Tag Archives: active defense

Update: Putting and End to the End of Active Defense

I recently read an article, “Putting an end to ‘strike back’ / ‘active defense’ debate…”, and another it linked to, “Managing The Legal Risks Of Active Defense,” wherein my friend Bob Clark was quoted.  Here is my response: 

Why in the world would we end the debate?  Security sucks and the bad guys have a huge advantage.  Our hands are tied.  Any debate that moves the discussion forward is a good thing. 

In the first article a guy calling himself Jericho chastises those who advocate Active Defense.  He equates it to strike back and hack back.  I have to say, I agree with two of his points; many companies are now trying to capitalize on this new term, yes new term, by offering what they call active defense or hack back tools.  In many cases this advertising is deceptive since the tools merely offer the same old software defenses under a new name.  I also agree that if your defenses don’t meet the basic standard, Active Defense is not an option.

I disagree with is his characterization of Active Defense.  I wish people would stop equating it to hack back.  Hack back is the last 1% of Active Defense.  See my definition here: http://www.titaninfosecuritygroup.com/_m1698/blog/Active-Defense-definition. 

It is a method for companies who find themselves persistently attacked to collect the intelligence needed to evaluate the attacks, develop courses of action or options, and then enable the leadership to make well-informed decisions to move forward in an effort to protect the company.

On a spectrum the options could be anywhere from do nothing or the other extreme of hack back to either find the attackers or disrupt or deny the server(s) being used to launch the attacks. The intelligence collected will allow company leadership to make decisions at pre-determined checkpoints based on risk, liability and legal issues.

The initial decision whether to simply proceed with incident response versus Active Defense is based on determining whether the attack is a one-time incident or persistent, and how much money is being lost since. Active Defense will require the company to bring in a team of experts to accomplish the various tasks: intel collection, malware analysis, tool/technique development, evaluating legal, risk and liability issues, and therefore the cost involved must be weighed against the damage to the company or loss due to the attacks.

Also, I disagree with the many people who write in opposition to Active Defense and make broad statements about how it is illegal without defining Active Defense or detailing what they believe to be illegal or why.  If you’re not an attorney stop saying it is illegal because the legality of Active Defense is not black and white. 

Jericho’s assertions strike me as hypocritical by jumping on the bandwagon of the Active Defense flurry, making broad assertions and offering NO solutions.  If defense is so easy then provide the solution, a solution that hasn’t been tried and one that will work and not subverted by hackers within a few months.  Second, see my friend Davi’s response, here: “Putting and End to the End of Active Defense”.  Good luck.

As for the article in which my friend Bob is quoted, I agree with Bob, for the most part.  You need a team of experts who know what they are doing, to include one or more attorneys who know what he/she is doing, but more than just an attorney you believe you can explain the technology to. 

This is not the kind of stuff you can just brush up on over the weekend.  This takes years of experience to understand the technology, apply the law and foresee the results or consequences.  Don’t believe it?  Ask your lawyer if he/she would be willing to put their law license on the line and provide advice in cyber security, hack back, the CFAA, ECPA, trace back, open-source collection, etc. 

What I disagree with is his comment that this is a no-win situation.  If you are a company owner and losing a lot of money or intellectual property, have tried everything else, and the attacks continue, you have a fiduciary responsibility to do something and self-defense may be your only option. 

Now, this does not mean jumping right to hack back.  My definition for Active Defense and what it entails is at the link above.  What it does mean is following a process, similar to incident response on steroids, and as the company leadership making critical decisions to protect the company.  In the end it may mean taking actions in self-defense and blocking or disrupting a CnC server or deleting your IP on a compromised server.  These options though are merely that, options in a process that requires a lot of Intel, thought and decision-making.

So, keep the debate going and don’t dismiss Active Defense as a no-win situation or illegal activity.

Active Defense/Hack Back and “Complete Ignorance”

I recently read a post about “Active Defense” or as some call it, hack back. I won’t reveal the author or the title so as not to disparage anyone. Certainly this topic is very sexy right now and many like to write about it, but most of articles I have seen constitute fear mongering with comments not based in fact or even sound theory, but ignorance of the topic, the laws, and the technology and appear to be an attempt to sensationalize the topic.

Yes, there is a problem. Yes, companies are suffering. Some of the companies have a legitimate complaint. They have done all they can and the government has tied their hands by saying things like, “if you hack back you are no different than the hackers.” A lot of companies, though, have no right to complain because their security really sucks, is like Swiss cheese and they are not willing to spend the money to fix it.

