Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Articles

02:20 PM
Kelly Sheridan
Kelly Sheridan
Edge Features
Connect Directly

Debating Law Enforcement's Role in the Fight Against Cybercrime

The FBI's action to remove Web shells from compromised Microsoft Exchange Servers sparks a broader discussion about officials' response to cyberattacks.

(Image: Kristina Blokhin via Adobe Stock)
(Image: Kristina Blokhin via Adobe Stock)

The FBI last month was authorized to remove malicious Web shells from machines running on-premises versions of Microsoft Exchange Server, a move that caught the eyes of cybersecurity pros and sparked a conversation about the government's role in responding to these attacks.

Related Content:

Microsoft Exchange Server Attacks: 9 Lessons for Defenders

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Planning Our Passwordless Future

This operation, which specifically authorized the activity for email servers in the United States, was announced some six weeks after Microsoft disclosed critical Exchange Server vulnerabilities that have since been used to target thousands of networks around the world. An attacker could chain the flaws together to compromise an exposed server and steal data, among other actions. 

These infections commonly start with deploying a Web shell, which adversaries can later use to communicate with target machines and distribute files to infect them with additional malware. While many admins of target systems were able to successfully remove these Web shells from thousands of devices, others didn't. Web shells persisted, unmitigated, on some target servers.

They soon became the object of an FBI operation that removed the remaining Web shells of an early hacking group. The Web shells could have been used to "maintain and escalate persistent, unauthorized access to U.S. networks," the Justice Department wrote in a statement. Officials conducted the removal by issuing a command through the Web shell to the server, which was designed to cause the server to only delete the Web shell, as identified by its unique file path.

It's important to note that while the FBI copied and removed Web shells, it did not patch any of the vulnerabilities, nor did it search for or remove additional malware or hacking tools that may have been present on target servers. Officials said they were attempting to contact the owners and operators of infected machines following the operation; they did not give advance notice. 

The FBI has been involved in several operations against cybercrime. Officials most recently teamed up with global law enforcement agencies to bring down the Emotet botnet.

But this operation, in which the FBI was present on enterprise servers without owners' knowledge, caught the eyes of many. It feels different than law enforcement dismantling a botnet, which often involves tracking a command-and-control server that the bots communicate with, disrupting communication, and gaining control over it. 

"That's a nuanced difference, but it's a little different than the FBI specifically knowing endpoints that are compromised, remoting in, and deleting a Web shell," says Katie Nickels, threat intelligence director at Red Canary, who feels "pretty divided" about the operation. 

For Nickels, and for many defenders, it was difficult in early March to see many organizations compromised in the Exchange Server attacks. Security practitioners know there are teams that aren't current on security news and don't know to patch or detect Web shells, she explains. It's frustrating, as a defender, to know all these businesses are going to be compromised and not know about it. 

"Part of me as a defender is really happy that someone is trying to help these organizations remove a Web shell," she says. "Of course, there's the other side: What kind of precedent does this set, allowing law enforcement to go into a computer … what kind of precedent does that set for the future? When could these operations take actions in the future, and what could be the implications of that? That's the other side." 

"I feel squarely torn, and that's what I've heard from most people," Nickels adds. In the past few months, as the world learned about SolarWinds and the Exchange Server attacks, the security community has seen a growing disparity between organizations prepared to face these incidents and those that aren't — and a need to help lacking companies protect themselves. 

A Goal of Disrupting the Adversary
Law enforcement's role in cybercrime is an intricate matter because much of this has never been done before, legislation hasn't caught up with technology, and things move quickly, says Shawn Henry, president of CrowdStrike Services and former FBI executive assistant director. Employees in the private sector are often defending against trained military professionals.

"There's so many complexities there, and that's why these things are never easy," he says of navigating the myriad laws, issues, amendments, and ramifications of intervening. "If I [believe] the government's primary responsibility is to protect the citizens, I think that their role in a case like this is to disrupt infrastructure. That is an area that the government can have success in." 

The government's role in fighting crime is often focused on deterrence. In the physical world, this could mean seizing assets bought with stolen funds, bank accounts used to launder money, and warehouses and other facilities used to store and sell illicit products. Criminals can't operate in an environment where their infrastructure is destroyed, and their return-on-investment drops. 

Henry applies the same concept to cybersecurity, an area in which attackers "are operating with impunity" and often out of places where the host country can't be expected to intervene. 

"Therefore, US law enforcement needs to take action to try and disrupt infrastructure in areas where they can have a meaningful impact … to try and raise the cost to them, or to deny them the ability to carry out their actions," he says. Sanctions, such as those the US recently imposed on Russia in response to the SolarWinds intrusion, is one way of doing this. Disrupting a botnet, which prevents operators from launching denial-of-service attacks or sending spam, is another. 

In the case of the Exchange Server attacks, Henry continues, if law enforcement is operating within the confines of the law and applied the law within the boundaries it is allowed, this becomes a public policy issue.

On the legal front, the operation was conducted after a search and seizure warrant under Rule 41 of the Federal Rules of Criminal Procedure. Among other things, it lets law enforcement petition a judge for a warrant "to use remote access to search electronic storage media and to seize or copy electronically stored information" when investigating damage to protected computers. This warrant did not authorize "seizure of any tangible property," nor did it permit officials to seize or copy content from, or alter functionality of, electronic storage media. 

Uncertainty for the Future
While done legally, this operation goes beyond the scope of what law enforcement officials have previously done in response to cybercrime. Some experts disagree with the actions as they were taken; others wonder whether the operation should have gone farther in its defense. 

Dr. David Brumley, co-founder and CEO at ForAllSecure and Carnegie Mellon University professor of electrical and computer engineering, supports the idea of removing Web shells but questions whether the FBI should have done it. He sees the security community agreeing on the key ideas: a crime was being committed, and the Web shells were dangerous.

(Story continues on next page.)

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
1 of 2

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cartoon Caption Winner: In Tow
Flash Poll