Hackers use corporate attacks as staging grounds for other cyber assaults




"There may be law enforcement watching it," said Charles Shugg, a retired Air Force brigadier general who once headed the U.S. Air Force Cyber Command and who spoke yesterday on a panel at the RSA Conference on how far IT managers can go to "hackback" against network attackers they happen to detect. But you might be stepping into something bigger than you know, because "an undercover agent may witness crimes taking place and not stop them in hopes of getting them," said Shugg.


It's just another wrinkle in the world of cybercrime that's invaded corporate networks, whether it be suspected Chinese spies stealing important intellectual property, remotely-controlled botnets and cybercrooks from everywhere making off with what they can, or hacktivists out to score political points. Increasingly, IT managers want to strike back through electronic means against these invaders when their detection systems spot them. But can they counter-strike? U.S. law doesn't suggest that retaliation is much of an option, the panelists at the RSA Conference said.

For one thing, what is thought to be the attacker's lair, and so the target of any counterstrike, may in reality be just another corporate network that's been compromised. An IT manager who wants to take steps to definitely stop certain actions is moving into an area that's immediately dominated by legal and insurance considerations.

It would be a better world if IT managers could reach out across corporate boundaries and one could tell another about what's perceived to be an attack based on malware coming from the other's network and quickly snuff it out. But that appears to be a rarity today, where warnings from outsiders contacting companies are often ignored. Instead, it's the company lawyers that will be needed to try and resolve serious problems that seem to emanate from other corporate networks.

Serge Jorgensen, CTO at Sylint Group, the Sarasota, Fla., firm that provides incident response and remediation services, pointed out that one legal option would be seeking a temporary restraining order (TRO) from a judge against what is seen as the offending entity where the cyber-attack appears to originate.

"But what does that really allow you to do? Does that mean you have a legal right to go to their server to find the malware? No," said Jorgensen. So after the TRO is issued by a judge, there's still no solution to the problem. It's just the legal train leaving the station, and what might ensue are negotiations intended to really solve the problem. But these could be fraught with worries over litigation and insurance concerns in today's world. That's when the meter starts ticking in terms of time and money. Issues of liability will surface, and the two parties could end up going after each other while the attacker makes off.

Attorney Jon Stanley, who also spoke on the panel at RSA, says any company that believes it is under cyberattack faces another consideration: the company may need to notify its insurance carrier. Then there may be a decision to call law enforcement or not. The sad and ironic aspect of a company that's a "legal entity" being used as a proxy for an attacker is that a legal discussion will ensue between what are basically two victimized companies now wary of each other. And it's happening in a legal environment where there's "almost no guidance in case law," said Stanley. "You'll quickly find yourself in no man's land." Concepts of aggression and disorder simply haven't been clearly defined, he said.

Shugg noted that in the midst of such a cybercrime episode, there may also be the presence of law enforcement trying to quietly monitor what's going on, especially when the stakes are high. "Law enforcement may be putting a case together," he said, and you may be stepping into something bigger than you think.

Shugg said he thinks that the courts in this country are split on how far anyone can go to push back against an attacker. However, Eric Hibbard, CTO for security and privacy at Hitachi Data Systems, who also spoke on the panel, said he considers attackback to be "very dangerous" as a path to go down. It raises the question, "what's an adequate defense before you move to counter?" and other questions, such as why were you compromised to begin with, have you not patched your systems in a long time?

But it's all pretty murky. When asked what the law of trespassing we have today for the physical world might mean in cyberspace in terms of repelling an attacker or striking back, Stanley said anyone who wants to do it and defend that practice will probably end up as the test case for the rest of us. "I'd advise not to strikeback. Somehow we have to stop this in the inside."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.
