One of the main reasons American businesses are losing the global cyberwar is that it remains illegal for anyone to actively pursue his cyberattackers. The Computer Fraud and Abuse Act is the federal anti-hacking statute written in 1984 that prohibits unauthorized access to computers and networks. But lawmakers, as they frequently do, wrote the law so poorly that while it makes it illegal to intentionally access a computer without authorization or in excess of authorization, the law does not explain what “without authorization” actually means.
Now some big banks and retailers have decided to take things into their own hands and are actively going after the hackers, the laws be damned. And it’s about time.
The combination of this draconian law and the persistent denial under which most companies still operate has kept the United States from muscling up on one of the primary pillars of cyberwarfare: information. Up until now, the hackers have known vastly more about their American targets than we know about them and their techniques, so that we have had to counter these cyberattacks on an extremely asymmetrical playing field. The Equifax attack is clear evidence that what we have been doing has not been working, and the resulting consequences for the 143 million consumer victims are dire.
Whether that hack causes businesses to arouse from their slumber and start addressing the issue or not, serious companies have already begun to strike back.
One of the world’s largest banks just engaged a sort-of inverted “Red Team” to go after a group of hackers who had permeated the bank’s perimeter defenses through a sophisticated phishing attack. In an inverted breach, the good guys hacked the hackers in process, collected valuable and heretofore unobtainable intel, and confiscated the stolen data during the heist while learning where the hack had originated and the identities of many of the key players.
In short, they stopped the breach and discovered a lot about the perps.
Hacking back, also known as active defense, employs a broad range of techniques and technologies. Many aggressive businesses are now employing white-hat hackers (good guys) to camp on the targeted servers and, when an attack begins, remotely track the attack vector back to the originators’ servers, collect the malware strains for analysis, wipe the servers clean and launch a distributed denial of service (DDoS) attack to slow the criminals’ operations to a crawl and demonstrate a version of shock and awe. What would be really cool would be to leave a banner after the hack-back that says, “Brought to you courtesy of Bank of America,” but that’s a no-no.
Hacking back is a huge step forward in developing attribution. Due to the false-flag practices most hackers employ, it has been virtually impossible to identify the attackers or their source of origin. Until now. Instead of relying on generally useless, after-the-crime forensic evidence hackers leave on a network, our policing and investigative agencies can actually fall immediately into pursuit while perps are on the run, get into their safe house and confiscate live evidence. In many cases, discovery has included stockpiles of stolen information from earlier heists.
While there are issues related to interference with law enforcement investigations, potential violations of breach wiretapping legislation and the possibility of criminal prosecution, more and more companies are embracing the practice of operating in the shadows with these clandestine strike-backs. Like Equifax, plausible deniability is always a good defense.
Some governments, including Israel’s, are unsurprisingly working to legalize the practice of hack-backs.
Whenever we contemplate cybersecurity policy, my advice would be to look to the Israelis. They have a long history of implementing rational and practical self-defense measures and probably understand cybersecurity better than anyone. In spite of the fact that most U.S. cybersecurity entities and the majority of Congress remain steadfastly against hacking back, there is at least one U.S. congressman who is trying to do something about the law.
Rep. Tom Graves (R-Ga.) has proposed legalizing parts of hacking back with the Active Cyber Defense Certainty Act (ACDC). The proposal would allow companies to operate a limited set of hack-back techniques so they could learn more about attackers’ methods, stop ongoing hacking campaigns in progress, and gather information that could lead to the actual identity of the hacker. This should not be a revolutionary idea, but based on the way it has been received thus far, you would think Graves proposed nudity every other Wednesday on the House floor.
Many companies in the cybersecurity business are ignoring the law and are quietly offering hack-back services, often using former employees of the United States Cyber Command and the National Security Agency, and some highly skilled rogue hackers that have become legends at DEF CON’s “World Series of Hacking” where the best of the best hackers compete. We now employ some of the most skilled hackers on the planet, and it is time we started listening to them.
Additionally, several startups are now selling software to enable private companies to launch DDoS attacks and basic SQL injections, which are the most common technique for stealing customer data. Their clients today are found in the gaming, retail, hedge fund, banking and health sectors. Sorry, no credit rating agencies have signed up yet.
More and more, companies will start to strike back, because whether illegal or not, lying against the ropes and taking a beating every day is not sustainable. We can’t just sit here and wait for the next Equifax breach. Something has to give.
By the way, if you are wondering about the result of that big bank’s reverse “Red Team” engagement? It was very effective.
Steve King is the COO of Netswitch Technology Management.