The blog I read recently quoted a former DoJ attorney who stated that it is illegal to go outside of your network and hack back at your attacker. In the next paragraph the writer quotes a so-called security expert who says his company has the capability to determine who attackers are and collect intelligence on them, and this is not illegal but good practice. The expert provides the usual, “do not try this at home,” warning. I will leave it to you to decide whether this warning is good advice or simply self-serving.

So here’s my problem: These quotes claim on one hand it is illegal to attack your attacker but on the other hand not to take the steps necessary to determine who your attacker is? If determining who attackers are was really that easy and clearly lawful everyone would be doing it. Most would admit the greatest challenge with cyber crime is determining who the attacker is, e.g. Attribution. One of the great claims by those who believe “Active Defense” is illegal and immoral is that attribution is extremely difficult and if you can’t determine attribution then you may be, “attacking an innocent victim.”

As a side note to the above comment, and as I have said in previous blogs, if someone has been compromised and their server is being used to attack my company, that person is NOT innocent. A victim like me, yes, but innocent, no. If I have to disrupt his server to protect my company then so be it. Chances are that server owner does not want the other hundreds or thousands of companies who are victims of his server attacks to know that he is the patsy attacking them due to his crappy security

So, I would kindly ask those who like to write about “Active Defense” to please do some research, think the process through, stop confusing the issue and stop writing fear mongering comments like, “you might start a war with China.”

Active Defense: Attribution is just not that important

Imagine owning a company and realizing you have been hacked and the hackers are disrupting operations or stealing trade secrets, intellectual property, private information, or even money.  As best as you can determine this did not just happen but has been going on for a while.  You hired a company to do an incident response, clean up, patch the holes and get you back up and running.  They may or may not have claimed to have secured your network, but state in no uncertain terms that any action beyond what they have done would be illegal.  Within months you notice the same activity.  So, you call the company again.  More money, more time, and more meetings about how much is being lost.  Do you call law enforcement?  Do you continue with the cyber security company and keep paying them?  Do you have a data breach notice responsibility to shareholders, the board, and customers/clients? 

What you need is a clear and concise plan of action to follow in these situations.

When lecturing on “Active Defense” I often hear comments like, “hack back is illegal,” “without attribution you might hurt an innocent bystander,” or my favorite, “you might start a war with China.”  So what is “Active Defense”?  Many people equate it to hack back.  My definition of “Active Defense” is “a clear and concise process or plan for addressing a compromise to the security of your network and/or the loss or theft of data.”  The process begins with an incident response and could ultimately end with hack back.  It includes a series of predetermined check points requiring leadership/CEO involvement in making various decisions.  One of the first decisions is whether, based on the information available and/or gathered, the attack is a one-time occurrence or an ongoing intrusion/breach.  If it is determined to be a one-time occurrence the decision is easy, initiate an incident response plan, clean up, patch holes, and provide notifications required by law.  If the attack appears to be ongoing some of the follow-up on decisions may include: what end-state the company is seeking (find the hacker and prosecute, block the attack, get data back, etc.); what intelligence/information should be gathered; what tools/techniques should be developed and/or used and how; as information is gathered and options presented, which should be considered and pursued; and many more, most of which are all dependent on the facts, information available, best interests of the company, the fiduciary responsibility, etc.  At each stage and as each decision is made risk, liability and legal issues are discussed, evaluated, and factored into the decision process

Okay, so why is attribution not that important? 

Certainly, being able to identify your attacker makes life much easier for you and your company.  Even if you can’t identify the attacker, being able to identify who owns the server being used to attack you makes life simpler.  You can simply call the owner of the company whose server has been compromised and is attacking your network and work together to block the hacker.  If, for some reason, the owner of the compromised server will not work with you then you can proceed as if he is the hacker.  You might contact law enforcement or if for some reason that decision has been ruled out or, law enforcement for some reason is not able to assist, then you might decide to take action to block the attacks.  At this point the leverage you can garner against the server owner is pretty great.  Chances are his server is not only being used to attack you but many other companies as well.  The server owner will likely not want all of the other companies to know his compromised server is responsible for their pain, assuming they are aware of it.  When this fact is revealed to him he may suddenly be more than ready to negotiate and assist

In many cases though, you will not be able to determine the identity and/or whereabouts of the server owner. 

