In this article we will learn about a new option for cyber defense: active defense and "hacking back".
Introduction
The number of cyber attacks continues to grow year after year, and the campaigns are becoming more and more sophisticated.
With increasing emphasis, the IT security industry refers to the concept of active defense, the ability to act in anticipation of a cyber attack and to counter it.
This approach is not new; it is the result of frustration in dealing with brazen attackers who continue their raids undisturbed.
In early 2013, the company CrowdStrike unveiled its offensive approach to cyber security. The company revealed details related to the takedown of thousands of nodes of the famous Kelihos botnet. In the same period, the company launched the Falcon platform, a system that uses big data to perform a range of “active defense” operations, including “real-time detection of adversary activities, threat actor matching, response flexibility, action and intelligence dissemination.”
Law enforcement and intelligence agencies, private firms and security companies are publicly discussing the possibility of adopting a new approach to defending their assets: hacking back against the attackers.
What does an “offensive approach” mean for cyber security?
The numerous successful cyber attacks observed by security firms prove that purely defensive measures are no longer effective in mitigating the risks of a cyber attack.
More and more often, experts are evaluating the possibility of hitting attackers with the same weapons they use to target businesses and government organizations.
Offensive defense opens the possibility of hitting attackers with malware capable of neutralizing them, or of launching DDoS attacks against their command and control infrastructure.
The basic components of the offensive approach are attribution of the attack, through the collection of clues that allow investigators to trace the hackers back, and retaliation, to persuade the attackers to change their behavior.
Stewart A. Baker, a partner at Steptoe & Johnson LLP, testifying before the Judiciary Committee’s Subcommittee on Crime and Terrorism in “The Attribution Revolution: Increasing Costs for Hackers and Their Customers,” described the purely defensive approach to cybersecurity with the following metaphor:
“We probably won’t be blocking our way out of this problem. In short, we can’t fight our way out of this fix any more than we can solve the problem of street crime by firing our police and making pedestrians buy better bulletproof vests every year.”
“I am not calling for vigilantism, I am not calling for lynching. But we have to find a way to give the companies doing these investigations the power to cross their network.”
“If we don’t do that, we’ll never get to the bottom of most of these attacks.”
Government and hacking back
One of the first governments to publicly announce “hacking back” as part of its active defense strategy is the UK.
British experts believe that “old outdated IT systems used by many organizations in the UK” could easily be targeted by hackers causing serious problems.
The UK has announced its intention to strike back against nation state actors targeting critical national infrastructure.
Chancellor Philip Hammond unveiled a £1.9 billion package to boost the government’s defenses against cyber threats as part of a five-year national cyber security strategy. He promised retaliatory countermeasures in response to state-sponsored attacks.
The UK government’s strategy has a five-year plan and aims to “work to reduce the impact of cyber-attacks and raise security standards in both the public and private sectors”.
The cyber defense model the UK intends to adopt involves hack back operations against attackers threatening national security. Hammond explained that hack back is an alternative to open conflict, a proportionate measure in response to cyber attacks by foreign hackers.
Speaking ahead of the launch, Hammond said Britain must “keep up with the scale and pace of the threats we face” and insisted the new funding “will enable us to take even greater steps to defend in cyberspace and strike back when we are attacked,” The Guardian reported.
“The money – which almost doubles the amount set for a similar strategy in 2011 – will be used to improve automated defenses to protect citizens and businesses, boost the cyber security industry and deter attacks by criminals and ‘hostile actors’.”
Hammond stressed the importance of securing critical national infrastructure and businesses from nation-state hackers.
“We will deter those who seek to rob us or harm our interests,” Hammond said at Microsoft’s Future Decoded conference in London recently. “We will strengthen law enforcement to increase costs and reduce rewards,” he said of criminal attackers.
This is just the first step forward on cyber security; he promised that the UK would “continue to invest in cyber defense capabilities”, particularly technology that could enable the UK’s cyber army to track down and defeat state-sponsored hackers.
“If we don’t have the ability to respond in cyberspace to an attack that destroys power grids or air traffic control systems, we are left with the impossible choice of turning the other cheek or resorting to a military response – that’s a choice we don’t want to face.”
“Undoubtedly, a campaign of escalating cyber attacks would be a precursor to any conflict between states. We will not only defend ourselves in cyberspace, but if attacked, we will strike back.”
Hammond, who chairs the Cabinet’s cross-departmental cyber security committee, also listed high-profile cyber attacks against Britain’s critical infrastructure.
The active defense model implemented by the UK government includes a new generation of software to detect and repel cyber attacks, as well as the creation of dedicated cyber units.
Hammond pointed to the recent deployment of an app that was able to stop 50,000 fraudulent emails from scammers pretending to be government agencies.
The Chancellor also referred to the TalkTalk data breach which exposed details of 156,959 customers and which led the Information Commissioner to fine the company £400,000.
“CEOs and boards need to recognize that they have a responsibility to manage cyber security,” Hammond said.
Hammond also emphasized that private businesses, which are a privileged target for hackers, must adopt the right security posture.
“Similarly, technology companies must take responsibility for incorporating the best possible security measures into the technology of their products. Getting this right will be key to keeping Britain at the forefront of digital security technology.”
The UK government is not alone in pushing for an offensive approach in dealing with cyber attacks fueled by nation state actors.
Under the PRC Cyber Security Law (Second Consultation Draft) (the “2nd Draft”), the Beijing government plans to freeze assets and take further action against foreign hackers who threaten national infrastructure.
The second draft of China’s Cyber Security Law has been submitted for third reading at the National Congress.
The decision is a clear signal to foreign governments that China intends to respond to attacks launched from cyberspace against the country’s infrastructure.
China’s main adversaries include the US government, which has collected evidence of Chinese hacking campaigns over the years.
Tensions between the two governments are high, especially in light of the numerous espionage campaigns waged by Chinese state-backed hackers against the US government and businesses.
In any case, the US government’s approach to the concept of active defense is no less aggressive.
In April, the US Supreme Court approved amendments to Rule 41 that allow US judges to issue search warrants for hacking into computers located outside their jurisdiction.
Under the original Rule 41, a judge could only authorize the FBI to hack into computers in the same jurisdiction, but the changes give US authorities more powers.
A spokesman for the US Department of Justice clarified that the change does not authorize any new authorities not already authorized by law.
US Chief Justice John Roberts has submitted the rules to Congress, which has until Dec. 1 to decide whether to apply the modifications or reject them entirely. If Congress doesn’t vote on the rules, they go into effect automatically.
The US Department of Justice explained that the changes were introduced to modernize the criminal code for the digital age, as reported by Reuters.
“The US Department of Justice, which has pushed for the rule change since 2013, described it as a minor adjustment needed to modernize the criminal code for the digital age and said it would not authorize searches or seizures that are not already legal,” Reuters reports.
The new rules drastically expand the FBI’s ability to conduct hacking campaigns on computer systems located anywhere in the world.
US authorities would use hacking tools, spyware and exploits to compromise computers around the world to mitigate cyber threats and investigate potential homeland security threats.
According to Democratic Senator Ron Wyden of Oregon, changing the rule will have “significant implications for the privacy of Americans.”
“Under the proposed rules, the government could now obtain a single warrant to access and search thousands or millions of computers at once; and the vast majority of affected computers would belong to victims, not cybercriminals,” Wyden said.
A spokesman for the Department of Justice confirmed that the new rules are the authorities’ response to the increased use of “anonymizing” technologies by threat actors.
Time is running out and the US now has a few weeks to prevent the FBI from getting a global license to hack into computers around the world in the name of defense.
In any case, the US government has been working on proactive defense systems for a long time.
In 2014, Edward Snowden highlighted the risks of using automated attacks in response to an offensive against the US. The popular whistleblower explained that the US government was developing a system codenamed MonsterMind that is capable of automatically responding to cyber attacks against its infrastructure.
Of course, these kinds of systems can fail to attribute attacks with unpredictable diplomatic and technological consequences.
“An NSA whistleblower says the agency is developing a cyber defense system that would instantly and autonomously neutralize foreign cyber attacks against the US and could also be used to launch retaliatory strikes. The program, called MonsterMind, raises new concerns about privacy and government policy regarding offensive digital attacks,” according to an article published by Wired Magazine.
Snowden did not provide information about the capabilities of the MonsterMind platform or specify the nature of the counterstrike. “Hacking back” can be done by running malicious code against the attacking system or simply by disabling any malicious tools on that system to render them unusable.
Such a defense program obviously has several disadvantages: an attack by a foreign government would likely be routed through proxy infrastructure hosted in another state not involved in the conflict. For example, attackers can use a botnet composed of machines located in an uninvolved country. A counter attack could therefore hit this innocent country, with serious consequences.
Imagine if Russia decided to launch a DDoS attack against US systems, but the attacker was able to spoof another country’s IP addresses or route the malicious traffic through that country’s infrastructure; an automated retaliatory attack could then hit the wrong country instead of Russian networks.
“These attacks can be spoofed. You could have someone sitting in, say, China to make it look like one of these attacks is coming from Russia. And then we end up with a shootout in a Russian hospital. What happens next?” Snowden asked.
Attribution is not the only issue with a MonsterMind deployment; Snowden added that an automated system like this needs to take in a significant amount of data, including the network traffic of all private communications coming into the US, which poses a threat to the privacy of US citizens. MonsterMind needs this data to effectively distinguish normal network traffic from anomalous or malicious traffic.
“If we analyze all traffic flows, that means we have to capture all traffic flows. That means violating the Fourth Amendment, seizing private communications without a warrant, probable cause, or even suspicion of wrongdoing. For everyone, all the time,” he added.
Cryptographer Matt Blaze, an associate professor of computer science at the University of Pennsylvania, said the algorithm implemented by the automated scanning system Snowden describes is similar to those underlying the Einstein 2 and Einstein 3 programs developed by the government. Both use network sensors to identify malicious attacks.
From information warfare to cybercrime: the possibility of “hacking back”
Active defenses could be adopted against any cyber threat, regardless of the attackers’ motivations.
Take the Mirai botnet, for example, which was recently involved in a massive DDoS attack that targeted the Dyn DNS service and caused an internet outage in the US a few weeks ago.
Its source code was leaked on Hackforum, a popular hacking forum, by a user with the nickname “Anna-senpai”, giving anyone the opportunity to compile and modify their own version of the threat.
Experts who examined the code discovered a weakness that could be exploited to disable the botnet, preventing it from flooding its targets with HTTP requests; in other words, it is possible to hack the threat back. Invincea experts discovered three vulnerabilities in the Mirai code, one of which, a stack overflow, can be exploited to stop a botnet-powered DDoS attack. The buffer overflow vulnerability affects the way Mirai parses HTTP responses.
“Perhaps the most significant finding is a stack overflow vulnerability in the HTTP flooding attack code. Misusing it will cause a segmentation fault (i.e. SIGSEV), crash the process, and therefore terminate the attack from this bot. The vulnerability is related to how Mirai handles the HTTP Location header, which can be part of an HTTP response sent from an HTTP flood request,” said an analysis published by security firm Invincea.
This kind of attack against Mirai bots would not help against a DNS-based DDoS attack like the one on the Dyn provider, but it would stop the layer 7 attack capabilities of the Mirai botnet as implemented in the code leaked online.
Invincea researchers successfully tested the proof-of-concept exploit in a virtual environment by setting up a Mirai bot debug instance, a command and control server, and a target computer.
“This simple ‘exploit’ is an example of an active defense against an IoT botnet that any DDoS mitigation service could use to defend against a real-time Mirai-based HTTP flood attack. While it cannot be used to remove a bot from an IoT device, it can be used to stop an attack originating from that particular device. Unfortunately, this is specific to an HTTP Flood attack, so it wouldn’t help mitigate the recent DNS-based DDoS attack that took down many websites.” explained Scott Tenaglia, director of research in the cyber capabilities team at Invincea Labs.
The method designed to blunt the attack power of the Mirai botnet is a classic example of active defense; Tenaglia noted that the technique does not clean compromised IoT devices and is only effective against HTTP flooding.
The method proposed by the researchers is a form of active defense with important legal implications, because even though one is defending their own system against an attacking force, it is still an attack against the attacker’s infrastructure.
We cannot forget that the practice of hacking back is illegal under the Computer Fraud and Abuse Act.
Hacking a bot means unauthorized access to a computer system, and such operations must be authorized by a court order.
A hack back could be a good choice against cyber threats like the Mirai botnet or any other attack supported by state-sponsored hackers.
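The bug class described above, as an added illustration in C that is not Invincea’s analysis code nor Mirai’s source: a hypothetical redirect-following flood client copies the server-controlled Location header into a fixed-size stack buffer, shown beside a bounded version that measures the value first and refuses one that would not fit.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical illustration of the bug class Invincea described in Mirai's
 * HTTP flood code. NOT Mirai's source: the client follows a redirect by
 * copying the Location header of a response, whose content the target
 * server fully controls, into a fixed-size stack buffer. */

#define LOC_MAX 128

/* Pointer to the value of the first "Location:" header in a raw HTTP
 * response (header names are case-insensitive), or NULL if absent. */
static const char *find_location(const char *resp) {
    const char *p = resp;
    while ((p = strchr(p, '\n')) != NULL) {
        p++;
        if (strncasecmp(p, "Location:", 9) == 0) {
            p += 9;
            while (*p == ' ' || *p == '\t') p++;
            return p;
        }
    }
    return NULL;
}

/* Unsafe pattern: the value is copied up to the line break with no length
 * check, so a Location value longer than LOC_MAX overruns the stack frame.
 * That is the crash (SIGSEGV) the article describes. Only ever called here
 * on a short, benign response. */
static void follow_redirect_unsafe(const char *resp) {
    char loc[LOC_MAX];
    const char *v = find_location(resp);
    size_t i = 0;
    if (v == NULL) return;
    while (v[i] != '\0' && v[i] != '\r' && v[i] != '\n') { loc[i] = v[i]; i++; }
    loc[i] = '\0';
    printf("redirect -> %s\n", loc);
}

/* Hardened version: measure first, copy only if it fits, so the remote
 * server can never choose the copy length. Returns the value length, or
 * -1 when the header is absent or oversized (caller treats as "no redirect"). */
int extract_location(const char *resp, char *out, size_t outsz) {
    const char *v = find_location(resp);
    size_t n;
    if (v == NULL || outsz == 0) return -1;
    n = strcspn(v, "\r\n");              /* header value ends at the line break */
    if (n >= outsz) return -1;           /* would overflow: refuse */
    memcpy(out, v, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample: a 302 whose Location value is 'len' bytes of 'A',
 * fed to the hardened extractor with a LOC_MAX-sized destination. */
int demo_oversized(size_t len) {
    char resp[1024], out[LOC_MAX];
    size_t hdr;
    if (len > 900) len = 900;            /* keep the constructed sample in bounds */
    hdr = (size_t)snprintf(resp, sizeof resp, "HTTP/1.1 302 Found\r\nLocation: ");
    memset(resp + hdr, 'A', len);
    strcpy(resp + hdr + len, "\r\nContent-Length: 0\r\n\r\n");
    return extract_location(resp, out, sizeof out);
}

int main(void) {
    char out[LOC_MAX];
    const char *ok = "HTTP/1.1 302 Found\r\nlocation: http://example.test/x\r\n\r\n";
    follow_redirect_unsafe(ok);                                          /* short value: fine */
    printf("bounded, normal: %d\n", extract_location(ok, out, sizeof out)); /* 21 */
    printf("bounded, oversized: %d\n", demo_oversized(2 * LOC_MAX));       /* -1 */
    return 0;
}
```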
One of the most interesting examples is offered by the events related to the presidential election and the alleged interference of Russian state-sponsored hackers.
The numerous attacks seen in recent months are triggering a US response.
For the first time, a member of the US presidential staff has publicly called out another country in response to a cyber attack, the hacking campaigns that have been targeting US politicians for months.
The Office of the Director of National Intelligence and the Department of Homeland Security issued a joint security statement accusing the Russian government of a series of hacks into the networks of US organizations and state election commissions involved in the presidential election.
“The U.S. Intelligence Community (USIC) believes the Russian government directed recent compromises of emails from US individuals and institutions, including US political organizations. Recent revelations of alleged hacked emails by sites such as DCLeaks.com and WikiLeaks and by the online persona Guccifer 2.0 are consistent with the methods and motivations of a Russian-led effort. These thefts and disclosures are intended to interfere with the US election process,” the statement said.
“We will take measures to protect our interests, including in cyberspace, and we will do so at a time and place of our choosing,” a senior administration official told AFP.
“The public should not assume that they will necessarily know what actions have been taken or what actions we will take.”
Two weeks ago, US Vice President Joe Biden explained during an interview with NBC that a “message” would be sent to Russian President Vladimir Putin over alleged hacking.
It is a historic declaration: the first time in a diplomatic context that a member of the government has invoked a cyber attack as a deterrent.
NBC News revealed that the CIA was preparing a retaliatory cyber attack “designed to harass and ’embarrass’ the Kremlin leadership.” According to a senior intelligence official and top-secret documents obtained by NBC News, US hackers have already penetrated Russia’s power grid, telecommunications networks, as well as Russian command systems.
“U.S. military hackers penetrated Russia’s power grid, telecommunications networks and the Kremlin’s command systems, making them more vulnerable to attack by covert U.S. cyber weapons should the U.S. deem it necessary, according to a senior intelligence official and top-secret documents reviewed by NBC News,” NBC News reported.
The documents confirm that the US government is capable of striking back at Russia in response to the latest wave of attacks against the presidential election.
U.S. intelligence agencies do not believe that Russian hackers will target critical national infrastructure, instead fearing that Russia could disrupt the presidential election by releasing fake documents or spreading disinformation using PSYops campaigns.
NBC News has confirmed that the US government is establishing a special response team to prevent and repel any attack on the presidential election. In what experts say is an unprecedented effort, the US cyber military is ready to use its cyber weapons against any adversary that seeks to interfere with political appointments.
“U.S. military officials often say in general terms that the U.S. has the most advanced cyber capabilities in the world, but will not discuss the details of highly classified cyber weapons,” NBC News wrote.
“James Lewis, a cyber expert at the Center for Strategic and International Studies, says the U.S. hacking into the computer infrastructure of hostile countries like China, Russia, Iran and North Korea — something he says he has anticipated for years — is akin to a kind of military exploration that is as old as human conflict.”
“This is just a cyber version of that,” he said.
On the other hand, the NSA justifies its approach to active defense by saying that its hackers regularly break into foreign networks to obtain intelligence.
“You’d get access to the network, you’d create your presence on the network, and then you’re ready to do whatever you want with the network,” Gary Brown, a retired colonel and former legal adviser to the U.S. Cyber Command, told NBC News. “Most of the time you can use it to gather information, but the same approach can be used for more aggressive activities.”
A senior US intelligence official has confirmed that the US could take steps to shut down some Russian systems in the event of Russian cyberattacks.
“I think there are three things we should do if we see a significant cyber attack,” he said. “The first is clearly fighting back against it. The second is disclosure: we should disclose what happened so that any kind of cyber fraud can be exposed. And third, we should respond. Our response should be proportionate,” retired Admiral James Stavridis told NBC News.
Active defense is one possible approach by governments and private organizations in response to growing cyber threats.
However, we cannot forget that cyberspace has no physical boundaries; such defensive behavior could have serious implications for any entity in this new domain.
Despite the ethical and legal issues, governments are certainly one step ahead of private industry in dealing with active defense.
I consider the choice to adopt reverse hacking measures as part of an active defense model to be very dangerous despite the obvious failure of the traditional defensive approach.
One of the main obstacles to the offensive defense culture is the absence of a broad consensus on what “hacking back” means; offensive security is a relatively young concept that is not yet regulated by a globally recognized legal framework.
I do not rule out adopting an offensive approach in some contexts, but I fear an indiscriminate spread in the private sector.
Let me close with a view from Zulfikar Ramzan, CTO, RSA:
“It’s important to note that active defense and hack back are not synonymous, although the two terms are often intertwined. Hack back is only one tactic in the active defense list. It is treading on a slippery slope. Legal considerations aside, it’s easy to make a mistake when you hack back and accidentally go after the wrong source. You can also effectively poke the bear in the process and risk facing serious retaliation. Ultimately, hacking back takes your eyes off of understanding how attackers got in and what else you can do moving forward.
Organizations would do well to consider active deception techniques instead. Not only do these techniques significantly slow down attackers, they also allow you to see first-hand how attackers can exploit weaknesses in your IT infrastructure, allowing you to make intelligent decisions to address the issues at hand. We live in a world where we can’t just work hard to stop bad guys; instead, we have to work smart.”