Fighting Hackers without Sinking to Their Level

At this year’s Black Hat hacker conference in Las Vegas, attention turns from defense to offense.
July 26, 2012

With cyber attacks that steal valuable intellectual property on the rise, companies need to consider their options for striking back at attackers, attendees of the annual Black Hat computer security conference in Las Vegas heard yesterday.

“We’ve been focused on defense for a long time, but there’s something else that you’ve got to do. I believe that the industry has to mitigate the threat and take on the attacker,” said Shawn Henry, who gave the opening keynote at the conference, which is being attended by 6,500 experts in cyber attack and defense techniques—both legal and otherwise.

Until this March, Henry headed the FBI’s criminal and cyber programs worldwide. He is now president of CrowdStrike, a company that is working on technology that might help targeted companies launch countermeasures, and he is not alone in calling for companies to consider striking back at those who attack them.

Many believe that striking back could be more successful in deterring attacks than just strengthening the systems designed to shut out attackers. However, what kind of offense will be technologically possible and legally allowable is still unclear.

Henry stressed that he wasn’t advocating “hacking back”—something that would probably be illegal—but rather shifting from trying to build impenetrable security systems to designing ones that make it possible to determine the identities and likely motivations of the paymasters of an attack. Various legal means could then be used to frustrate or delay the attackers’ efforts, said Henry.

Advocates of this approach are mostly concerned with what are dubbed advanced persistent threats (APTs): sophisticated attacks that involve stealthily stealing valuable intellectual property and that have been successfully used against prominent companies such as Google and security firm RSA in recent years. Many such attacks are supported by foreign governments, said Henry. “It’s like playing poker with a marked deck when you sit down with a company that’s been given” a foreign government’s support, he said, adding that while at the FBI he learned of such a raid that copied 10 years of research and development work, worth approximately $1 billion, from one company.

Reasoning out what information is most valuable and designing security systems to gather clues about adversaries’ interests makes effective pushback possible, said Henry. “Maybe it’s denial and deception—we send them a few corrupt packets,” he said. “Or maybe we have false information that could cause the adversary pain, because it cost them four months and it cost them two zero days [newly discovered software vulnerabilities] to get on there and it didn’t work.”

Henry said that smarter analysis of a company’s network logs could help provide the necessary groundwork for such strategies, and he advocated legal changes to establish methods or even responsibilities for data sharing between private companies and government on attacks and threats. Today, companies that are attacked don’t typically share data that could help others avoid the same fate, he said. And companies often accuse government agencies of being similarly secretive.

Speaking before Henry, Jeff Moss, founder of the Black Hat conference and chief security officer of ICANN, who is also known as the Dark Tangent, said he too believed civilian computer security should be more active. “We need some white blood cells out there, companies who are willing to push the envelope and live on the edge and push the threat actors and see what happens.”

Moss mentioned CrowdStrike as one example. Another, he said, is Facebook, which has pioneered the use of evidence gathered in the wake of an attack to go after the perpetrator independently of law enforcement. In January, the social networking company filed a civil lawsuit against marketing company Ascend alleging that it had used malicious website code to hide Facebook Like buttons beneath salacious photos, tricking Web users into boosting the Like count of clients.

“I’m not a government, I don’t have treaties, I don’t have the force of military,” said Moss, “but I can hire lawyers, and they’re almost as good.” Moss believes that this approach could also help establish rules for retribution that cross international borders.

Some observers object to the idea of private companies taking on detective and enforcement work, saying that this should be left to agencies of government, particularly since many attacks on corporations are believed to originate with nation states. Henry argued that companies in the United States have been forced to consider this approach.

“In the cyber world [the Department of Homeland Security] have the responsibility and authority to protect .gov, and the NSA has the authority and responsibility to protect .mil, but nobody has the authority to protect .com,” Henry says. “The FBI will respond, but they’re not actively patrolling.”
