As the topic of hacking back continues to resurface among elected officials, those of us in the cybersecurity community are scratching our heads over why this concept refuses to die. After digging deeper, one can see that there are many misperceptions regarding what the terms “hacking back” and “active cyber defense” (ACD) actually mean. General frustration and misinformation are driving the interest, but the mixing of definitions is fueling confusion.
Attivo Networks will present alongside the FBI at this year’s FS-ISAC Annual Summit, held May 20-23 in Boca Raton, Fla. This year’s event theme is Strength in Sharing and will focus on how to solve the challenges of the evolving threat landscape and support corporate strategies by leveraging advanced technologies and services that expand the cybersecurity perimeter.
By: Carolyn Crandall

There is widespread industry discussion and debate about the current Active Cyber Defense Certainty Act (ACDC), introduced to Congress in March of 2017, that would allow companies the right to hack back after a “persistent unauthorized intrusion.” This bill has become increasingly relevant in the cybersecurity community as a result of frustration with the sheer number of breaches, the damage caused by them, and low prosecution rates.
More specifically, ACDC allows individuals and companies to hack hackers if the goal is to disrupt, monitor or attribute the attack, or destroy stolen files. The bill does not allow counter-attackers to destroy anything other than their own stolen files and requires that someone “hacking back” under the bill’s provisions notify the FBI National Cyber Investigative Joint Task Force.
An updated version of the bill was referred to the House Judiciary Committee on October 12 and then to the House Subcommittee on Crime, Terrorism, Homeland Security and Investigations on November 1. Given that an average of 86 percent of bills never make it out of subcommittee, there is a very reasonable chance this bill will never pass.
With the bill, sponsors and supporters are looking to address the increase in the frequency and magnitude of breaches and the public’s increasing frustration, but at Attivo Networks, we believe legalizing counter-hacking for private organizations is not the best solution for several reasons:
• Attribution is challenging, and there is the potential for innocent “bystanders” to be negatively impacted.
• The bill only legalizes counter-hacking against hackers in the United States; many attacks cross international boundaries, and the laws of those jurisdictions will still prevail.
• A private organization’s counter-hacking may interfere with other investigations or activities by government agencies.
• It can be very difficult to prove that a given hacker “persistently” attacked a network.
Typically, people who are good at security are experienced at defending a network’s perimeter. However, they generally lack the skills, training, and financial resources to conduct a counter-hack.
It is clear there is no way to keep threat actors 100 percent out of the network and even with the best “castle walls and moats,” human error, insiders, suppliers and even contractors can all create weak links.
However, counter-hacking as the answer exposes many practical and ethically gray issues that organizations may be ill-equipped to address. One could also argue that organizations are better suited to focusing their efforts on fortifying their defenses and detecting threats quickly to avoid breaches in the first place, eliminating the need for retaliation.
Rather than counter-hacking, IT teams can look to deception to change the asymmetry of an attack. Deception is a valuable threat-intelligence, adversary-intelligence, and counter-intelligence tool for detection and for acquiring the information needed to strengthen active defenses. Using deception for in-network detection and intelligence is legal and keeps organizations within their swim lanes, doing what they do best: defending their networks. Early detection, paired with indicators of compromise and intelligence that helps identify and neutralize adversaries targeting the organization, will not only prevent an attacker from completing the attack but will also strengthen defenses against other and future attackers.
There has been a fundamental shift in 2017 toward organizations building an adaptive security defense that includes prevention, detection and response technologies. Gartner called deception one of its “Top Technologies for Security in 2017” in a June 2017 report. In a new report issued in October, Gartner lists “Continuous Adaptive Risk and Trust” (CARTA) as a “Top 10 Strategic Technology Trend for 2018,” and noted, “CARTA can also be applied at runtime with approaches such as deception technologies.”
I encourage organizations to look at building an adaptive defense that includes the use of distributed deception platforms instead of going down the path of the vigilante. Retribution may make sense in some cases, but it is best left to military or law enforcement agencies that possess the skills and resources to execute a counter-hack with the precision required.
Is it next-generation threat detection? Is it counter-hacking? One thing we know is that it’s designed to lure hackers to a replica enterprise environment so that threats can be eliminated. It’s deception.
“Why does this company exist? It really boils down to that a perimeter-based defense is just not reliable anymore,” Carolyn Crandall, chief deception officer and CMO at Attivo Networks, told Security Now. “People can and will get into the network, and over the last couple of years, people are accepting that.”
Crandall is adding her voice to a growing number of experts who agree that the better strategy is to accept that penetration is inevitable and therefore to focus on protecting the data in the network rather than erecting a fence.