Imagine owning a company and realizing you have been hacked: the hackers are disrupting operations or stealing trade secrets, intellectual property, private information, or even money. As best you can determine, this did not just happen but has been going on for a while. You hire a company to do an incident response, clean up, patch the holes, and get you back up and running. They may or may not claim to have secured your network, but they state in no uncertain terms that any action beyond what they have done would be illegal. Within months you notice the same activity. So you call the company again. More money, more time, and more meetings about how much is being lost. Do you call law enforcement? Do you continue with the cyber security company and keep paying them? Do you have a data breach notification responsibility to shareholders, the board, and customers/clients?
What you need is a clear and concise plan of action to follow in these situations.
When lecturing on “Active Defense” I often hear comments like, “hack back is illegal,” “without attribution you might hurt an innocent bystander,” or my favorite, “you might start a war with China.” So what is “Active Defense”? Many people equate it with hack back. My definition of “Active Defense” is “a clear and concise process or plan for addressing a compromise of the security of your network and/or the loss or theft of data.” The process begins with an incident response and could ultimately end with hack back. It includes a series of predetermined checkpoints requiring leadership/CEO involvement in making various decisions. One of the first decisions is whether, based on the information available and/or gathered, the attack is a one-time occurrence or an ongoing intrusion/breach. If it is determined to be a one-time occurrence the decision is easy: initiate the incident response plan, clean up, patch holes, and provide the notifications required by law. If the attack appears to be ongoing, the follow-up decisions may include: what end state the company is seeking (find the hacker and prosecute, block the attack, get data back, etc.); what intelligence/information should be gathered; what tools/techniques should be developed and/or used, and how; as information is gathered and options presented, which should be considered and pursued; and many more, most of which depend on the facts, the information available, the best interests of the company, fiduciary responsibility, etc. At each stage, and as each decision is made, risk, liability, and legal issues are discussed, evaluated, and factored into the decision process.
Okay, so why is attribution not that important?
Certainly, being able to identify your attacker makes life much easier for you and your company. Even if you can’t identify the attacker, being able to identify who owns the server being used to attack you makes life simpler. You can simply call the owner of the company whose server has been compromised and is attacking your network and work together to block the hacker. If, for some reason, the owner of the compromised server will not work with you, then you can proceed as if he is the hacker. You might contact law enforcement, or, if that option has been ruled out or law enforcement is unable to assist, you might decide to take action to block the attacks. At this point the leverage you can garner against the server owner is considerable. Chances are his server is not only being used to attack you but many other companies as well. The server owner will likely not want all of the other companies to know his compromised server is responsible for their pain, assuming they are aware of it. When this fact is revealed to him he may suddenly be more than ready to negotiate and assist.
In many cases though, you will not be able to determine the identity and/or whereabouts of the server owner.
In that case, if you strike back and inspect the server attacking you, have you lashed out at an innocent bystander? Many people claim just that. I would argue this person is a victim like you, but an innocent bystander? Not even close. Consider the 2006 movie “Firewall” with Harrison Ford. His wife and daughter were kidnapped, and the kidnappers, using this leverage, forced him to hack into the bank he was hired to protect and steal millions of dollars for them. Now, granted, I like Harrison Ford, but if he is stealing my money he is not an innocent bystander. He is a victim, but if it is me or him, choices must be made. Equally, if it is my company losing thousands or millions of dollars, then attacking the server being used to attack me seems like a pretty good option, and it is “game on!” This is where, depending on how you accomplish blocking the attack against your network, self-defense becomes a factor and part of the decision-making process. I will leave self-defense for the next installment in this series of blog entries.