Tag Archives: hack back

Active Defense: Is it time to test in court? Correcting the Record!

by David Willson

On 16 January I did two webinars with Bright Talk.  One titled, “Active Defense: It is Legal and Will It Actually Improve your Security?,” and the other a panel entitled, “The single greatest security challenges for 2013.” 

Quick side note, due to my zeal for this topic I babbled on too long in the Active Defense webinar and ran out of time before getting to the meat of the issue.  But I am going to do another on 13 March and will manage my time better.  Anyway, Peter Judge moderated the panel for the other webinar and Active Defense was my portion. 

We had a great discussion and I would encourage you to listen if you are interested.  It can be found here: https://www.brighttalk.com/webcast/288/64057. 

On 22 January Peter wrote an article for Tech Week Europe entitled, “Its Time to Test Active Defence in Court,” found here: http://www.techweekeurope.co.uk/comment/2013-time-to-test-active-defence-in-court-105048. 

Although he got the facts correct and most of what I said in the webinar correct, the tone in which he portrays my comments I feel needs some clarifying.  This is not me trying to pull myself out of the fire, since I have not seen any feedback from his article, but simply my clarification.  So, now that I am done with my overly wordy intro, here we go.

To his first point, I agree that cyber crime victims are within their right to retaliate, but would preface this as any good attorney would with “it depends!”  It depends on the facts and circumstances.  For instance, if the attack is a one-time attack and is over, then you DO NOT have a right to retaliate. 

Similar to when someone robs your house.  If they are gone you have no right to pursue the burglar on your own.  On the other hand, if you have been attacked repeatedly and are sure it continues or will happen again you have a right to defend yourself.

Okay, next comment, “Itching to test this in court.”  Well, personally yes, but I did not say this, and other than my passion for trial work and arguing in court, no one likes to find themselves dragged into court.  But, if the situation dictates that you must do something to protect your company, you have tried all other options and are interested in moving to the next level, then you have options.

Next: “. . . instead of putting in a “huge hodgepodge of security measures” to stop any threat.”  Security is a MUST.  Anti-virus, despite what Josh Corman says, is a MUST.  Anything that can help protect your network and valuable information is a MUST.  If you are going to move into Active Defense you MUST show that you have taken the high ground, done all you can, within reason, and taken an incremental approach slowly escalating as you collect the needed intel.

Next: “Persistent attacks may be bleeding hundreds of thousands of dollars from companies, and in that situation, they should be within their rights to respond, says Willson.”  Yes, they should.  If your company is losing 50 to 100 thousand dollars a week and you have done everything else you believe possible, to include called or considered calling law enforcement, to no avail, self-defense should be an option.

In the interest of time I will make this my last point.  Peter claims that I said those whose networks have been hacked and are being used to attack others are not necessarily innocent victims.  I agree, although this sounds rather ugly. 

Let’s use a physical world example.  Let’s say a bad guy has drugged and brainwashed your neighbor to believe he is a contract killer and his mission is to kill you.  Even if you know this is fact and your neighbor is an innocent unknowing pawn, if he tries to kill you wouldn’t you defend yourself?  You would likely try to diffuse the situation with the least amount of harm to your neighbor, but in the end if it is him or you unless you have a death wish it will be him. 

Active Defense entails escalation, taking the minimal approach at first and slowly escalating with the leadership of the company, not the IT department, making informed decisions based upon risk, liability and legal issues.  The nuclear weapon of cyber is your last resort if that is what the leadership decides to do.

So, there you have it.  Obviously there are many more issues none of them black and white, and this is a very difficult problem.  If it wasn’t there wouldn’t be so much debate about it. 

One last point.  Lately I have been reading a lot of articles, especially by attorneys saying things like, “it’s illegal, don’t do it, but, we are the experts and we can help you.”  Help you do what?  If they are not willing to explore the options then there is nothing for them to do.  Also many articles lately have claimed that “attribution” is impossible.  Stop it.  If it was impossible no one would ever be arrested and prosecuted for hacking.  It is difficult, but not impossible.  So, keep an open mind, think outside the box, and have a nice day ;- ).

‘Active Defense’ will Improve Cyber Security

Lately I’ve seen many articles about “active defense” and “hack back.” This is good because current defenses aren’t working and being in a constant state of defensive mode is not a lot of fun.  Something needs to be done.  The problem is many of these articles take a doomsday approach to the topic. 

Comments like, “it’s illegal, you can’t do it;” “you will disrupt someone’s life support in a hospital;” “we will end up with vigilantes hacking back;”and many more, do not facilitate a discussion but appear to seek to end the debate.  Many of the naysayers claim the only solution is law enforcement and more of it.  How many more police would be enough and is this a realistic response? 

Consider this: one person can command a million bot attack from the comfort of his living room; nation-states are training their people to use cyberspace to attack, steal, disrupt; and working for organized crime and terrorist groups pays much better than working a legitimate job in many countries.  So, what will it take to raise the stakes and make hacking a more risky business?

Active defense will actually improve security for those who consider it.  However, regardless of how the debate proceeds and no matter what the perceived outcome, companies are not likely to suddenly flip a switch and begin hacking back.  There are still too many variables and unknowns involved, e.g. risks, liability and legal issues.  There will continue to be much caution and debate, primarily since the law on this topic is so unsettled and at this point it is difficult to tell from one jurisdiction to the next how this activity will be perceived.

