Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

4/4/2018
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Active Cyber Defense Is an Opportunity, Not a Threat

If honest citizens can be tracked online with cookies and beacons that share where we are and what we are doing, then why should security professionals restrict their ability to hack attackers?

You could be forgiven for believing the World Wide Web is the Wild Wild West. The pervasiveness of cyberattacks certainly makes it seem as if we are living in a lawless period. Yet we are not without law enforcement. The FBI Cyber Crimes division and its Internet Crime Complaint Center (IC3) have a proven track record when it comes to investigating and reporting on cybercrime.

Many major cybercriminals have been brought to justice over the years, from TJX hacker Albert Gonzalez to Mirai botnet developers Paras Jha and Josiah White. We must give credit to the authorities for their ability to close these cases. While some of us working in the security realm have suggested that law enforcement doesn't have sufficient resources to deal with cyberattacks, the real challenge is that most organizations are unprepared to share information in a timely manner (if at all). For example, business email compromise attacks reported in the first 24 hours can often be reversed. True, cybercrimes are difficult to track and attribute, but it is even harder when attacks are not reported.

Why then, is there such resistance to the Active Cyber Defense Certainty Act? Why would we want to prevent organizations from joining in the fight against malicious actors?

The Active Cyber Defense Certainty Act is not without precedent. In our physical world, many states already recognize "Stand Your Ground" laws and the Castle Doctrine to protect ourselves and our property from coming to harm. And when it comes to cyberspace, security researchers have long used honeypots to capture information about unauthorized intrusions.

In a similar vein, Internet marketers have long tracked user activity with cookies and beacons that share where we are, what we are doing and what we are reading. If honest citizens can be tracked online, then why should we restrict the ability to track attackers? If we could apply similar techniques to attacks and our attackers, then we suddenly have a powerful source of information for our law enforcement agencies. And if we acknowledge that law enforcement agencies are under-resourced, then why wouldn't we want to provide them this resource?

Isn't it possible that so many cases go cold because law enforcement doesn't find out about the attack until long after it happened? Isn't it possible that a lack of solid attribution is what makes it so difficult for law enforcement to prioritize an effective response? This all just goes to show the inherent value of the Active Cyber Defense Certainty Act if it is approached with a positive intent.

Fears about 'Hacking Back' Are Overemphasized
The real challenge for the Active Cyber Defense Certainty Act is that the security industry has developed a straw-man argument around "hacking back" that is filled with slippery slopes. The fears are that the Active Cyber Defense Certainty Act will unleash a Pandora's box of hacking. Whereas responding to attacks with malware could have such effects, that is not what the Active Cyber Defense Certainty Act suggests. Malware can "escape" the systems on which it is unleashed— Stuxnet, for example — but no other security measures have this control problem: think tracking, automated interaction with criminals, honeypots. They are all very strong on the control aspect. I fail to understand why a responsible organization would "unleash" a hack-back technique beyond its control. I trust the focus and judgment of my colleagues in the security profession.

Suggesting that organizations should not be able to deploy resources to track down who is attacking them is to deny those very same resources to law enforcement by proxy, since the evidence extracted by security controls would be fed to law enforcement. It is short-sighted advice.

Certainly, some organizations will not have the internal resources to gather counterintelligence, but that just suggests the need for external security controls that help them perform this task in a controlled and auditable manner.

This is where the focus of the discussion should be: how can organizations without sufficient internal resources to track attacks outsource the task, obtaining threat intelligence in return, and helping feed data to law enforcement that helps their activities? I am confident that the information security community is prepared to help fill the need for active cyber defense, to the benefit of organizations and law enforcement, as well as preventing potential future victims.

This commentary was written in response to Hacking Back & the Digital Wild West, by Levi Gundert.

 Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Markus Jakobsson, chief scientist for ZapFraud, has worked for more than 20 years as a security researcher, scientist, and entrepreneur, studying phishing, crimeware, and mobile security at leading organizations. He leads ZapFraud's security research with a focus on using ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
CVE-2021-21246
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...