MIAMI -- The questions are being asked more often: When a cyberattack hits your network, is it right to launch a counter-attack of some type to try to at least identify the source if not stop it? Since the wheels of justice do indeed grind slowly, should frustrated IT professionals with security skills take matters into their own hands or hire others to do so?
"You want to go after them and block them," said David Willson, an attorney and retired Army JAG officer who, like other lawyers in the field, is concentrating on understanding the limits of what IT and security managers can or should do under the limits of today's law. Speaking at the Hacker Halted conference, Willson said there is no consensus among lawyers focusing on this topic. But he emphasized that companies being attacked "should look beyond your network and figure out what's coming after you," and there's a case to be made that you should "strike back defensively."
"Can you do it technically? Yes. Legally? I'd argue, yes," he said. Although some have argued in the past that even using a network-based honeypot to fool cybercriminals into thinking they've broken into a network is illegal, Willson said he disagrees. Companies might want to try and pinpoint attackers through use of so-called beacons and "digital dye-packs," such as documents that when stolen can report back where they are.
But there are tough questions about how far an IT manager can go to actually try and pursue attackers who are often organizing and launching attacks through compromised computer systems all over the world. The U.S. Computer Fraud and Abuse Act, which applies to anyone in the U.S. regardless of what they do across the global Internet, suggests you can't make unauthorized entry into a computer owned by another entity.
Willson says this law, too, gets argued over as to what unauthorized access really means. But he says companies should believe they have the right to "defend persons or property." This means that potentially the corporate management in an organization -- not the IT department, he says -- could make a decision to go after an attacker in some way based on risk, liability and other legal issues.
This general concept is being described in the security industry as "active defense," and Willson advocates that organizations pull together a team to have an active defense plan and a way to document findings. "You have to make the CEO as comfortable with this as possible," he said, because active defense may become something that could be challenged in court.
Dmitri Alperovitch, CTO at startup CrowdStrike, which is launching its own active defense-style services, says to his knowledge there has not yet been a significant legal case in this area, though if there were one, it might help distinguish how far the victimized organization can go to pursue and disrupt an attacker.
If there's a "marquee case" where "someone takes the bullet" in a court battle arguing for the ability to strike back in active defense, then the result might be to raise awareness that could get Congress to modify current law. He added that Microsoft has shown some success in lawsuits oriented toward dismantling botnets around the world by going after individuals running them and also revealing their identities.
"We need to get some deterrence," said Alperovitch. It's his opinion that nation-state industrial espionage that occurs over the Internet, often linked to China, is simply something that for political reasons the U.S. government does not want to take on as a public issue now. Despite the huge number of computer intrusions blamed on Chinese attackers stealing U.S. data from corporations and government over the past few years, the U.S. government is not motivated to make waves over it. "On the nation-state side, the government is locked in inaction," said Alperovitch.
Hacking back at servers where you think attacks have originated violates the law and "you don't get much out of it," said Alperovitch. Active defense, he said, is better understood as "offensive tactics" that could involve everything from attempting to get stolen data back to legal action and public relations-oriented actions to expose the identities of attackers in full and their motivations.
Although there's certain to be debate, CrowdStrike is starting with the basic belief that the private sector has the authority "to go into a server to get that data back," said Alperovitch. He said there's a common-law precedent, and an affirmation defense under the law. But the usual circumstances would be that you'd first call the FBI or other law enforcement and have them try and take action, but "if the government and law enforcement is unwilling or unable to take that action, you can," he said. "It's defense of property," along with the idea, "I'm holding you until the law arrives." He said there's a lot of precedent in the legal system for this, but it hasn't really been done before for cyberattack response and he acknowledges that court rulings would be uncertain.
In terms of active defense, there are also techniques related to deception that could come into play that are akin to distributing disinformation in order to fool an attacker. He said this could go way beyond honeypots, which he says aren't usually effective because they are hard to make realistic. Though he declined to divulge some details, he said the best types of counterattack deceptions are those in which disinformation is very targeted toward an attacker and you try to limit the spread. Here, too, the issue of both public relations and legal fallout exist because active defense tactics that go awry could have negative consequences for companies and governments.
In the end, though, the idea of "naming and shaming" the cyberattackers has real value, though there's always seems to be another attacker out there to fill the spot.
Sean Bodmer, threat intelligence analyst at security firm Damballa, who has worked hard to combat Russian cybercriminals in organized crime running botnets for financial gain by providing some technical assistance to the FBI with some operations, acknowledged some frustration in it. Speaking at the Hacker Halted conference this week, he said the gravity of what he sees coming from Russian cybercrime and Chinese-related espionage is immense. Law enforcement is "too slow" and they tend to have the mindset that "they're looking for the next big case," he said. He added he's now more optimistic about tactics that involve taking actionable information related to criminal activities and showing it directly to companies such as hosting providers in data centers where they will cut off criminal proxies, for example.
The idea that there should be direct action against attackers taken even in the course of identifying their unwanted presence in a corporate network is growing, however uncertainly. Jonathan Cran, chief technology officer at security firm Pwnie Express, advocated "fighting fire with fire" during his presentation at Hacker Halted. State-sponsored attackers are a fact of life and they will be using phishing, remote-access Trojans, and other stealthy means to accomplish exfiltration of stolen data, he noted. These so-called "advanced persistent threats" in the corporate network suggest there should be more focus on APT "counter attack" to develop "offensive capabilities" that shorten the time from detection to constraint. He said the idea of the typical penetration test needs to evolve into a process that will grant ways to hook the bad guy.
How the security industry will grow to engage -- within the confines of the law -- in active defense tactics is unclear, but sources planning the RSA Conference 2013 say they expect this to become a central theme in session tracks at the conference early next year.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: firstname.lastname@example.org.