The New Security: Hacking Back at a Hack Attack
The best defense is a good offense. However, it’s important to know your legal limits.
Any smart development organization is concerned about security, but there’s considerably more nuance to it these days than just throwing up a wall and a moat and hoping it keeps the dragons out.
Security expert Iftach Ian Amit, director of services at security consulting company IOActive, believes that computer security defense needs to be just as romantic as hacking, which is why he calls his methods “SexyDefense.”
To start with, find your weaknesses. Some organizations evaluate their security with “penetration tests,” also known as “pentests.” But you can’t stop there, Amit says, because pentests are simply designed to pass compliance.
The next step is to have a “red team,” typically composed of outside consultants, attempt to break into the company. “A red-team test is a full-scope engagement that simulates a real-world attacker materializing a threat on an organization,” Amit writes in his paper, “Sexy Defense.”
“Such a test is very different than a traditional penetration test, and as such, if you thought you were ready after ‘passing’ previous penetration tests, you are probably surprised by the findings that the red-team found: full compromise, physical intrusion, stolen intellectual property, and pivoting through different elements (technical and social) inside your organization.”
This can end up being quite a shock, because red teams don’t play by the rules, Amit says. But, you know, neither do hackers. Instead, he advises, company security staff should look at the way red teams operate and look at their own company the same way. Think in terms of the home-field advantage they enjoy, starting by looking at the vulnerabilities found in the red team test.
But looking at potential attacks from a defensive position is like looking outside from inside the walls. The problem is, “You expect that things can only sneak in through the holes,” Amit says. But these days, that’s no longer true. “I see your CEO on social media and talking on development forums, I see your guards in the bar at night,” and other methods of “social engineering” that break in using human vulnerabilities rather than hardware and software ones. “People are hackable just like computers are,” he says. Potentially suspicious people to look for include stalkers, tailgaters, new people who join the outside smokers, construction workers, and sales leads.
Measure Twice, Cut Once
Typical security defense focuses on detecting intrusions and mitigating and containing damage, which is a reactive response. Instead, organizations should focus on areas such as threat modeling, intelligence gathering, and data correlation – the same sort of research that hackers do when planning how to break into your system.
“Logs are the best investment you can make,” Amit says. Like the adage of measuring twice and cutting once for wooden logs, he advises organizations to get all the information and all the logs they can, and to filter information later, he says. Having all these logs help you spot early warning signs, such as the volume of calls to support, unusual physical elements around the office, sales inquiries that are actually fishing for information, probes on company websites, changes in file permissions, and access to specific files on network storage. Keep the raw logs around afterwards, too, in case something else comes up, he adds.
Then, correlate the log information with external events and timelines such as the local and regional news, sports, entertainment, financial, and even national and international events, Amit recommends. “Usually, attacks are aligned to use environmental elements such as holidays, sporting events, industry-related events, geo-political events, etc.,” he writes. “The context of a singular event or a correlation of events may be crucial based on the timeline in which they occur.”
It’s also important to train employees to identify and report things that seem out of the ordinary. “Until then, you’re just giving money to vendors,” Amit says. “You can’t just sit there and monitor by yourself. There is no replacement for the human factor in the defensive strategy. It is the cheapest and most ‘fuzzy logic’ solution that can be brought into the security field,” he writes.
“Tools and automation can be used to minimize the grunt work and to bring interesting aspects of the data to the table – but people are still needed to bring in the ‘ah-ha!’ factor, which can be then fed back to an algorithm that will learn how to automate that for the next time.”
Try the Kevin McCallister Technique
But you can go beyond that, too. How? Well, ever see the movie Home Alone? Security isn’t just a matter of defense, but offense as well. You can set “traps,” or honeypots, of intelligence or technology – even booby traps. For example, identify your threat communities and agents, locate their hangouts and where they get tools, and infiltrate them to get information on their techniques and how they operate, Amit says.
Amit also suggests developing your own intrusion tools to spread around the hacking community, with back doors that leave a distinctive signature should they be used. For example, you could find a known Trojan Horse program, and put another Trojan Horse inside it that helps you identify and catch perpetrators. After all, he points out, “They’re not going to scan it because, you know, it’s a Trojan.”
You can also use counterintelligence. For example, if you find that dormant accounts are being used for fraud or money laundering, create a series of fake accounts that are tracked, add them to the list of dormant accounts, and then seed that list to places where it could be picked up – and then follow the tracked fake accounts, Amit says.
It’s important, though, when setting up any set of traps, to work with law enforcement and the company’s legal department to make sure you’re not stepping over the line into illegal hacking yourself, Amit says, also noting that he’s not an attorney.
Security specialist Robert Clark, however, is, warning users that there is no “castle doctrine” when it comes to computer systems, and it’s important to think of the ramifications of any response. “If you see someone download information from your site, look up their FTP site and get a password, and log into their server, you have no authority to do so,” he says, which is liable itself to be a crime under the 1986 Computer Fraud and Abuse Act.
Clark is also dismissive of the notion of striking back at hackers using booby-trapped software, such as an application with the potential of damaging equipment. ”If your intent is for them to take it and melt their machine, your intent is to violate the Computer Fraud Act,” he says. Besides, “No self-respecting hacker is going to open up a system on their computer on the Internet,” he says. And for honeypot software that “beacons” its location back to you, legally you would have to set up a court order first, he says.
So before setting up any sort of revenge, check with an attorney, Clark advises. “A lawyer should never say, ‘You can’t do that,’” he says. “A lawyer should provide you advice and say, ‘If you do it this way instead, it will not be a violation of the law.’”
Be prepared to do a lot of explaining. “You must explain technology on a third-grade level to attorneys, so they can explain it to a judge at a first-grade level,” he says. The attorney could also advise you on what else you could do that’s less destructive than destroying a machine, as well as on steps you have taken to minimize your risk and exposure – especially if you end up having to show them to a judge, Clark says.
Lawyers can also help figure out ways to hack the law itself, much like Chicago gangster Al Capone was finally arrested, not for murder or bootlegging, but for tax evasion. For example, Microsoft shut down botnet networks, which sent out messages pretending to be from the company, using trademark infringement laws, Amit says.
Amit’s final technique is to “align outwards,” which means comparing notes with peers. Keep track of what’s new on the offensive side and how it relates to you and your organization. While some organizations like to practice “security through obscurity,” or hoping bad guys just don’t find the security holes, that strategy doesn’t work.
Most important, don’t accept a successful audit or compliance test – even a failed red team attack – as a sign of an effective defense, Amit says. All it means is that you are now one with the lowest common denominator of lowest bidders.
Finally, remember that your security strategy document is never finite, but needs to be constantly updated to take advantage of new information and techniques. “Make it a living document,” Amit says.