How to hone an effective vulnerability management program
A comprehensive collection of articles, videos and more, hand-picked by our editors
SAN FRANCISCO -- It's hard to agree whether "hacking back" is an acceptable enterprise defense practice when no one can agree what the term means.
That was perhaps the only concrete takeaway from a discussion at RSA Conference 2013 last week, during which a panel of experts -- led by Joshua Corman, Akamai Technologies Inc.'s director of security intelligence -- sought to take on the nebulous concept of offensive security, loosely defined as any effort to "turn the tables" on an attacker (or would-be attacker) by penetrating their networks or disabling their systems.
The topic, once largely theoretical, has taken on more practical undertones as of late, especially in the wake of the bombshell APT1 report by Mandiant Corp.
In the report, released just prior to the RSA Conference, Mandiant offered compelling evidence showing how a military group supported by the Chinese government has allegedly been hacking into enterprises for years and stealing intellectual property, with little, if any, repercussions.
Andrew WoodsStanford University Law School
Corman said he's noticed an increase recently in industry discussion about the acceptability of offensive security. George Kurtz, CEO of Irvine, Calif.-based active defense vendor CrowdStrike Inc., said enterprises are increasingly frustrated about their inability to stop advanced attacks, particularly those conducted by nation states.
"Most of our customers who have had a persistent and active threat over the past couple of years are tired of [being exploited and] going through forensic examinations, capturing the memory, flattening the boxes and starting over, and that frustration has manifested in this discussion of offensive security," Kurtz said. "People are saying, 'The government isn't protecting us; what can we do?'"
Yet at what point does an enterprise's effort to secure its IT infrastructure shift from defensive to offensive? Adam O'Donnell, chief architect for the cloud technology group at Columbia, Md.-based security vendor Sourcefire Inc., said an organization's efforts are no longer defensive when they involve crossing the boundaries of another organization's network to affect change.
O'Donnell expressed concern that more organizations may be considering "hacking back" against attackers. He said not only is it a bad idea for private organizations to assume authority reserved expressly for the federal government, but it's also inherently dangerous to go after malicious actors who may be associated with or aided by foreign governments.
"You're responding to an adversary with bytes when they're used to responding with bullets," O'Donnell said. "They're not operating in a world where they're simply going to compromise your host and deface your website. They're going to come back shooting. It's something to consider if you're going to punch the bully in the nose."
Christopher Hoff, senior director and chief security architect with Sunnyvale, Calif.-based Juniper Networks Inc., argued a different perspective. He offered up a hypothetical scenario involving an attacker attempting to access a victim's website, making "an authorized and expressed connection" with the intent of doing harm. Hoff asserted that, if an organization can detect that attack attempt, it should be reasonable to respond with similarly hostile packets.
"If somebody directly connects to me, and I issue a response back, whether I deliver what they were expecting or not, that's not penetrating; that's replying to a request in an authorized manner," Hoff said.
While some panelists seemed to subtly bristle at Hoff's assertion, like many in the industry, they were reluctant to counter with their own definitions of hacking back. At one point, Corman challenged the panelists to define the term for the audience, and like a hot potato they tossed the issue back and forth, with Hoff eventually proposing that it should be the process of doing harm to an attacker, above and beyond the "request response" in his example. O'Donnell said hacking back is to go after a machine that's outside one's control, and alternatively active defense is going after a machine that one doesn't own.
Part of the reason the functional parameters are so difficult to define is because the legal parameters are equally unclear, if not more so. Panelist Andrew Woods, an attorney and fellow at Stanford University Law School, said the primary U.S. law governing such activity would be the 1984 Computer Fraud and Abuse Act (CFAA).
The law, Woods said, provides criminal penalties for anyone who intentionally exceeds authorized network access. However, he added, access has been broadly defined by the courts over the years -- originally it meant physical access to a computer, but has been taken to mean that access begins and ends at the bounds of any particular network.
From the editor: More from RSA Conference 2013
See more exclusive news, analysis and video from the year's biggest information security conference on SearchSecurity.com's RSA Conference 2013 special coverage page.
In terms of what's allowable under the CFAA, Woods offered up examples like blocking cyber-intruders, obfuscating them with false data and misdirecting them toward false targets. Using tools to affect an attacker's network, however, would likely be a violation of CFAA, and the law offers little to no guidance when adversaries are outside the jurisdiction of the U.S.
"Offensive security is a big term," said Woods, "and it's compounded by the fact that the laws governing it are also vague."
Kurtz said as significant as the criminal statutes may be, enterprise executives are often more concerned with the civil and financial implications. He said a CIO councils' first question may be whether offensive security is legal, but their second question will be whether the company could be sued.
Rather than seeking to strike back at attackers directly, Kurtz offered a more measured response to attackers, a two-pronged approach that he called "block and get rid" and "watch and contain." Determined cyberattackers, he said, are like termites; in some cases it's necessary to "tent the whole house" and in others, like in the case of a targeted attack, it can be better for an organization to position itself to observe the behavior of attackers and learn what they want and why by planting false information.
"With high-end nation-state IP theft, information is gathered en masse, and someone on the other end of the keyboard has to go through it," Kurtz said. "If they don't know what's real, that drives up the cost. So you're active, but you're not breaking into something."