When thinking about counterhacking, turn to best practices instead
There is widespread industry discussion and debate about the current Active Cyber Defense Certainty Act (ACDC), introduced to Congress in March of 2017, that would allow companies the right to hack back after a “persistent unauthorized intrusion.” This bill has become increasingly relevant in the cybersecurity community as a result of frustration with the sheer number of breaches, damage caused by them, and low prosecution rates. However, counterhacking exposes many practical and ethically gray issues that organizations may be ill-equipped to address. One could also argue that organizations are better suited focusing their efforts on fortifying their defenses and detecting threats quickly to avoid breaches in the first place – eliminating the need for retaliation. Read more about the details of the bill here.
The bill has piqued the interest of many since it seeks to address the increase in the frequency and magnitude of breaches and the public’s growing frustration with low prosecution rates. A typical counterhack could start with probing a cybercriminal’s infrastructure for weaknesses to prepare for retaliation, followed by remotely breaking into a target’s servers and wiping any data, or disabling the attacker’s malware from delivering a payload.
Alternatively, it could go to the extreme of committing a DDoS attack or other show of force or retaliation. However, people who can expertly defend a network’s perimeter typically lack the skills, training, and financial resources to conduct a counterhack without causing unintentional harm or finding themselves under escalating attacks from the adversary they were attempting to counterhack. Ultimately, attribution is extremely difficult, and for that reason alone, counterhacking is best left to law enforcement and military operations.
Counterhacking is highly complex and generally deemed unwise by cybersecurity experts for several reasons:
- With an open Internet, accurate attacker attribution is difficult.
- Because attribution is challenging, there is significant potential for “innocent bystanders” to be negatively impacted by counterhacking.
- The bill only legalizes counterhacking against attackers within the United States; attacks involving individuals from other countries would be subject to their local laws.
- A private organization’s counterhacking may interfere with investigations or activities by government agencies.
- It can be very difficult to prove that a given attacker “persistently” attacked a network.
- Most organizations do not have the skill set to conduct a precision hack back or to deal with the potentially escalated wrath of an aggravated attacker.
The best way to avoid a discussion on whether counterhacking is right for an organization is to prevent a successful breach in the first place. In addition to implementing best security practices for defending the perimeter and endpoints, organizations should assume that their perimeter defenses will be breached at some point, and have a means of accurately detecting the attacker once it happens. The most effective way for organizations to detect threats that have entered the network is through early detection that is paired with sound threat intelligence and counterintelligence, which can be used to shut down the attack and fortify future defenses.
The Data Security and Breach Notification Act, introduced in the United States Congress in November 2017, provides further incentive to prevent an attack from becoming a breach. This legislation is partially a response to companies like Equifax failing to disclose their breach for a shocking 41 days, and more recently, Uber neglecting to notify authorities of their breach for over a year. The Data Security and Breach Notification Act would require companies to report a breach within 30 days. If an individual knowingly conceals a breach, they could face up to five years in prison.
In the EU, the General Data Protection Regulation requires that organizations must notify the supervisory controller of any data breach involving personal data within 72 hours. Failure to comply can result in fines of up to €10M (~$12M) – or up to 2 percent of the total worldwide annual turnover of a company’s preceding financial year, whichever is higher.
With the ever-increasing costs to clean up after a breach and the financial penalties imposed by legislation on organizations who fail to report in a timely manner, it is more fiscally responsible to invest in proper detection and protection controls than it is to risk suffering a breach. This has contributed to a fundamental shift in 2017 to adopting an adaptive security defense that includes prevention, detection and response security controls. Gartner called deception technology one of its “Top Technologies for Security in 2017” in a June 2017 report.
Rather than counterhacking, IT teams can look to deception to change the asymmetry of an attack. Deception is a valuable counterintelligence tool for detection and acquiring threat intelligence for strengthening active defenses. The use of deception for in-network detection and intelligence is both legal and keeps organizations within their swim lanes of what they do best: defending their networks. Early detection, paired with indicators of compromise and intel that helps identify and neutralize adversaries targeting the organization, will not only prevent an attacker from successfully completing their attack, but will also strengthen defenses against other attackers.
“Clearly, there is no way to keep threat actors 100% out of the network, and even with the best ‘castle walls and moats,’ insiders, suppliers, and contractors all can create weak links. There is also no realistic way to eliminate all human error,” said Tushar Kothari, CEO of Attivo Networks. “Ultimately, whether you are looking to build your adaptive defense, are motivated by compliance with regulations such as the GDPR, or by the potential impact of bills like the Data Security and Breach Notification Act, it is now time for organizations to put additional focus on detection technologies to prevent breaches from ever occurring.”
While Alfred Hitchcock once said, “Revenge is sweet and not fattening,” Frank Sinatra said, “The best revenge is massive success.” For IT teams, pursuing success is best achieved through the deployment of advanced adaptive defenses that incorporate prevention and early threat detection best practices and prevent a situation in which they would ever need to retaliate.
An updated version of the bill was referred to the House Judiciary Committee on Oct. 12 and then to the House Subcommittee on Crime, Terrorism, Homeland Security and Investigations on Nov. 1. Notably, an average of 86 percent of bills never make it out of subcommittee, and although this bill has garnered a lot of attention, there is a very reasonable chance the measure won’t ever see the light of day.
Crandall is Chief Deception Officer at Attivo Networks. Crandall has over 25 years of experience in building emerging technology markets in security, networking, and storage industries. Her current focus is on breach risk mitigation by teaching organizations how to shift from a prevention-based security infrastructure to one of an adaptive security defense based on the adoption of deception-based cyber warfare.