In that case, if you strike back and inspect the server attacking you, have you lashed out at an innocent bystander?  Many people claim just that.  I would argue this person is a victim like you, but innocent bystander, not even close.  Consider the 2006 movie “Firewall” with Harrison Ford.  His wife and daughter were kidnapped and the kidnappers, using this leverage, forced him to hack into a bank he was hired to protect and steal millions of dollars for them.  Now, granted, I like Harrison Ford, but, if he is stealing my money he’s not an innocent bystander.  He is a victim, but, if it is me or him, choices must be made.  Equally, if it is my company losing thousands or millions of dollars, then attacking the server being used to attack me seems like a pretty good option and it is “game on!”  This is where, depending on how you accomplish blocking the attack against your network, self-defense becomes a factor and part of the decision-making process.  I will leave self-defense for the next installment in this series of blogs entries.

Active Defense/Hack Back/Attribution – The Saga Continues

I have noticed, at least amongst lawyers, there does not seem to be much middle ground when it comes to “Active Defense” or hack back and the right of self-defense.  Those who comment on it either agree self-defense exists in cyberspace, with very few in this camp, or it doesn’t, which is where the majority stand.  All I ask of most is don’t simply jump to the conclusion that self-defense does not exist and “Active Defense” or hack back is illegal, but instead look at the arguments, potential fact scenarios, and definitions.

“Active Defense,” has many definitions and should not be strictly equated to hack back.  Hack back, instead may be considered a subset of “Active Defense,” which does include cyber self-defense or cyber self-help.  Whether or not a company can utilize these theories depends entirely on the given facts of a situation.  For instance, if a company has suffered a cyber attack and cannot show the attack continues or is persistent, they will not likely be able to make a case for the use of self-defense.  My draft definition of “Active Defense” (still a work in progress) is as follows: “a meticulous and escalated approach to a persistent cyber attack wherein the company leadership makes a decision whether or not to progress at pre-determined decision-points, evaluating risk, liability and legal issues.”  Each decision-point will include all of the intelligence gathered, all potential options, tools, techniques, possible scenarios, potential risks, liability, and legal issues.  Depending on the facts and the confidence of the decision-maker there can be few decision points or many.  The number of decision-points is also a factor to consider in the scenario and the actual amount of liability, if any, may depend on how meticulous and cautious the decision-maker acted.  For example, the first decision-point may be whether the attack(s) is or are persistent.  “Active Defense” is very fact dependent.

Unfortunately most jump immediately to the conclusion that Active Defense, or hack back are illegal.  In my opinion this is a very shortsighted view.  If you are a company losing a lot of money, can show you have implemented good or better security, and have taken an escalated approach collecting intel and evaluating risk, liability and legal issues along the way, then I believe you do have a right to defend yourself.  Again, it is very fact specific.  This is where most people then pull out the “attribution” card and claim you will impact an innocent bystander.

If someone drugs and hypnotizes an innocent bystander and convinces him to shoot at you, don’t you have the right to shoot back in self-defense? This is similarly fact dependent.  For instance, if you know the person is an innocent bystander you would likely try and run away and get help, maybe call the police.  You might even attempt an escalated approach causing as little harm as possible to the innocent drugged and hypnotized bystander.  In the end if it is you or him most will likely opt to save their own lives.  Now remember, self-defense applies to person or property.  So, in the end most will opt to save their own property over the property of the innocent bystander.

So, if a server is compromised and being used to attack my company, don’t I have the right to defend against that server? In this scenario I am assuming I cannot identify who owns the server.  If I could I would simply call that person or company and ask that the server be shut down or the malware removed. Also, is the owner of the compromised used to attack me truly an innocent bystander? Is there contributory negligence on the part of that server owner for not having adequate security and allowing his system to be compromised? In a perfect world you could say no, but today many if not most compromises occur because companies have not used due diligence in keeping systems patched and implementing basic security.  Enough for now, comments?

Active Defense: Is it time to test in court? Correcting the Record!

by David Willson

On 16 January I did two webinars with Bright Talk.  One titled, “Active Defense: It is Legal and Will It Actually Improve your Security?,” and the other a panel entitled, “The single greatest security challenges for 2013.” 

Quick side note, due to my zeal for this topic I babbled on too long in the Active Defense webinar and ran out of time before getting to the meat of the issue.  But I am going to do another on 13 March and will manage my time better.  Anyway, Peter Judge moderated the panel for the other webinar and Active Defense was my portion. 

We had a great discussion and I would encourage you to listen if you are interested.  It can be found here: https://www.brighttalk.com/webcast/288/64057. 

On 22 January Peter wrote an article for Tech Week Europe entitled, “Its Time to Test Active Defence in Court,” found here: http://www.techweekeurope.co.uk/comment/2013-time-to-test-active-defence-in-court-105048. 

