Countermeasure: Hack the Hacker?

In light of the growing number of mega breaches (e.g., Collection #1, Dunkin’ Donuts, Citrix) and the ongoing ransomware epidemic, politicians on both sides of the aisle are pushing for legislation that would allow organizations to take an offensive posture toward attackers, an approach commonly called “hack back”.

Initially introduced in 2017, the Active Cyber Defense Certainty Act (ACDC) was reintroduced in the U.S. Congress earlier this year. The bill would amend the Computer Fraud and Abuse Act (CFAA) to allow corporations and other victims of cyber-attacks to pursue adversaries outside their own network boundaries in order to disrupt their activities. However, many security experts warn against commercial organizations taking the law into their own hands and oppose this type of legislation, since it could produce unintended consequences such as targeting the wrong group or escalating into a conflict with a nation-state.

To implement an active cyber defense strategy similar to the posture the U.S. Cyber Command has taken over the past few years, an organization could take several steps: booby-trapping files so that any access triggers an alert, conducting reconnaissance on the attackers’ infrastructure, remotely breaking into the attackers’ servers and wiping data, and even launching distributed denial-of-service (DDoS) attacks against cybercriminal operations.

However, under the current CFAA, reaching beyond an organization’s own boundaries to target hackers who have stolen, or are trying to steal, its data is itself illegal hacking. Organizations that nevertheless implement active cyber defense strategies operate in a gray area for which no guidelines exist. That is what the ACDC aims to address by establishing acceptable rules of engagement for responding to data breaches.
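Of the steps listed above, only the booby-trapped file stays entirely inside the organization’s own network, which is why it is the one most defenders actually deploy. The following is an added example, not code from the article: a credential honeytoken. A decoy account that no legitimate process ever uses is written into a file that looks like real configuration; any authentication attempt with that account name can only come from someone who read the file, so it is a high-confidence alert that requires no attribution of the attacker at all. The account names, host name, log format and sample log lines are all constructed for the example.

```python
"""
Credential honeytoken: plant a decoy account in a config file and alert on any use.
Added example; account names, host name and log format are constructed.
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Hypothetical decoy accounts. Whether you provision them (unprivileged, on a
# monitored host) or not, the rule is the same: no legitimate process uses them.
DECOY_USERS = {"svc-backup-archive", "db_reporting_ro"}


def make_decoy_config(user: str) -> Tuple[str, str]:
    """Return (file_body, secret) for a decoy config file.

    The secret is random and used nowhere else, so anyone presenting it must
    have read this file. The file is what gets planted on a share or server.
    """
    secret = secrets.token_hex(16)
    body = (
        "# archive service settings\n"
        f"username = {user}\n"
        f"password = {secret}\n"
        "host = backup-01.internal\n"  # hypothetical host name
    )
    return body, secret


# Constructed log format: "<date> <time> auth <ok|fail> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    result: str


def detect_decoy_use(log_lines: Iterable[str], decoy_users=DECOY_USERS) -> List[Alert]:
    """Return one Alert per authentication event that names a decoy account.

    Failed attempts count too: a failure means the attacker has the file even if
    the decoy password has since been rotated, and it still reveals the source.
    """
    alerts: List[Alert] = []
    for line in log_lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m is None:
            continue  # unrelated or malformed line
        if m["user"] in decoy_users:
            alerts.append(Alert(m["ts"], m["user"], m["src"], m["result"]))
    return alerts


def summarize(alerts: Iterable[Alert]) -> Dict[str, List[str]]:
    """Group decoy usage by source address so the responder sees which host to isolate."""
    by_src: Dict[str, List[str]] = {}
    for a in alerts:
        by_src.setdefault(a.src, []).append(a.user)
    return by_src


# Constructed sample log: two real users, then one internal host touching both decoys.
SAMPLE_LOG = [
    "2019-03-04 09:12:01 auth ok user=alice src=10.0.4.17",
    "2019-03-04 09:12:44 auth fail user=bob src=10.0.4.23",
    "2019-03-04 11:03:10 auth fail user=svc-backup-archive src=10.0.9.200",
    "2019-03-04 11:03:12 auth ok user=db_reporting_ro src=10.0.9.200",
    "kernel: unrelated line that must be ignored",
]


if __name__ == "__main__":
    body, _ = make_decoy_config("svc-backup-archive")
    print(body)
    for src, users in summarize(detect_decoy_use(SAMPLE_LOG)).items():
        print(f"ALERT decoy credentials used from {src}: {sorted(set(users))}")
```

The point of the design is that the alert carries no attribution burden: it does not matter who 10.0.9.200 is or where the operator sits, only that a host inside the network read a file it had no business reading, which is actionable (isolate the host, rotate anything else on that share) without ever leaving your own boundary.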

Active Cyber Defense Flaws

Cybersecurity experts oppose this legislative initiative for the following reasons:

Most corporations lack the skills and expertise to take on professional hackers. While high-tech giants like Google might have the in-house talent to carry out a “hack back” without causing unwanted collateral damage, the same cannot be said for most other organizations. Even the ACDC bill acknowledges the level of sophistication required, stating that only “qualified defenders with a high degree of confidence in attribution” should use an active cyber defense strategy.

An even bigger issue is how an organization would establish the true identity of its adversary. Attribution has always been the most difficult element of a data breach investigation; it can take months and does not always produce a conclusive identification of the threat actor. Professional hacker groups are skilled at concealing their tracks, using spoofed or proxied IP addresses, publicly available third-party attack tools, and the compromised systems of innocent organizations to carry out their attacks. As a result, organizations run a very real risk of targeting the wrong party in their hack back activities.


Finally, giving corporations the right to hack back could pit private companies against nation-states such as North Korea, Russia, China, or Iran. What would happen, for example, if a major private-sector company that believes it has been hacked by China decides to hack back and goes after the attacker’s systems? The national security implications could be serious.

Back to the Basics

Before implementing an active cyber defense strategy, organizations should conduct a self-assessment to determine whether they are applying the most basic cyber hygiene practices, which go a long way toward preventing infections and reducing the risk of falling victim to a cyber-attack.

Post-mortem analysis of data breaches regularly shows that a lack of cyber hygiene was a contributing factor. Organizations should therefore focus on the following practices:

• Maintain a comprehensive asset inventory and classify all assets based on their sensitivity and risk;

• Conduct security awareness training among employees and contractors;

• Back up data regularly;

• Use preventive security technology such as anti-virus, anti-malware, and email spam filtering tools;

• Continuously patch vulnerabilities based on a risk assessment; and

• Configure access controls with least privilege in mind. 

When assessing the leading security weaknesses facing today’s organizations, the human factor, and in particular the misuse of privileged accounts, is high on the list. Analyst firm Gartner identified Privileged Access Management as one of its Top 10 information security projects for 2018 and again for 2019, because it is an area where organizations can achieve the greatest return on their security investment.

While the urge to hack back after a data breach is understandable, going back to the basics and applying proper cyber hygiene is the better alternative: higher reward, lower risk, and far less chance of unintended consequences.

Related: Proposed Legislation Would Give Legal Right to Hack Back

Related: Hitting Back at Hackers: Debate Swirls on How Far to Go

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
