Threat Intelligence

3/5/2018
10:00 AM
Levi Gundert
Commentary

Hacking Back & the Digital Wild West

Far from helping organizations defend themselves, hacking back will escalate an already chaotic situation.

The Internet is a modern day Wild West.

It is a largely lawless territory with still-uncharted potential.

We all find ourselves confronting, usually after the fact, modern and often elusive thugs who, like the famous outlaws of the 19th-century American West (Jesse James, Billy the Kid, Butch Cassidy, and others), wage digital stagecoach robberies and worse.


The past two years specifically have been a cornucopia of accelerating malice and resulting chaos: attempted Olympic disruption, American election interference, global ransomware worms, central bank heists, credit bureau pillaging, global business losses, cryptocurrency exchange thefts; and these are only the highlights of what has been publicly reported. 

Individuals, businesses, and governments face extraordinary challenges protecting themselves in the digital Wild West, and history has shown that law enforcement is under-resourced to tackle all but the most pressing criminal cases. What's the answer?

U.S. Congressional Representatives Tom Graves and Kyrsten Sinema are proposing legislation — the Active Cyber Defense Certainty Act — with good intentions, aimed at reforming the Computer Fraud and Abuse Act (CFAA, 18 U.S. Code § 1030). The CFAA is outdated (signed in 1986) and doesn't provide an adequate disincentive to cybercrime.

However, hacking back is not the answer. The Internet crosses national boundaries in milliseconds, and attackers routinely encrypt and disguise their traffic between compromised servers and victim machines in multiple geographies. Adversaries reuse existing code and tools to plant false flags and confuse attribution efforts.

For example, the origins of the recent Olympic Destroyer malware are still the subject of debate within the security community. Should the Olympics organization have engaged in a "hack back" campaign? The malware used hard-coded credentials from a major IT and telecommunications company. Does that present a green light to "hack back" against the IT company?

Similarly, India's City Union Bank was recently the victim of an unauthorized SWIFT transfer, resulting in a $2 million loss, two years after the Bangladesh Central Bank heist. The two attacks bear the same hallmarks. If the victim bank were American, should it employ offensive investigative techniques against the DPRK (Lazarus Group)? The answer should be a resounding "no." If the US is going to allow businesses to hack back, it won't take international businesses long to follow suit.

If Congress opens the hacking-back Pandora's Box, defenders' jobs become even harder. It will become impossible to tell genuinely malicious activity apart from retaliation. Far from helping organizations defend themselves, hacking back will escalate an already chaotic situation. Companies should not be initiating even basic fact-finding missions if unauthorized access is required.

There is too much nuance and potential for error when committing unauthorized access of Internet-connected information systems. Allowing — and even going so far as to encourage — "hacking back" will result in vast unintended outcomes, the consequences of which cannot be fully anticipated.

Congress should reform CFAA, but including a "hacking-back" provision is misguided and will only prolong the digital Wild West era.


Levi Gundert is the vice president of intelligence at Recorded Future, where he leads the continuous effort to measurably decrease operational risk for customers. Levi has helped position Recorded Future as the international leader in universal threat intelligence. Levi has ...

Comments
este1976, User Rank: Apprentice, 3/10/2018 | 10:45:21 PM
Re: prevention better than prosecution
Good analysis and well said, sir. Your in-depth post has cleared up many of my doubts. Of course, prevention is better than prosecution.
macker490, User Rank: Ninja, 3/10/2018 | 8:48:51 AM
prevention better than prosecution
Prevention is better than Prosecution

The Internet has been described as a "Fool's Paradise" from time to time. I always liked that characterization.

The troubles on the net today largely originate in a general failure to authenticate.

Consider for example the troubles with fraudulent 1040 tax forms. Or the new mortgage loan scams. Or the grand-daddy of them all: e-mail "phishing" (BEC).

For prevention we need to turn to the work of Whitfield Diffie and Martin Hellman. These gentlemen understood this issue and knew what they needed to do. What we need to do is to understand our part in their work: authentication.

When my daughter sat down in the office at the Credit Union to open a new account: that is when the Credit Union -- and my daughter -- should have authenticated the keys needed -- for her online interface(s).

This will need to be incorporated into systems as packaged technology.

We are talking about Public Key Cryptology: PGP, PKI, SSL, TLS, X.509, GnuPG ... it's "out there" -- but to make it work it is necessary to authenticate the keys.

I could give you the "fingerprint" for my key: 4DEA0DAD, and you could download it from the servers. But you still wouldn't know who I am. Once you find a way to identify me and verify the fingerprint on my key THEN you can SIGN my key. This will make my key VALID in your system, meaning you are satisfied that you know who I am. This doesn't happen with X.509: it's too easy for anybody to acquire an X.509 certificate -- and -- generally -- users have no idea what the certificates are supposed to look like or what data they should contain.

That doesn't matter HERE -- but -- at the Credit Union or with my tax software and such: yes, it does matter.

Note: the most important aspect of PKI/PGP/GnuPG --- is AUTHENTICATION.

What was the cost of hacking last year? I'm remembering $600B, 0.8% of GDP.
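The fingerprint-then-sign flow macker490 describes, as an added example that is not part of the original comment or of GnuPG itself: it models GnuPG's classic trust rule (a key is valid once your own key, one fully trusted key, or three marginally trusted keys certify it) using constructed key bytes and recorded certifications in place of real OpenPGP signatures.

```python
# Added example, not the article's or the commenter's code: a simplified model of
# GnuPG's classic web of trust, in which a downloaded key only becomes VALID once
# a key you trust certifies it. Signatures here are recorded claims, not real
# OpenPGP signatures; key bytes and names are constructed for the demo.
from dataclasses import dataclass, field
import hashlib

def fingerprint(public_key: bytes) -> str:
    """Fingerprint is a hash of the key material (OpenPGP v4 uses SHA-1)."""
    return hashlib.sha1(public_key).hexdigest().upper()

@dataclass
class Keyring:
    owner_trust: dict = field(default_factory=dict)  # fingerprint -> trust level
    certs: dict = field(default_factory=dict)        # signed fpr -> {signer fprs}

    def import_key(self, public_key: bytes, trust: str = "unknown") -> str:
        """Importing a key (e.g. from a keyserver) proves nothing about its owner."""
        fpr = fingerprint(public_key)
        self.owner_trust[fpr] = trust
        return fpr

    def sign_key(self, signer: str, target: str) -> None:
        """Certify target; only done after checking its fingerprint out of band."""
        self.certs.setdefault(target, set()).add(signer)

    def is_valid(self, fpr: str, _seen: frozenset = frozenset()) -> bool:
        """Your own (ultimate) key is valid; any other key needs one certification
        from a valid fully trusted key or three from valid marginally trusted keys."""
        if self.owner_trust.get(fpr) == "ultimate":
            return True
        full = marginal = 0
        for signer in self.certs.get(fpr, ()):
            # _seen breaks signature cycles and stops self-signatures counting
            if signer in _seen or not self.is_valid(signer, _seen | {fpr}):
                continue
            level = self.owner_trust.get(signer, "unknown")
            full += level in ("ultimate", "full")
            marginal += level == "marginal"
        return full >= 1 or marginal >= 3

def demo() -> tuple:
    """Returns (validity before signing, validity after signing)."""
    ring = Keyring()
    me = ring.import_key(b"constructed: my own key", trust="ultimate")
    # A stranger's key fetched by key ID: the fingerprint alone identifies nobody.
    them = ring.import_key(b"constructed: macker490's key")
    before = ring.is_valid(them)
    ring.sign_key(me, them)  # after verifying the fingerprint in person
    return before, ring.is_valid(them)
```

Run `demo()` to see the downloaded key go from invalid to valid only after your own certification; a key certified solely by strangers, or by keys that only certify each other, stays invalid.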
dave.dittrich, User Rank: Apprentice, 3/6/2018 | 1:08:14 AM
"Active Response Continuum" is a better phrase, better model, than "active defense"
I fully agree with Levi, that current proposals to modify existing computer crime statutes are insufficiently nuanced, insufficiently framed, and not ready to move forward. He is right that the consequences of allowing the private sector to become too aggressive, too casually, will likely make the situation for law enforcement more difficult rather than easier. I published my own analysis of the ACDC Act 2.0 (and proposals to improve it) along the lines of Levi's suggestions. You can find that analysis on Medium (search for "Medium Dittrich Active Defense Certainty Act", since URLs are not allowed in comments) and read about the Active Response Continuum (search "Dittrich Active Response Continuum").

I believe the end goal here should be to facilitate victims' reporting of meaningful evidence of computer crimes in a timely manner to law enforcement, to better enable the U.S. government to use its sovereign levers of power (diplomacy, intelligence, military, economic sanctions and law enforcement, DIME-LE for short) to pursue criminal actions and violations of international norms and laws against foreign and domestic actors. The private sector does not have the authorities, nor the "whole of government" options, necessary to reduce international incidents like those Levi listed.

There are many examples of corporations using civil legal process (e.g., botnet "takedowns" using temporary restraining orders) within the U.S. justice system. When and if a victim determines that the situation is sufficiently grave to justify violating domestic laws and taking aggressive uncooperative actions on systems not under their authority, outside of civil or criminal legal process, they already have the option under U.S. law to make an affirmative defense for their actions. The idea in the ACDC Act of forcing a harmed intermediary to bring suit in civil court for damages resulting from an entity taking ill-considered "active defense measures" seems to me to be unfair and unnecessary.