Although he got the facts correct and most of what I said in the webinar correct, the tone in which he portrays my comments I feel needs some clarifying.  This is not me trying to pull myself out of the fire, since I have not seen any feedback from his article, but simply my clarification.  So, now that I am done with my overly wordy intro, here we go.

To his first point, I agree that cyber crime victims are within their right to retaliate, but would preface this as any good attorney would with “it depends!”  It depends on the facts and circumstances.  For instance, if the attack is a one-time attack and is over, then you DO NOT have a right to retaliate. 

Similar to when someone robs your house.  If they are gone you have no right to pursue the burglar on your own.  On the other hand, if you have been attacked repeatedly and are sure it continues or will happen again you have a right to defend yourself.

Okay, next comment, “Itching to test this in court.”  Well, personally yes, but I did not say this, and other than my passion for trial work and arguing in court, no one likes to find themselves dragged into court.  But, if the situation dictates that you must do something to protect your company, you have tried all other options and are interested in moving to the next level, then you have options.

Next: “. . . instead of putting in a “huge hodgepodge of security measures” to stop any threat.”  Security is a MUST.  Anti-virus, despite what Josh Corman says, is a MUST.  Anything that can help protect your network and valuable information is a MUST.  If you are going to move into Active Defense you MUST show that you have taken the high ground, done all you can, within reason, and taken an incremental approach slowly escalating as you collect the needed intel.

Next: “Persistent attacks may be bleeding hundreds of thousands of dollars from companies, and in that situation, they should be within their rights to respond, says Willson.”  Yes, they should.  If your company is losing 50 to 100 thousand dollars a week and you have done everything else you believe possible, to include called or considered calling law enforcement, to no avail, self-defense should be an option.

In the interest of time I will make this my last point.  Peter claims that I said those whose networks have been hacked and are being used to attack others are not necessarily innocent victims.  I agree, although this sounds rather ugly. 

Let’s use a physical world example.  Let’s say a bad guy has drugged and brainwashed your neighbor to believe he is a contract killer and his mission is to kill you.  Even if you know this is fact and your neighbor is an innocent unknowing pawn, if he tries to kill you wouldn’t you defend yourself?  You would likely try to diffuse the situation with the least amount of harm to your neighbor, but in the end if it is him or you unless you have a death wish it will be him. 

Active Defense entails escalation, taking the minimal approach at first and slowly escalating with the leadership of the company, not the IT department, making informed decisions based upon risk, liability and legal issues.  The nuclear weapon of cyber is your last resort if that is what the leadership decides to do.

So, there you have it.  Obviously there are many more issues none of them black and white, and this is a very difficult problem.  If it wasn’t there wouldn’t be so much debate about it. 

One last point.  Lately I have been reading a lot of articles, especially by attorneys saying things like, “it’s illegal, don’t do it, but, we are the experts and we can help you.”  Help you do what?  If they are not willing to explore the options then there is nothing for them to do.  Also many articles lately have claimed that “attribution” is impossible.  Stop it.  If it was impossible no one would ever be arrested and prosecuted for hacking.  It is difficult, but not impossible.  So, keep an open mind, think outside the box, and have a nice day ;- ).

‘Active Defense’ will Improve Cyber Security

Lately I’ve seen many articles about “active defense” and “hack back.”  This is good because current defenses aren’t working and being in a constant state of defensive mode is not a lot of fun.  Something needs to be done.  The problem is many of these articles take a doomsday approach to the topic. 

Comments like, “it’s illegal, you can’t do it;” “you will disrupt someone’s life support in a hospital;” “we will end up with vigilantes hacking back;” and many more, do not facilitate a discussion but appear to seek to end the debate.  Many of the naysayers claim the only solution is law enforcement and more of it.  How many more police would be enough and is this a realistic response? 

Consider this: one person can command a million bot attack from the comfort of his living room; nation-states are training their people to use cyberspace to attack, steal, disrupt; and working for organized crime and terrorist groups pays much better than working a legitimate job in many countries.  So, what will it take to raise the stakes and make hacking a more risky business?

Active defense will actually improve security for those who consider it.  However, regardless of how the debate proceeds and no matter what the perceived outcome, companies are not likely to suddenly flip a switch and begin hacking back.  There are still too many variables and unknowns involved, e.g. risks, liability and legal issues.  There will continue to be much caution and debate, primarily since the law on this topic is so unsettled and at this point it is difficult to tell from one jurisdiction to the next how this activity will be perceived.

