Fighting Hackers without Sinking to Their Level
With cyber attacks that steal valuable intellectual property on the rise, companies need to consider their options for striking back at attackers, attendees of the annual Black Hat computer security conference in Las Vegas heard yesterday.
“We’ve been focused on defense for a long time, but there’s something else that you’ve got to do. I believe that the industry has to mitigate the threat and take on the attacker,” said Shawn Henry, who gave the opening keynote at the conference, which is being attended by 6,500 experts in cyber attack and defense techniques—both legal and otherwise.
Until this March, Henry headed the FBI’s criminal and cyber programs worldwide. He is now president of CrowdStrike, a company that is working on technology that might help targeted companies launch countermeasures, and he is not alone in calling for companies to consider striking back at those who attack them.
Many believe that striking back could be more successful in deterring attacks than just strengthening the systems designed to shut out attackers. However, what kind of offense will be technologically possible and legally allowable is still unclear.
Henry stressed that he wasn’t advocating “hacking back”—something that would probably be illegal—but rather shifting from trying to build impenetrable security systems to designing ones that make it possible to establish the identities and likely motivations of the paymasters of an attack. Various legal means could then be used to frustrate or delay the attackers’ efforts, said Henry.
Advocates of this approach are mostly concerned with what are dubbed advanced persistent threats (APTs), sophisticated attacks that involve stealthily stealing valuable intellectual property and that have been successfully used against prominent companies such as Google and security firm RSA in recent years. Many such attacks are supported by foreign governments, said Henry. “It’s like playing poker with a marked deck when you sit down with a company that’s been given” a foreign government’s support, he said, adding that while at the FBI he learned of such a raid that copied 10 years of research and development work, worth approximately $1 billion, from one company.
Reasoning out what information is most valuable and designing security systems to gather clues about adversaries’ interests makes effective pushback possible, said Henry. “Maybe it’s denial and deception—we send them a few corrupt packets,” he said. “Or maybe we have false information that could cause the adversary pain, because it cost them four months and it cost them two zero days [newly discovered software vulnerabilities] to get on there and it didn’t work.”
Henry said that smarter analysis of a company’s network logs could help provide the necessary groundwork for such strategies, and he advocated legal changes to establish methods or even responsibilities for data sharing between private companies and government on attacks and threats. Today, companies that are attacked don’t typically share data that could help others avoid the same fate, he said. And companies often accuse government agencies of being similarly secretive.
Speaking before Henry, Jeff Moss, founder of the Black Hat conference and chief security officer of ICANN, who is also known as the Dark Tangent, said he too believed civilian computer security should be more active. “We need some white blood cells out there, companies who are willing to push the envelope and live on the edge and push the threat actors and see what happens.”
Moss mentioned CrowdStrike as one example. Another, he said, is Facebook, which has pioneered the use of evidence gathered in the wake of an attack to go after the perpetrator independently of law enforcement. In January, the social networking company filed a civil lawsuit against marketing company Ascend alleging that it had used malicious website code to hide Facebook Like buttons beneath salacious photos, tricking Web users into boosting the Like count of clients.
“I’m not a government, I don’t have treaties, I don’t have the force of military,” said Moss, “but I can hire lawyers, and they’re almost as good.” Moss believes that this approach could also help establish rules for retribution that cross international borders.
Some observers object to the idea of private companies taking on detective and enforcement work, saying that this should be left to agencies of government, particularly since many attacks on corporations are believed to originate with nation states. Henry argued that companies in the United States have been forced to consider this approach.
“In the cyber world [the Department of Homeland Security] have the responsibility and authority to protect .gov, and the NSA has the authority and responsibility to protect .mil, but nobody has the authority to protect .com,” Henry said. “The FBI will respond, but they’re not actively patrolling.”