As Gandhi once said, "An eye for an eye will only make the whole world blind." The same could be said about using hack-back technology for vengeful purposes, such as security defenders who respond to attackers with the intent to harm their systems. Many large technology firms are going on the record with their opposition to the concept of hacking back. They’re posing many questions. What might happen if we make it legal for corporations to take cyber justice into their own hands? Many hack-back critics in the technology field fear it will make the Internet less safe and unintended harm will be directed at innocent bystanders. But others say that active defense is the right tactic. Why should we live at the mercy of attackers who have more control over our data than we do?
For those who say that legal, active defense has the potential to turn into the “Wild West,” here’s news for you: from the cyber attacker’s perspective, the Wild West is already here, and has been for some time. The 2018 Verizon Data Breach Investigations Report revealed that 73% of all reported data breaches were perpetrated by outsiders; 50% of those were orchestrated by criminal groups and 12% of breaches were perpetrated by nation-state attackers. More than 76% of breaches were financially motivated, and 48% of data breaches involved hacking – the favorite method being malware. Overall, the total number of reported breaches has doubled over the previous year. In short: the bad guys are winning. Traditional endpoint and network defense is not enough.
Perhaps the experts who oppose active defense are asking the wrong questions. The right question is: What if it were possible to hack back in an ethical and safe way?
Un-breaking the law: decriminalizing active defense
In the aftermath of high-profile data breaches and devastating ransomware attacks that have crippled government agencies and private companies alike, legislation has been proposed at both the state and federal level that would make it legal to respond to an attack with active defense. The ACDC Act, a bipartisan piece of federal legislation introduced in the U.S. House of Representatives last October, seems to be picking up steam again after being dismissed last year. And in Georgia, after a ransomware attack brought the city of Atlanta to its knees, state legislators passed a similar bill, but the governor of the state vetoed it when it came across his desk. The official response was that the language of the bill was too vague and required more discussion, and the bill has been sent back to the legislature.
While the language of each of these pieces of legislation is too ambiguous, the intent with these potential laws is clear. The focus should be on ways to change the asymmetric power in the ongoing cyberwar to at least provide equal footing to the defenders. Attackers have always had the high ground. It's time to change that.
It is understandable that the concept of active defense has been met with loud opposition by some academics, security professionals, and policy analysts. Many who oppose active defense as a policy believe the issue of accurate attribution of the attacker is just not solvable and could lead to mistaken identities or hacking the wrong person. That is certainly a legitimate concern, but it also depends on the definition of active defense. When there are many sides to an argument, it's important to make sure we're all talking about the same thing.
Defining active defense
The truth is, active defense is one of the best-kept secrets by some defenders and clearly runs afoul of the Computer Fraud and Abuse Act (CFAA). It is illegal for a defender to probe a remote source IP implicated in an attack on them and exploit any found vulnerabilities to implant code in the abusive machine, even if the defender seeks to recover or destroy stolen data. The cost to the defender is very high, especially if the target of the revenge turns out to be an innocent bystander. Under CFAA, the penalties can be quite stiff.
Under the definition of hacking back in the ACDC bill, it’s easy to get tripped up around the issue of being certain of the true source of an attack. True attribution remains elusive, and misdirected revenge could do far more harm, even if it is legal. With this in mind, the security community needs to look at a safer way to leverage active defense, with the sole intent to recover or destroy stolen data.
Attackers have had almost zero consequences or costs for stealing data from innocent victims. But instead of fighting fire with fire, what if defenders could hack adversaries’ wallets rather than their systems? The goal of ethical, active defense should be to confound and confuse attackers, especially those who have the primary goal of data exfiltration for monetary gain. How might we reach past the stepping stones and serve up the just rewards to the true attacker?
Disinformation as a defense
One active defense option is to deceive attackers by letting them exfiltrate unbounded amounts of bogus data. This strategy not only makes a hacker think twice about whether they were snookered, but also saddles them with the expense of figuring out whether a stolen treasure has any value. Of course, the same may be true of nation-state actors; they, too, should not operate freely any longer, even if their goal is non-monetary. This is where the concept of data deception technology comes into greater focus as a more measured approach to active defense.
Deception technology broadly covers a number of techniques designed to achieve the same goal: make it harder for attackers to get access by misdirecting them, lying to them, or even faking them out using decoys. Many deception technologies, like the widely used honeypot, are based on setting up decoys or traps to detect attackers. The new wave of deception technology has even expanded to include decoy media of all kinds, from file systems to endpoints, documents, credentials and users, to name a few, and it’s more about prevention than passive detection.
Honeynet technologies are being marketed as a natural extension of current best practices of securing large enterprise networks. But are they the best strategy for fast time-to-detection of adversarial behavior? Not really. They are hard to deploy and manage, and they depend upon the adversary finding his or her way to the honeynet while pursuing the operational networks they first entered. Further, avoiding honeynet “tells” is hard to do, as the lack of data and data flows to the honeynet will be obvious to the adversary. No matter how clever we think we are by hiding our goods - diamonds in the safe and cubic zirconia in the jewelry box - attackers are better at thinking like us than we are at thinking like them.
A more practical approach is the use of decoys in deception, based on the assumption that attackers will inevitably penetrate an enterprise’s systems or make an effort to steal what’s valuable. What makes a cyber invasion different than a home invasion is that generally we know when something has been stolen from our home - perhaps the door was ajar or something was out of place. But chances are, you might not know when your system has been attacked or if sensitive data was copied or stolen. This is why deception - and thinking like an attacker - can help secure personal data.
By populating file systems with decoys in operational networks and adding beacons to real sensitive data, businesses can not only track whether anyone is poking around their digital assets, but also increase the likelihood that an attacker will give up or abscond with useless data. Deploying data deception-in-depth within actual, operational networks is a sound defensive strategy. Those networks are the primary location where attackers root around for their quarry, before they find any breadcrumbs leading them to deployed honeynets. Understanding what kind of information entices attackers will help you understand what data to protect, and where to place decoys and beacons. And understanding what kind of sensitive data is most vulnerable is the first step in creating effective decoys.
If an attacker has breached a system, he or she is probably smart enough to bypass “Fakey McFakerson” files on earnings reports or proprietary product data. If it doesn’t fool you, it’s probably not going to fool an attacker. At Allure, our world-class research team has extensively studied and tested what makes decoys both convincing and effective as a security mechanism.
Here are the properties that make a decoy effective within the realm of data and documents, though these attributes apply to decoys in other mediums:
- Believability. Perhaps one of the most important qualities of a decoy is whether or not it seems real. A good decoy will seem authentic, making it harder for an adversary to tell that it is fake.
- Enticement. A decoy should appear enticing to an adversary, which means documents should have bogus, but realistic, information the adversary might want.
- Conspicuous. Conspicuous decoys should be easily found or observed. A conspicuous decoy is similar to enticing but differs in how the information is found. Conspicuous documents are found because they are easily observed, whereas enticing documents are chosen because they are of interest to an attacker.
- Detectable. To know when someone’s gotten in, a decoy must be detectable and sound an alert if touched.
- Variability. If all decoys have the same property, they’ll be easy to sniff out. Decoys should be highly variable to make it harder for an adversary to separate the real from the fake.
- Non-interference. To operationalize the use of decoys in a system, they should not interfere with normal use or get in the way of legitimate users.
- Differentiable. While decoys should be believable to the attacker, they should also be distinguishable to the legitimate user. A decoy is considered differentiable if the legitimate user always succeeds in telling it apart from real data.
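As an added illustration of the Variability, Detectable and Differentiable properties above (example code written for this article, not Allure's implementation): the sketch below describes decoys with varied names, gives each a unique marker carrying a keyed HMAC tag so that legitimate tooling holding the key can recognize a decoy, and flags any access-log line that touches one. The key, file-name templates, directory paths and log format are all constructed assumptions.

```python
import hashlib
import hmac
import random
import secrets

KEY = b"constructed-demo-key"  # assumption: in practice kept in a secrets store
# Constructed name templates: plausible and varied rather than one repeated pattern.
TEMPLATES = ["Q{q}_earnings_draft_{y}.xlsx", "vpn_accounts_{y}.txt",
             "payroll_export_{y}_Q{q}.csv", "board_minutes_{y}-0{q}.docx"]

def tag_for(token: str) -> str:
    """Keyed tag: only holders of KEY can produce or verify it."""
    return hmac.new(KEY, token.encode(), hashlib.sha256).hexdigest()[:16]

def make_decoy(directory: str, rng: random.Random) -> dict:
    """Describe one decoy: a varied file name plus a unique, keyed marker."""
    name = rng.choice(TEMPLATES).format(q=rng.randint(1, 4), y=rng.randint(2015, 2018))
    token = secrets.token_hex(8)  # unique per decoy, so an alert names the exact file
    return {"path": f"{directory}/{name}", "marker": f"{token}:{tag_for(token)}"}

def is_decoy(marker: str) -> bool:
    """Differentiable: legitimate tooling checks the marker and skips decoys."""
    token, _, tag = marker.partition(":")
    return hmac.compare_digest(tag, tag_for(token))

def decoy_alerts(log_lines, decoys):
    """Detectable: return (time, user, path) for every logged touch of a decoy."""
    paths = {d["path"] for d in decoys}
    hits = []
    for line in log_lines:
        fields = line.split(maxsplit=3)  # time, user, operation, path
        if len(fields) == 4 and fields[3] in paths:
            hits.append((fields[0], fields[1], fields[3]))
    return hits

def demo():
    rng = random.Random(2018)  # seeded only so the example is repeatable
    decoys = [make_decoy(d, rng) for d in ("/srv/finance", "/srv/hr", "/home/cfo")]
    log = [  # constructed access-log lines
        "2018-06-01T02:14:07Z alice OPEN /srv/finance/budget.xlsx",
        f"2018-06-01T02:14:09Z svc_backup OPEN {decoys[1]['path']}",
        "malformed line",
    ]
    return decoys, decoy_alerts(log, decoys)

if __name__ == "__main__":
    for hit in demo()[1]:
        print("ALERT decoy touched:", hit)
```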
As we have seen in multiple cases when a company discloses a breach, attackers can be embedded in enterprise networks for months before being detected, usually after successfully exfiltrating very large amounts of sensitive data. It’s been well established that perimeter security just doesn’t cut it anymore and that any well-designed system should have many layers of security, or a defense-in-depth approach. Deception-in-depth should be one of those layers. By using decoys as part of the overall deception-in-depth strategy, businesses can change the balance of power between the attacker and defender.
With modern deception technology, the attacker has to discern between real and fake data, which is hard to do if you’ve created realistic decoys. Imagine if the Sony hackers had dumped decoy email logs online - the only people who would have been embarrassed would have been the hackers themselves. That is the power of responsible hacking back using deception security.