Hacked companies fight back with controversial steps

Sun Jun 17, 2012 8:08am EDT

(Reuters) - Frustrated by their inability to stop sophisticated hacking attacks or use the law to punish their assailants, an increasing number of U.S. companies are taking retaliatory action.

Known in the cyber security industry as "active defense" or "strike-back" technology, the reprisals range from modest steps to distract and delay a hacker to more controversial measures. Security experts say they even know of some cases where companies have taken action that could violate laws in the United States or other countries, such as hiring contractors to hack the assailant's own systems.

In the past, companies that have been attacked have mostly focused on repairing the damage to their computer networks and shoring them up to prevent future breaches.

But as prevention is increasingly difficult in an era when malicious software is widely available on the Internet for anyone wanting to cause mischief, security experts say companies are growing more aggressive in going after cyber criminals.

"Not only do we put out the fire, but we also look for the arsonist," said Shawn Henry, the former head of cybercrime investigations at the FBI who in April joined new cyber security company CrowdStrike, which aims to provide clients with a menu of active responses.

Once a company detects a network breach, rather than expel the intruder immediately, it can waste the hacker's time and resources by appearing to grant access to tempting material that proves impossible to extract. Companies can also allow intruders to make off with bogus files or "beacons" that reveal information about the thieves' own machines, experts say.

Henry and CrowdStrike co-founder Dmitri Alperovich do not recommend that companies try to breach their opponent's computers, but they say the private sector does need to fight back more boldly against cyber espionage.

It is commonplace for law firms to have their emails read during negotiations for ventures in China, Alperovich told the Reuters Global Media and Technology Summit. That has given the other side tremendous leverage because they know the Western client company's strategy, including the most they would be willing to pay for a certain stake.

But if a company knows its lawyers will be hacked, it can plant false information and get the upper hand.

"Deception plays an enormous role," Alperovich said.

FIGHTING BACK

Other security experts say a more aggressive posture is unlikely to have a significant impact in the near term in the overall fight against cybercriminals and Internet espionage. Veteran government and private officials warn that much of the activity is too risky to make sense, citing the chances for escalation and collateral damage.

"There is no business case for it and no possible positive outcome," said John Pescatore, a National Security Agency and Secret Service veteran who leads research firm Gartner's Internet security practice.

Nevertheless, the movement shows the deep anger and sense of futility among security professionals, many of whom feel that a bad situation is getting worse, endangering not only their companies but the national economy.

"There's nothing you can do" to keep determined and well-financed hackers out, said Rodney Joffe, senior technologist at Internet infrastructure company Neustar Inc and an advisor to the White House on cyber security.

Joffe recently looked at 168 of the largest 500 U.S. companies by revenue and found evidence in Neustar forensic logs that 162 of them owned machines that at some point had been transmitting data out to hackers.

Frustration among security professionals is not new. Some privately admitted to rooting for Lulz Security last year during that hacking group's unprecedented spree of public crimes, when it broke into and embarrassed Sony Corp, an FBI affiliate and others with routine hacking techniques. They said the resulting media coverage finally caught the attention of CEOs and legislators, although tougher cyber security laws have yet to pass Congress.

Although some strike-backs have occurred quietly in the past, Facebook popularized going on offense, said Jeff Moss, founder of the influential Black Hat security conferences and an advisor to the Department of Homeland Security.

In January, Facebook Inc named some of the Russian players behind the malicious "Koobface" software that spread through spam on various social networks, earning the gang an estimated $2 million.

INDUSTRY FAILURES

The security industry's shortcomings were underscored most recently by the discovery of the Flame spying virus in the Middle East.

Mikko Hypponen, the well-regarded chief research officer at Finland's F-Secure Oyj, told the Reuters Summit his company had a sample of Flame in 2010 and classified it as clean and later missed another virus called Duqu that was suspected of being backed by Western governments.

"These are examples of how we are failing" as an industry, Hypponen said. "Consumer-grade antivirus you buy from the store does not work too well trying to detect stuff created by the nation-states with nation-state budgets."

Because some national governments are suspected in attacks on private Western companies, it is natural that some of the victims want to join their own governments to fight back.

"It's time to have the debate about what the actions would be for the private sector," former NSA director Kenneth Minihan said at the RSA security conference held earlier this year in San Francisco.

In April, Department of Homeland Security Secretary Janet Napolitano told the San Jose Mercury News that officials had been contemplating authorizing even "proactive" private-entity attacks, although there has been little follow-up comment.

Many large security providers no longer preach that keeping the enemy out is paramount. Instead, they adopt the more recent line taken by the Pentagon, which is to assume that hackers have gotten inside and will again.

The mainstream advice now is to focus on trying to detect suspicious activity as quickly as possible in order to shut it down.

Hitting back with force is only the most colorful of possible responses after that. More common alternatives include deep analysis of what data has been sent out and attempts to learn whether the recipients were competitors, criminals who might try to resell it, or national governments, who might be inclined to share it with local industry.

Some experts also say executives should identify their most prized intellectual property, keep it off networked computers and consider evasive action - such as having 100 versions of a critical digitized blueprint of which only one is genuine, with the right one never identified in emails.

"There is a reason that people fly halfway around the world to have a one-hour meeting," Joffe said of intelligence agencies.

(Reporting by Joseph Menn in San Francisco, Editing by Tiffany Wu)

Comments (17)
Miguel526 wrote:
This "game" could slowly begin to get tougher, wherein hackers could end up with government gunmen crashing into their homes or those of their associates with the most violent results. This could occasionally become world-wide, bringing lethal ends to some of these hacker operatives in lands far, far, away, or right around the corner. Mercenaries could even get into the act. Who'd notice if some guy in Russia, Africa, Milan, London, or Chicago just up and died?

Or, some entities could begin responding with tremendous computer tough-guy stuff meant to crash back into and wreck intruding hacker systems. But maybe just leaving bad info out there may seem like the cheapest defense. Sending high company or government officials across the world for the one hour meeting mentioned at the end of the story may actually be the cheapest and most effective defense.

But, still, even those contemplated private meeting efforts would be no defense against Obama-administration-style leaks from the top with which Obama’s people assaulted the world’s stage of mutual respect at the intra-governmental level.

Jun 17, 2012 11:27am EDT
DJS_TX wrote:
We live in a whacked out, evil world. Some of us practice breaking into computers – breaking down their security. Governments practice this as a form of cold war style warfare. Companies practice deception to fool people into: a) buying products; b) violating privacy. Wouldn't it be fascinating to see what Google, Yahoo, Microsoft, or the US government has compiled about you? We thought the East German Stasi was an effective gathering agency for information about citizens. They had incredible files on people that are on display to this day. Google has re-invented all that with massively improved collation of data. Big Brother is here. Every email you send, every ad you post, every forum message you write – it's all part of your permanent record. And they will use it against us. Not to help us, because big government and big business are paranoid to the extreme.

Jun 17, 2012 11:37am EDT
InfowarsCom wrote:
Notice how we’ve been seeing lots of these articles as the govt lobbies for CISPA passage but no mention of Lulz connections to the CIA.

LulzSec’s FBI Informant Leader Hinted at CIA Connection

infowars.com/lulzsecs-fbi-informant-leader-hinted-at-cia-connection

The govt demands back doors be built in so it can spy, so if it is true nothing can be done to keep the well financed from spying, well there you go.

Jun 17, 2012 11:47am EDT