A company with any sense of corporate responsibility will attack this problem with a very cautious approach.  For instance, if your company is persistently attacked the first question is why and how.  Is the company being targeted for a particular reason or is your security so crappy that every hacker and his brother are using you as their playground? 

If your security is good, which is relative because no matter whom you are, your security can always be improved, you will likely take an escalated approach to the problem and not jump right in to hacking back.  During this escalated approach you should be collecting the necessary intelligence to evaluate the problem. 

To use an analogy, let’s say you are in a combat zone and encounter a sniper.  In most circumstances you will not call in an airstrike on the sniper.  There are many factors to consider, like where is he, what type of collateral damage may occur, what is the least amount of effort and resources necessary to take him out, etc.?  So, when facing a cyber-attack the same considerations apply:

  • Where is the hacker coming from;
  • What is his motive and end-state;
  • Based on the Intel you have collected, what tools and techniques can you use;
  • What collateral damage may occur; and,
  • Since time and resources are money, what is the least time and resource intensive course of action you can take to resolve this issue?

Companies have too much to lose to take this lightly and jump forward without a very careful analysis.  It is this analysis that will inevitably lead to much better security and more focus on the problem.

Other questions for a company to ask are, is the attack persistent or a one-time hit and how much Intel can be collected regarding the attack: can a motive be determined, what is the source and means of the attack, potential location and/or identity of the attacker, how many hops in-between your network and the attacker, what type of servers and who owns those servers; then, what is your end-state (block attack, find hacker, prevent further disruption, retrieve intellectual property/trade secrets, etc.), and finally, what are the risks, liability, and legal issues involved? 

Any company that would attempt to hack back without ensuring that their security is good or better than average is just asking for trouble.  A lot of avenues of approach beyond the standard defenses currently employed exist for companies persistently attacked.  The fear mongering spewed in many articles over active defense and hack back will simply drive companies, which are persistently attacked and frustrated with the state of security, to go underground with their response, act in a haphazard manner, and hope they don’t get caught.

Active Defense: Moving the Discussion Forward

Cyber-attacks against companies, organizations and governments have hit an unprecedented high. The ease with which hackers can launch multiple attacks has also increased.  Hacking has become big business with nation-states, terrorist groups, organized crime and others capitalizing on the theft of information (trade secrets, technology, intellectual property, others) and disrupting businesses they are in competition with. Are the current defenses working?  Unless you live in a shoe box you realize, especially based on daily news reports, that the cyber war appears to be one the good guys are losing.

A change is needed because the problem has gotten out of hand. Current laws hinder organizations from defending themselves while at the same time facilitating the efforts of hackers. So, rather than jumping to the conclusion that any action to defend your organization beyond the currently accepted techniques is illegal, a discussion needs to be started and moved forward about better and more effective options.  It appears it has.

In a recent Washington Post article[1] the issue of defending outside of one’s network and possibly entering the server of another, active defense, was raised.  Again the knee jerk reaction is that it’s illegal, but the conversation continued. 

“[It is] important to enable companies whose computer networks are targeted by criminals and foreign intelligence services to detect who’s penetrating their systems and to take more aggressive action to defend themselves,  said Steven Chabinsky, a 17-year FBI veteran who stepped down this month as the FBI’s top cyber lawyer.    The article continued with Stewart A. Baker, a former senior Homeland Security Department official stating, “The issue . . . is that entering another party’s server and deleting or encrypting data could, under some circumstances, violate a number of state and federal laws — including those against computer fraud or trespassing.”  “But, he said, there is a legal argument to be made that such an action is a reasonable defense of one’s property.  Though common in other contexts, that defense has yet to be tested in the cyber area in court.”

Top officials and leaders in this area predict growth as companies decide enough is enough.  “Former CIA director Michael V. Hayden has said that given the limits of the government in protecting companies in cyberspace, he expects to see the emergence of a “digital Blackwater,” or firms that hire themselves out to strike back at online intruders.”

I agree, this is exactly where we are headed and the discussion must go further.  Based on current laws, technology and state of affairs there is much more companies and organizations can do to defend themselves.  I am not advocating vigilantism, but a military-like operation that helps leaders of organizations walk through possible tools and techniques while evaluating risk, liability and legal issues every step of the way in an effort defend their most precious assets.

That is why Davi and I will be presenting at several upcoming conferences, including ISSA and RSA, a practical and legal approach to Active Defense. I look forward to seeing you there.


[1] Nakashima, Ellen, “Cybersecurity should be more active, official says,” The Washington Post – National Security (September 16, 2012)