Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

4/4/2018
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Active Cyber Defense Is an Opportunity, Not a Threat

If honest citizens can be tracked online with cookies and beacons that share where we are and what we are doing, then why should security professionals restrict their ability to hack attackers?

You could be forgiven for believing the World Wide Web is the Wild Wild West. The pervasiveness of cyberattacks certainly makes it seem as if we are living in a lawless period. Yet we are not without law enforcement. The FBI Cyber Crimes division and its Internet Crime Complaint Center (IC3) have a proven track record when it comes to investigating and reporting on cybercrime.

Many major cybercriminals have been brought to justice over the years, from TJX hacker Albert Gonzalez to Mirai botnet developers Paras Jha and Josiah White. We must give credit to the authorities for their ability to close these cases. While some of us working in the security realm have suggested that law enforcement doesn't have sufficient resources to deal with cyberattacks, the real challenge is that most organizations are unprepared to share information in a timely manner (if at all). For example, business email compromise attacks reported in the first 24 hours can often be reversed. True, cybercrimes are difficult to track and attribute, but it is even harder when attacks are not reported.

Why then, is there such resistance to the Active Cyber Defense Certainty Act? Why would we want to prevent organizations from joining in the fight against malicious actors?

The Active Cyber Defense Certainty Act is not without precedent. In our physical world, many states already recognize "Stand Your Ground" laws and the Castle Doctrine to protect ourselves and our property from coming to harm. And when it comes to cyberspace, security researchers have long used honeypots to capture information about unauthorized intrusions.

In a similar vein, Internet marketers have long tracked user activity with cookies and beacons that share where we are, what we are doing and what we are reading. If honest citizens can be tracked online, then why should we restrict the ability to track attackers? If we could apply similar techniques to attacks and our attackers, then we suddenly have a powerful source of information for our law enforcement agencies. And if we acknowledge that law enforcement agencies are under-resourced, then why wouldn't we want to provide them this resource?

Isn't it possible that so many cases go cold because law enforcement doesn't find out about the attack until long after it happened? Isn't it possible that a lack of solid attribution is what makes it so difficult for law enforcement to prioritize an effective response? This all just goes to show the inherent value of the Active Cyber Defense Certainty Act if it is approached with a positive intent.

Fears about 'Hacking Back' Are Overemphasized
The real challenge for the Active Cyber Defense Certainty Act is that the security industry has developed a straw-man argument around "hacking back" that is filled with slippery slopes. The fears are that the Active Cyber Defense Certainty Act will unleash a Pandora's box of hacking. Whereas responding to attacks with malware could have such effects, that is not what the Active Cyber Defense Certainty Act suggests. Malware can "escape" the systems on which it is unleashed— Stuxnet, for example — but no other security measures have this control problem: think tracking, automated interaction with criminals, honeypots. They are all very strong on the control aspect. I fail to understand why a responsible organization would "unleash" a hack-back technique beyond its control. I trust the focus and judgment of my colleagues in the security profession.

Suggesting that organizations should not be able to deploy resources to track down who is attacking them is to deny those very same resources to law enforcement by proxy, since the evidence extracted by security controls would be fed to law enforcement. It is short-sighted advice.

Certainly, some organizations will not have the internal resources to gather counterintelligence, but that just suggests the need for external security controls that help them perform this task in a controlled and auditable manner.

This is where the focus of the discussion should be: how can organizations without sufficient internal resources to track attacks outsource the task, obtaining threat intelligence in return, and helping feed data to law enforcement that helps their activities? I am confident that the information security community is prepared to help fill the need for active cyber defense, to the benefit of organizations and law enforcement, as well as preventing potential future victims.

This commentary was written in response to Hacking Back & the Digital Wild West, by Levi Gundert.

 Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Markus Jakobsson, chief scientist for ZapFraud, has worked for more than 20 years as a security researcher, scientist, and entrepreneur, studying phishing, crimeware, and mobile security at leading organizations. He leads ZapFraud's security research with a focus on using ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.