A company with any sense of corporate responsibility will attack this problem with a very cautious approach.  For instance, if your company is persistently attacked the first question is why and how.  Is the company being targeted for a particular reason or is your security so crappy that every hacker and his brother are using you as their playground? 

If your security is good, which is relative because no matter whom you are, your security can always be improved, you will likely take an escalated approach to the problem and not jump right in to hacking back.  During this escalated approach you should be collecting the necessary intelligence to evaluate the problem. 

To use an analogy, let’s say you are in a combat zone and encounter a sniper.  In most circumstances you will not call in an airstrike on the sniper.  There are many factors to consider, like where is he, what type of collateral damage may occur, what is the least amount of effort and resources necessary to take him out, etc.?  So, when facing a cyber-attack the same considerations apply:

  • Where is the hacker coming from;
  • What is his motive and end-state;
  • Based on the Intel you have collected, what tools and techniques can you use;
  • What collateral damage may occur; and,
  • Since time and resources are money, what is the least time and resource intensive course of action you can take to resolve this issue?

Companies have too much to lose to take this lightly and jump forward without a very careful analysis.  It is this analysis that will inevitably lead to much better security and more focus on the problem.

Other questions for a company to ask are, is the attack persistent or a one-time hit and how much Intel can be collected regarding the attack: can a motive be determined, what is the source and means of the attack, potential location and/or identity of the attacker, how many hops in-between your network and the attacker, what type of servers and who owns those servers; then, what is your end-state (block attack, find hacker, prevent further disruption, retrieve intellectual property/trade secrets, etc.), and finally, what are the risks, liability, and legal issues involved? 

Any company that would attempt to hack back without ensuring that their security is good or better than average is just asking for trouble.  A lot of avenues of approach beyond the standard defenses currently employed exist for companies persistently attacked.  The fear mongering spewed in many articles over active defense and hack back will simply drive companies, which are persistently attacked and frustrated with the state of security, to go underground with their response, act in a haphazard manner, and hope they don’t get caught.

Congress: Cyber Security & the Private Sector. FBI Hacked

This week the House Energy & Commerce Subcommittee on Communications & Technology held hearings on how to address the cyber security threat and better implement private/public cooperation to mitigate the threat.  A question was raised about current laws and whether they hamper the private sectors’ ability to defend itself.  The Committee recognized the White House commission report on cyber security and its discussion on current law gaps (White House Cyber Security Policy Review).  At least in my opinion, the laws clearly hamper the private sectors’ ability to defend themselves.

Every time I lecture on my article, “Hacking Back In Self-Defense: . . .,” there is at least one or two people in the audience who argue that my theory is illegal. Is hacking back illegal? Yes, in some respects, and no in others.  It all depends.  I also receive pushback when I claim self-defense does exist in cyberspace. Regardless of where you stand on these issues, the discussion needs to be had and pushed down the road quickly. The naysayers do not provide solutions but only roadblocks. Attacks move at the speed of light and can severely damage and destroy companies. We need answers and solutions sooner rather than later.

Case in point, the FBI as they spoke to Scotland Yard about how to take down the Anonymous hacker group was hacked. Their 15 minute conversation was recorded by Anonymous and put out on the Internet. 

We are being challenged in cyberspace and must act now.  If you are interested in further discussion on tools and techniques for the private sector, attend a webinar on 16 Feb. titled, “Mitigative Counterstrike.”

Fox News Exclusive: WikiLeaks

Many interesting issues are raised in the scenario contemplated in a recent Fox News Exclusive titled, “WikiLeaks to move servers offshore, sources say.”  I am interested since I am quoted numerous times about international law issues; but regardless, this topic could raise some interesting discussion.

The issue is similar to the concept of Sealand, the man-made platform off the coast of England whose owners claim it belongs to no nation and they are their own sovereign territory.  At one time Havenco placed a server farm on Sealand and offered server space.  The only restriction in the terms of service was no child porn.  Anyone could rent server space and keep anything, other than child porn, on the servers regardless of the data’s legality, e.g. copyrighted material, terrorist info, data related to various criminal activity such as stolen info, money laundering, etc.  It seems the server farm went out of business at some point in the early 2000’s, but that is not confirmed.

Placing servers in international territory, let’s say on a ship in international waters, raises some interesting legal questions, especially international law, when a nation feels it needs to seize or prevent whatever activity is occurring on those servers.  In some regards this situation may be easier, legally speaking.  If the server owners claim no law controls their actions, well then, what law can they cite to that would prevent a nation from taking action, especially if the nation believes their national security is threatened?  If the server owners claim to be citizens of a particular nation then that nation’s laws apply to them and they may potentially be captured and extradited, or just snatched up out of international waters by the offended nation.  It gets trickier when you have a nation that has no laws to criminalize the activity.  This was the case with the creator of the “I Love You” virus.  The Philippines could not prosecute since they had no law criminalizing the activity.

Many very interesting issues to consider and discuss.  Anyway, here is a link to the Fox News article:   “WikiLeaks to move servers offshore, sources say”.  Enjoy and I would love to hear your comments.