
The offensive approach to cybersecurity, motivations and risks

Cybersecurity goes on the offensive: law enforcement and private companies are discussing the possibility of adopting an offensive approach to defend their assets from continuous cyber attacks.

The press is getting used to news of cyber attacks against companies and government agencies; to date, the trend among the cybersecurity representatives of these entities has been to pursue a defensive approach in the face of threats.

Law enforcement and private companies seem to want to reverse this trend with a more aggressive approach to cybersecurity; their witnesses attended a Senate Judiciary Committee hearing on the proposal of taking the fight to the attackers.

What does an “offensive approach” to cybersecurity mean?

Many security experts are convinced that staying on the defensive, waiting for the attackers, is totally wrong: in many cases victims learn of the attacks years after they happened, with serious consequences. That is why law enforcement and private companies are questioning whether to adopt offensive techniques to mitigate cyber threats, such as the use of intrusive malicious code to conduct “spear-phishing” attacks against the systems suspected of having originated the offensives.

Earlier this year CrowdStrike, one of the most talked-about security firms at RSA 2013, presented its offensive approach to cybersecurity: the firm conducted a live takedown of thousands of nodes of the famous Kelihos botnet. The company is exploring all possible legal methods of “getting stolen information back from hackers, or deleting it so the information cannot be used”.

CrowdStrike officially launched its Falcon platform, a system that uses Big Data to carry out a number of “active defense” operations, including “real-time detection of adversary activities, attribution of the threat actors, flexibility of response actions, and intelligence dissemination”.

Stewart A. Baker, partner at Steptoe & Johnson LLP, discussed before the Judiciary Committee’s Subcommittee on Crime and Terrorism the paper “The Attribution Revolution: Raising the Costs for Hackers and Their Customers”.

Baker described the current defensive approach to cybersecurity with the following metaphor:

“We are not likely going to defend our way out of this problem”

“In short, we can’t defend our way out of this fix, any more than we could solve the problem of street crime by firing our police and making pedestrians buy better body armor every year.” “I’m not calling for vigilantism, I’m not calling for lynch mobs. But we need to find a way to give the firms doing these investigations authority to go beyond their network.”

“If we don’t do that we will never get to the bottom of most of these attacks,”

The theorized offensive approach has been debated for a long time; opponents argue that it represents a threat to civil liberties and to users’ privacy.

Recently White House sources revealed to the New York Times that it was closing a deal that would levy steep fines against any website or internet service, including those based in foreign countries, that refused to support an FBI request to introduce built-in wiretapping access within 30 days of receiving a court order.

Under discussion is not only the possibility of installing backdoors into popular and commonly used services and applications; much disputed is also the willingness of law enforcement to use malware to conduct investigations, conduct that constitutes a flagrant violation of citizens’ privacy.

Mikko Hypponen, the chief research officer at F-Secure, commented on the use of state-sponsored malware for investigative purposes with these words:

“It’s perfectly understandable why law enforcement wants to use malware,” “It’s an extension to what they’ve been doing with phone taps, internet taps, and using cell phone carriers to track your location — all with a court order.” “However, nothing is as intrusive as having government officials monitoring you through your own computer or smartphone,” “They see your files. They see where you surf. They can collect your passwords. They can watch what you do via your webcam.”

The hearing before the Senate Judiciary Committee also focused on foreign cyber threats: cyber attacks originated by hackers operating in foreign states represent a serious menace against which the defensive approach has proved unsuccessful.

State-sponsored hackers continue to hit US networks and conduct cyber espionage campaigns, stealing intellectual property and sensitive information. Several of the witnesses, including Kevin Mandia, CEO of the security firm Mandiant, blamed Chinese hackers for numerous cyber attacks against the US; Mandiant security experts published an interesting report on the topic in which they demonstrated the involvement of People's Liberation Army hackers.

Sen. Lindsey Graham declared on the Chinese menace:

“Our Chinese friends seem to be hell-bent on stealing anything they can get their hands on here in America,” “We’re going to put nation-states on notice that if you continue to do this, you’ll pay a price.”

Rep. Mike Rogers, known for the debated CISPA act, demonstrated skepticism about the possibility of giving the private sector offensive powers.

“I will guarantee you there will be lots of mistakes made, given the sophistication of nation-states in hiding their hand in activities,” “I get very, very concerned about an unleashed private sector doing active defense, because a lot of things are gonna go wrong, I think,” he declared in February.

I personally think that an offensive approach may be necessary in some contexts, but I do not agree with adopting it, especially in the private sector. The attribution of responsibility in cyberspace is a very sensitive issue, and we would run the risk that a disproportionate number of companies act to the prejudice of their peers in pursuit of a wrong approach to cybersecurity.
The same approach applied to law enforcement should be carefully weighed; the risk is that, in the name of cybersecurity, we end up under an uncomfortable control that undermines civil rights and would represent a threat to freedom of expression.
The discussion is far from simple.

Pierluigi Paganini

(Security Affairs – Cybersecurity)
