I recently read an article, "Putting an end to 'strike back' / 'active defense' debate," and another it linked to, "Managing The Legal Risks Of Active Defense," in which my friend Bob Clark was quoted. Here is my response:
Why in the world would we end the debate? Security sucks and the bad guys have a huge advantage. Our hands are tied. Any debate that moves the discussion forward is a good thing.
In the first article a guy calling himself Jericho chastises those who advocate Active Defense. He equates it to strike back and hack back. I have to say, I agree with two of his points: many companies are now trying to capitalize on this new term, yes, a new term, by offering what they call active defense or hack-back tools. In many cases this advertising is deceptive, since the tools merely offer the same old software defenses under a new name. I also agree that if your defenses don't meet the basic standard, Active Defense is not an option.
What I disagree with is his characterization of Active Defense. I wish people would stop equating it to hack back. Hack back is the last 1% of Active Defense. See my definition here: http://www.titaninfosecuritygroup.com/_m1698/blog/Active-Defense-definition.
It is a method for companies who find themselves persistently attacked to collect the intelligence needed to evaluate the attacks, develop courses of action or options, and then enable the leadership to make well-informed decisions to move forward in an effort to protect the company.
On a spectrum, the options range from doing nothing to, at the other extreme, hacking back, either to identify the attackers or to disrupt or deny the server(s) being used to launch the attacks. The intelligence collected allows company leadership to make decisions at pre-determined checkpoints based on risk, liability and legal issues.
The initial decision whether to simply proceed with incident response or to pursue Active Defense is based on determining whether the attack is a one-time incident or persistent, and how much money is being lost. Active Defense requires the company to bring in a team of experts to accomplish the various tasks: intel collection, malware analysis, tool/technique development, and evaluation of legal, risk and liability issues. The cost involved must therefore be weighed against the damage to the company or the loss due to the attacks.
Also, I disagree with the many people who write in opposition to Active Defense and make broad statements about how it is illegal without defining Active Defense or detailing what they believe to be illegal or why. If you're not an attorney, stop saying it is illegal, because the legality of Active Defense is not black and white.
Jericho's assertions strike me as hypocritical: he jumps on the bandwagon of the Active Defense flurry, makes broad assertions and offers NO solutions. If defense is so easy, then provide the solution, a solution that hasn't been tried, one that will work and will not be subverted by hackers within a few months. Second, see my friend Davi's response, here: "Putting an End to the End of Active Defense". Good luck.
As for the article in which my friend Bob is quoted, I agree with Bob, for the most part. You need a team of experts who know what they are doing, including one or more attorneys who know what they are doing, not just an attorney you believe you can explain the technology to.
This is not the kind of stuff you can just brush up on over the weekend. It takes years of experience to understand the technology, apply the law and foresee the results or consequences. Don't believe it? Ask your lawyer whether they would be willing to put their law license on the line and provide advice on cyber security, hack back, the CFAA, the ECPA, trace back, open-source collection, etc.
What I disagree with is his comment that this is a no-win situation. If you are a company owner and losing a lot of money or intellectual property, have tried everything else, and the attacks continue, you have a fiduciary responsibility to do something and self-defense may be your only option.
Now, this does not mean jumping right to hack back. My definition of Active Defense and what it entails is at the link above. What it does mean is following a process, similar to incident response on steroids, with company leadership making the critical decisions to protect the company. In the end it may mean taking actions in self-defense, such as blocking or disrupting a CnC server or deleting your intellectual property from a compromised server. These options, though, are merely that: options in a process that requires a lot of intel, thought and decision-making.
So, keep the debate going and don’t dismiss Active Defense as a no-win situation or illegal activity.