Digital Wild West, by Levi Gundert.

 Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist, and entrepreneur, studying phishing, crimeware, and mobile security at leading organizations. In his role at Agari, he leads the company's security research with a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Diversity: It's About Inclusion
Kelly Jackson Higgins, Executive Editor at Dark Reading,  4/25/2018
Coviello: Modern Security Threats are 'Less About the Techniques'
Kelly Sheridan, Staff Editor, Dark Reading,  4/24/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.