By Salvatore Stolfo on May 31, 2018 2:00:37 PM
As Gandhi once said, "An eye for an eye will only make the whole world blind." The same could be said about using hack-back technology for vengeful purposes, such as security defenders who respond to attackers with the intent to harm their systems. Many large technology firms are going on the record with their opposition to the concept of hacking back. They’re posing many questions. What might happen if we make it legal for corporations to take cyber justice into their own hands? Many hack-back critics in the technology field fear it will make the Internet less safe and unintended harm will be directed at innocent bystanders. But others say that active defense is the right tactic. Why should we live at the mercy of attackers who have more control over our data than we do?
For those who say that legal, active defense has the potential to turn into the “Wild West,” here’s news for you: from the cyber attacker’s perspective, the Wild West is already here, and has been for some time. The 2018 Verizon Data Breach Investigations Report found that 73% of the breaches it analyzed were perpetrated by outsiders, that half were carried out by organized criminal groups, and that 12% involved nation-state or state-affiliated actors. 76% of breaches were financially motivated, and 48% involved hacking, the most common action category, followed by malware. The number of confirmed breaches rose again over the previous year’s report. In short: the bad guys are winning. Traditional endpoint and network defense is not enough.
Perhaps the experts who oppose active defense are asking the wrong questions. The right question is: What if it were possible to hack back in an ethical and safe way?
Un-breaking the law: decriminalizing active defense
In the aftermath of high-profile data breaches and devastating ransomware attacks that have crippled government agencies and private companies alike, legislation has been proposed at both the state and federal level that would make it legal to respond to an attack with active defense. The ACDC Act (Active Cyber Defense Certainty Act), a bipartisan bill introduced in the U.S. House of Representatives last October, seems to be picking up steam again after stalling last year. And in Georgia, after a ransomware attack brought the city of Atlanta to its knees, state legislators passed a similar bill, but the governor vetoed it when it came across his desk. His stated reason was that the language of the bill was too vague and required more discussion, and the issue has been returned to the legislature.
While the language of each of these bills is still too ambiguous, the intent behind them is clear. The focus should be on ways to change the asymmetric power in the ongoing cyberwar and at least provide equal footing to the defenders. Attackers have always had the high ground. It's time to change that.
It is understandable that the concept of active defense has been met with loud opposition by some academics, security professionals, and policy analysts. Many who oppose active defense as a policy believe the issue of accurate attribution of the attacker is just not solvable and could lead to mistaken identities or hacking the wrong person. That is certainly a legitimate concern, but it also depends on the definition of active defense. When there are many sides to an argument, it's important to make sure we're all talking about the same thing.
Defining active defense
The truth is, some defenders already practice active defense quietly, and in its hack-back form it clearly runs afoul of the Computer Fraud and Abuse Act (CFAA). It is illegal for a defender to probe a remote source IP implicated in an attack, exploit any vulnerabilities found there and implant code on the abusive machine, even if the defender’s only aim is to recover or destroy stolen data. The cost to the defender is very high, especially if the target of the revenge turns out to be an innocent bystander or a compromised stepping stone. Under the CFAA, the penalties can be quite stiff.
Under the definition of hacking back in the ACDC bill, it’s easy to get tripped up around the issue of being certain of the true source of an attack. True attribution remains elusive, and misdirected revenge could do far more harm, even if it is legal. With this in mind, the security community needs to look at a safer way to leverage active defense, with the sole intent to recover or destroy stolen data.
Attackers have had almost zero consequences or costs for stealing data from innocent victims. But instead of fighting fire with fire, what if defenders could hack adversaries’ wallets rather than their systems? The goal of ethical, active defense should be to confound and confuse attackers, especially those who have the primary goal of data exfiltration for monetary gain. How might we reach past the stepping stones and serve up the just rewards to the true attacker?
Disinformation as a defense
One active defense option is to feed attackers an unbounded supply of bogus data to exfiltrate. This not only makes a hacker think twice about whether they were snookered; he or she now bears the expense of figuring out whether the stolen treasure has any value at all. The same applies to nation-state actors; they, too, should no longer operate freely, even if their goal is non-monetary. This is where the concept of Allure Decoy Documents comes into focus as a more measured approach to active defense.
Honeynet technologies are being marketed as a natural extension of current best practices for securing large enterprise networks. But are they the best strategy for fast time-to-detection of adversarial behavior? Not really. They are hard to deploy and manage, and they depend on the adversary finding his or her way to the honeynet while pursuing the operational networks they first entered. Further, hiding honeynet tells is hard: the absence of real data and real data flows to the honeynet will be obvious to the adversary. No matter how clever we think we are in hiding our goods - diamonds in the safe and cubic zirconia in the jewelry box - attackers are better at thinking like us than we are at thinking like them.
A more practical approach is the use of Allure Decoy Documents, which start from the assumption that attackers will inevitably penetrate an enterprise’s systems and make an effort to steal what’s valuable. What makes a cyber invasion different from a home invasion is that we generally know when something has been stolen from our home - perhaps the door was ajar or something was out of place. But chances are you will not know when your system has been attacked, or whether sensitive data was copied or stolen, because copying leaves the original in place. This is why thinking like an attacker can help secure sensitive data.
By populating file systems in operational networks with Allure Decoy Documents and adding Allure Beacons to sensitive data, businesses can not only track whether anyone is poking around digital assets but also increase the likelihood that an attacker will give up or abscond with useless data. Deploying data deception-in-depth within actual, operational networks is a sound defensive strategy: that is the primary place attackers root around for their quarry, before they may find the breadcrumbs leading to deployed honeynets.
If an attacker has breached a system, he or she is probably smart enough to bypass “Fakey McFakerson” files on earnings reports or proprietary product data. If it doesn’t fool you, it’s probably not going to fool an attacker. At Allure, our world-class research team has extensively studied and tested what makes deceptive documents both convincing and effective as a security mechanism.
Here are the properties that make a deceptive document effective within the realm of data and documents:
- Believability. Perhaps one of the most important qualities of a deceptive document is whether or not it seems real. A good deceptive document will seem authentic, making it harder for an adversary to discern its authenticity.
- Enticement. A deceptive document should appear enticing to an adversary, which means it should have bogus, but realistic, information the adversary might want.
- Conspicuous. A deceptive document should be easy to find or observe. Conspicuous documents are found because they sit where an attacker will look, whereas enticing documents are chosen because their apparent contents interest the attacker; a good decoy is both.
- Detectable. To know when someone has gotten in, the opening of a deceptive document must be detectable and must raise an alert.
- Variability. Deceptive documents should be highly variable to make it harder for an adversary to separate the real from the fake.
- Non-interference. To operationalize the use of deceptive documents in a system, it should not interfere with normal use or get in the way of legitimate users.
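As an added illustration, not code from Allure or from this post, the following Python sketch shows how the Detectable and Variability properties, and the beacon-based tracking described above, can be put into practice: each generated decoy carries fabricated but internally consistent earnings figures and a unique beacon token embedded as a remote image reference, a registry maps tokens back to where each decoy was planted, and a small log parser turns beacon fetches into alerts. The collector host, the file paths, the HTML document format and the log lines are all assumptions made for this example.

```python
import random
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Hypothetical beacon collector; in a real deployment this is a host you control
# and whose web logs feed detect_hits() below.
BEACON_HOST = "beacon.example.invalid"

@dataclass(frozen=True)
class Decoy:
    token: str    # unique per document; ties a beacon fetch back to this file
    host: str     # machine the decoy was planted on
    path: str     # planted file path
    content: str  # document body (plain HTML here, for simplicity)

UNITS = ["Enterprise", "Cloud", "Services", "Hardware"]

def bogus_earnings_rows(rng: random.Random) -> str:
    """Fabricated per-unit revenue/cost figures whose totals actually add up,
    so a reader who checks the arithmetic finds nothing out of place."""
    rows, rev_total, cost_total = [], 0, 0
    for unit in UNITS:
        rev = rng.randrange(8_000, 60_000) * 1_000
        cost = int(rev * rng.uniform(0.55, 0.85))
        rev_total += rev
        cost_total += cost
        rows.append(f"<tr><td>{unit}</td><td>{rev:,}</td><td>{cost:,}</td>"
                    f"<td>{rev - cost:,}</td></tr>")
    rows.append(f"<tr><td><b>Total</b></td><td>{rev_total:,}</td>"
                f"<td>{cost_total:,}</td><td>{rev_total - cost_total:,}</td></tr>")
    return "\n".join(rows)

def make_decoy(host: str, path: str, rng: random.Random) -> Decoy:
    """Build one decoy: believable title, enticing (bogus) figures, unique beacon."""
    token = secrets.token_hex(8)  # 16 hex chars; unguessable, one per document
    quarter, year = rng.choice(["Q1", "Q2", "Q3", "Q4"]), rng.choice([2017, 2018])
    # The beacon is a 1x1 remote image. A viewer that loads remote content
    # fetches it when the document is opened; that fetch is the alert.
    beacon = f'<img src="https://{BEACON_HOST}/b/{token}.gif" width="1" height="1" alt="">'
    content = (
        f"<html><body><h1>DRAFT {quarter} {year} earnings - CONFIDENTIAL</h1>\n"
        "<p>Not for distribution before the board call.</p>\n"
        "<table><tr><th>Unit</th><th>Revenue</th><th>Cost</th><th>Margin</th></tr>\n"
        f"{bogus_earnings_rows(rng)}\n</table>\n{beacon}\n</body></html>\n"
    )
    return Decoy(token, host, path, content)

def plant_decoys(hosts: Iterable[str], per_host: int, seed: int = 0) -> Dict[str, Decoy]:
    """Generate decoys for each host and return the registry {token: Decoy}.
    Writing the content to disk on each host is the deployment step, omitted here."""
    rng = random.Random(seed)  # seed controls the figures; tokens stay random
    registry: Dict[str, Decoy] = {}
    for host in hosts:
        for i in range(per_host):
            d = make_decoy(host, f"/srv/finance/drafts/earnings_v{i + 1}.html", rng)
            registry[d.token] = d
    return registry

# Common-log-format line as a web front end records a beacon fetch (assumed format).
BEACON_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /b/(?P<token>[0-9a-f]{16})\.gif HTTP/1\.[01]" (?P<status>\d{3})'
)

def detect_hits(registry: Dict[str, Decoy],
                log_lines: Iterable[str]) -> Tuple[List[dict], List[str]]:
    """Turn beacon fetches into alerts tied to the planted decoy. Tokens that are
    not in the registry are returned separately: they are scans of the collector
    or guesses, not decoy opens, and should not page anyone."""
    alerts, unknown = [], []
    for line in log_lines:
        m = BEACON_LINE.match(line)
        if not m:
            continue
        d = registry.get(m["token"])
        if d is None:
            unknown.append(m["token"])
            continue
        alerts.append({"src": m["src"], "time": m["ts"], "host": d.host,
                       "path": d.path, "token": d.token})
    return alerts, unknown

def demo() -> Tuple[List[dict], List[str]]:
    """Plant three decoys and replay two constructed log lines against them."""
    registry = plant_decoys(["fileserver-01"], per_host=3, seed=7)
    opened = next(iter(registry))  # pretend an attacker opened the first decoy
    sample_log = [  # constructed sample lines, not real traffic
        f'203.0.113.7 - - [01/Jun/2018:03:14:15 +0000] "GET /b/{opened}.gif HTTP/1.1" 200 43',
        '198.51.100.2 - - [01/Jun/2018:03:15:00 +0000] "GET /b/ffffffffffffffff.gif HTTP/1.1" 404 0',
    ]
    return detect_hits(registry, sample_log)

if __name__ == "__main__":
    hits, strays = demo()
    for a in hits:
        print(f"ALERT decoy {a['path']} on {a['host']} opened from {a['src']} at {a['time']}")
    print("unregistered tokens:", strays)
```

Two practical caveats apply to any beacon scheme like this. An unregistered token must never page anyone, because the collector URL itself will be scanned and guessed. And viewers configured to block remote content never fetch the beacon, so beacon alerts should be backed by file-access auditing on the planted paths rather than treated as the only signal. For real office formats the same remote reference goes into the document's native mechanism (for example an external image relationship in a DOCX) rather than an HTML tag.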
As we have seen in multiple cases when a company discloses a breach, attackers can be embedded in enterprise networks for months before being detected, usually after successfully exfiltrating very large amounts of sensitive data. It’s been well established that perimeter security just doesn’t cut it anymore and that any well-designed system should have many layers of security, or a defense-in-depth approach. Using Allure Decoy Documents as part of the overall deception-in-depth strategy, businesses can change the balance of power between the attacker and defender.
Imagine if the Sony hackers had dumped bogus email logs online - the only people who would have been embarrassed would have been the hackers themselves. That is the power of responsible hacking back using deception security.