Fighting Hackers without Sinking to Their Level

At this year’s Black Hat hacker conference in Las Vegas, attention turns from defense to offense.

  • by Tom Simonite
  • July 26, 2012
  • Cyber warrior: Ex-FBI cyber-crime expert Shawn Henry gives the keynote speech at Black Hat.

With cyber attacks that steal valuable intellectual property on the rise, companies need to consider their options for striking back at attackers, attendees of the annual Black Hat computer security conference in Las Vegas heard yesterday.

“We’ve been focused on defense for a long time, but there’s something else that you’ve got to do. I believe that the industry has to mitigate the threat and take on the attacker,” said Shawn Henry, who gave the opening keynote at the conference, which is being attended by 6,500 experts in cyber attack and defense techniques—both legal and otherwise.

Until this March, Henry headed the FBI’s criminal and cyber programs worldwide. He is now president of CrowdStrike, a company that is working on technology that might help targeted companies launch countermeasures, and he is not alone in calling for companies to consider striking back at those who attack them.

Many believe that striking back could be more successful in deterring attacks than just strengthening the systems designed to shut out attackers. However, what kind of offense will be technologically possible and legally allowable is still unclear.

Henry stressed that he wasn’t advocating “hacking back”—something that would probably be illegal—but rather shifting from trying to build impenetrable security systems to designing ones that make it possible to identify the identities and likely motivations of the paymasters of an attack. Various legal means could then be used to frustrate or delay the attackers’ efforts, said Henry.

Advocates of this approach are mostly concerned with what are dubbed advanced persistent threats (APTs), sophisticated attacks that involve stealthily stealing valuable intellectual property and that have been successfully used against prominent companies such as Google and security firm RSA in recent years. Many such attacks are supported by foreign governments, said Henry. “It’s like playing poker with a marked deck when you sit down with a company that’s been given” a foreign government’s support, he said, adding that while at the FBI he learned of such a raid that copied 10 years of research and development work, worth approximately $1 billion, from one company.

Reasoning out what information is most valuable and designing security systems to gather clues about adversaries’ interests makes effective pushback possible, said Henry. “Maybe it’s denial and deception—we send them a few corrupt packets,” he said. “Or maybe we have false information that could cause the adversary pain, because it cost them four months and it cost them two zero days [newly discovered software vulnerabilities] to get on there and it didn’t work.”

Henry said that smarter analysis of a company’s network logs could help provide the necessary groundwork for such strategies, and he advocated legal changes to establish methods or even responsibilities for data sharing between private companies and government on attacks and threats. Today, companies that are attacked don’t typically share data that could help others avoid the same fate, he said. And companies often accuse government agencies of being similarly secretive.

Speaking before Henry, Jeff Moss, founder of the Black Hat conference and chief security officer of ICANN, who is also known as the Dark Tangent, said he too believed civilian computer security should be more active. “We need some white blood cells out there, companies who are willing to push the envelope and live on the edge and push the threat actors and see what happens.”

Moss mentioned CrowdStrike as one example. Another, he said, is Facebook, which has pioneered the use of evidence gathered in the wake of an attack to go after the perpetrator independently of law enforcement. In January, the social networking company filed a civil lawsuit against marketing company Ascend alleging that it had used malicious website code to hide Facebook Like buttons beneath salacious photos, tricking Web users into boosting the Like count of clients.

“I’m not a government, I don’t have treaties, I don’t have the force of military,” said Moss, “but I can hire lawyers, and they’re almost as good.” Moss believes that this approach could also help establish rules for retribution that cross international borders.

Some observers object to the idea of private companies taking on detective and enforcement work, saying that this should be left to agencies of government, particularly since many attacks on corporations are believed to originate with nation states. Henry argued that companies in the United States have been forced to consider this approach.

“In the cyber world [the Department of Homeland Security] have the responsibility and authority to protect .gov, and the NSA has the authority and responsibility to protect .mil, but nobody has the authority to protect .com,” said Henry. “The FBI will respond, but they’re not actively patrolling.”
