It’s no surprise that, on the heels of the Colonial Pipeline and Kaseya global supply chain ransomware attacks, politicians are loudly calling for victims and companies to be given the power to hack back. This emotional reaction is not uncommon from a victim: they want the ability to bring the perpetrators of a crime to justice. But just as in real life, vigilantism is a bad idea. I went on record, along with some of my peers, describing why this is a bad idea. Instead, this is where the Government needs to step in, and we need to press our executive branch to wield its powers to address this national security threat.
Next, the US Government, through its authorities and the arms of the executive branch, needs to exercise its tremendous powers to “strike back” or, at a minimum, inflict real pain on the perpetrators as well as the sponsors of these attacks. In addition, the US Government is far better positioned, through its intelligence agencies and the FBI, to understand who the actual perpetrators are, and then, through coordination with industry, to determine what second- or third-order effects may result from any sort of takedown. The US Government has many levers it can pull. In fact, in the past it has successfully addressed cyber-attacks using its broad powers, including diplomacy, curtailing economic trade, country-level sanctions, individual sanctions (e.g. freezing bank assets), levying sealed indictments against individuals, and arresting and prosecuting individuals when they are outside the protection of a foreign government. Finally, as a last resort, we can take military action, including cyber and physical attacks against actors or regimes. The timelines for these actions and their impact can take longer than we would like, as I noted in this article, but history has shown them to be effective means of deterring the kind of behavior we are grappling with now.
US law is also clear that private companies and individuals are not allowed to hack back. While this may be disappointing to many, it is probably for the best. This does not mean you are powerless to act against adversaries: you can legally counter them on your own network using Active Defense strategies.
The concept of Active Defense has been in US DoD circles for well over a decade, but it needs revising in the commercial context.
Figure 1: Definitions of Active Defense
MITRE’s definition of active defense in Figure 1 takes the concept of Active Defense and applies it to the commercial sector. A couple of points in their definition are worth expanding upon.
- Adversary engagement is a mentality and an organizing principle for defense. If you are merely triaging alerts, you are not conducting adversary engagement operations. Rather, you need to think of compromised-device alerts in terms of attack campaigns and next steps.
Every alert is a symptom of a larger phenomenon that needs to be understood and countered before damage is done. MITRE’s ATT&CK framework is useful for understanding the context of observed behavior and where it fits in an attack campaign.
- Cyber deception is the advanced jujitsu of active defense. By populating your network and IP space with virtual devices, users, file systems, and even active documents, and laying breadcrumbs to them, you set traps for the adversary as they attempt to discover the network.
Every time an adversary touches one of these decoys, they expose themselves, notify SOC teams of a potential incident, and facilitate intelligence collection on them, while triggering playbooks that stop them from accessing critical resources.
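To make the decoy idea concrete, here is an added example (not Fidelis or MITRE code) of the detection logic a SOC might run over endpoint and network logs: it flags any touch of a decoy host, breadcrumb account or decoy document, labels it with the ATT&CK tactic it suggests, and selects a response playbook. The log format, decoy inventory, sample log lines and playbook names are all constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed deception inventory (hypothetical names): nothing legitimate ever touches these.
DECOY_HOSTS = {"10.0.9.50": "fileserver-finance-bk", "10.0.9.51": "jump-legacy"}
DECOY_USERS = {"svc_backup_admin", "j.doe.finance"}
DECOY_FILES = {"/shared/passwords_2021.xlsx"}

# Constructed log shape: "<ts> <event> src=<ip> [user=<u>] [dst=<ip>] [path=<p>]"
LOG_RE = re.compile(r"^(\S+) (\w+) src=(\S+)(?: user=(\S+))?(?: dst=(\S+))?(?: path=(\S+))?$")

def classify(line):
    """Return (source_ip, reason, attack_tactic) when an event touches a decoy, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, event, src, user, dst, path = m.groups()
    if user in DECOY_USERS:          # a breadcrumb credential was used
        return src, f"{event} as decoy user {user}", "Credential Access / Lateral Movement"
    if dst in DECOY_HOSTS:           # a decoy host was probed or connected to
        return src, f"{event} to decoy host {DECOY_HOSTS[dst]} ({dst})", "Discovery / Lateral Movement"
    if path in DECOY_FILES:          # an active decoy document was opened
        return src, f"{event} of decoy document {path}", "Collection"
    return None

def detect(lines):
    """Group decoy touches by source host; one touch is an incident, repeats escalate the playbook."""
    hits = defaultdict(list)
    for line in lines:
        r = classify(line)
        if r:
            hits[r[0]].append({"reason": r[1], "tactic": r[2]})
    alerts = []
    for src, events in hits.items():
        severity = "high" if len(events) >= 2 else "medium"
        alerts.append({"source": src, "severity": severity, "events": events,
                       "playbook": "isolate-host" if severity == "high" else "enrich-and-watch"})
    return alerts

# Constructed sample log lines: one host scans a decoy server, then logs in with a breadcrumb account.
SAMPLE_LOGS = [
    "2021-07-10T02:11:05Z auth src=10.0.4.23 user=alice dst=10.0.1.10",
    "2021-07-10T02:12:40Z scan src=10.0.4.23 dst=10.0.9.50",
    "2021-07-10T02:13:02Z auth src=10.0.4.23 user=svc_backup_admin dst=10.0.9.50",
    "2021-07-10T02:15:00Z file src=10.0.4.88 user=bob path=/shared/passwords_2021.xlsx",
    "2021-07-10T02:16:00Z auth src=10.0.4.90 user=carol dst=10.0.1.10",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a["severity"].upper(), a["source"], "->", a["playbook"], a["events"])
```

Because decoys have no legitimate users, every hit is high-fidelity, which is what lets the playbook act without the usual triage delay.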
Fidelis Cybersecurity is building a portfolio ideally suited to an Active Defense approach. To learn more about how to prepare your active defense strategy, read my thoughts on Active XDR (eXtended Detection and Response).