RSA Conference 2018 featured hundreds of sessions covering today’s cybersecurity issues. The theme was “Now Matters,” and among the immediate issues featured was the question of whether companies should engage in active defense, or “hacking back.”
The idea of hacking back has been discussed by security researchers for over a decade. Dave Dittrich, SANS instructor and Affiliate Information Assurance Researcher at the University of Washington, was one of the first experts to explore the concept, and divided it into four levels of activity:
- Local intelligence gathering
- Remote intelligence gathering
- Actively tracing the attacker
- Actively attacking the attacker
Only the first one—local intelligence gathering—is clearly legal. At this level, the victim organization is working within the confines of its own environment. The other three levels violate the Computer Fraud and Abuse Act (CFAA), which criminalizes unauthorized access to systems and data. In the past, prosecutors have threatened to use it against companies that aggressively hack back, and organizations have been hesitant to employ the tactic.
Active Cyber Defense Bill
During National Cybersecurity Awareness Month in 2017, members of the U.S. House of Representatives introduced the Active Cyber Defense Certainty Act (ACDC), a bill that proposes changes to the CFAA to allow the use of active defense measures extending beyond the victim organization’s own network to identify, disrupt, and potentially destroy their stolen data.
The bill has serious limitations. It only allows for the targeting of computers within the U.S., which dramatically stunts its usefulness since hackers tend to route attacks through foreign servers. Additionally, it doesn’t allow counter-attackers to destroy anything other than their own files, and it requires them to notify the National Cyber Investigative Joint Task Force of their intentions so that the FBI can ensure American boundaries are being respected, and that plans don’t interfere with ongoing investigations.
Companies are also liable for any inadvertent damage they cause to innocent parties during their efforts. And of course, the reality is that the vast majority of organizations simply don’t have the resources to identify and target hackers’ systems.
Go After Attackers in Your Network
Despite these stumbling blocks, speakers at the RSA Conference emphatically stressed the need for private sector response. In a session titled, “Hack Back for Good, Not Vengeance: Debating Active Defense for Enterprises” featuring presenters from Columbia University, Allure Security and DARPA, there was disagreement on the value of attribution, but complete unanimity on the idea of hacking back.
Salvatore Stolfo, a professor at Columbia University and CTO of Allure Security Technology, asserted that hacking back is viable if done right in order to avoid “self-inflicted wounds.” He highlighted the impact deception technology can have in the effort to actively confront cyber adversaries within the bounds of the CFAA.
The Role of Deception
The use of distributed decoy systems enables organizations to create counterfeit resources for the attacker to find, spreading the appearance of endpoints and servers throughout the range of IP addresses being used by the company, and setting alluring traps such as fake credentials for accounts on decoy machines. These systems offer the benefit of low false positives (legitimate users have no reason to be in contact with decoys), and because they are in-line, they take up very little bandwidth. When a decoy is breached, the security team can choose to let the attacker continue while they watch, which aids in the development of intelligence about specific attack vectors, and attackers’ ultimate goals.
Some solutions also provide advanced threat-hunting capabilities, enabling direct action against attackers within legal boundaries. They extend forensics, control, and mitigation capabilities to attacker-controlled computers within the targeted network, allowing organizations to actively defend their infrastructure within their own environment and making it easier to investigate, contain, and engage with intruders.
While certain actions enabled by the technology equate to automated incident response operations against live attackers, more aggressive actions can also be taken that—as deception provider Cymmetria puts it—“require careful consideration.”
In its Top 10 Strategic Technology Trends for 2018, Gartner says exploring deception technologies to catch bad guys that have penetrated your network is one of the new techniques that should be explored to make an adaptive approach to risk management a reality.
Developing a Strategy
Just as a single mistake can destroy a magician’s illusion, a misstep during an effort to mislead cyber attackers can derail all of your efforts, and put your data at risk. Deception strategies must be carried out with precision using intrusion-detection methods to minimize damage to legitimate users, and avoid business disruptions. Legal counsel and decision-making policies should also been in place to support active defense efforts, so organizations can decide which actions can be taken under which conditions, and just how aggressive they can be.
Learn more about leveraging deception for active defense in 6 Ways to Deceive Cyber Attackers.