Active defense and "hacking back" with Jonathan Braverman from Cymmetria
Dave Bittner: [00:00:00:17] Thanks again to all of our supporters on Patreon, the support we receive there helps us provide the daily news that you come to rely on. We hope you'll check it out at Patreon.com/thecyberwire
Dave Bittner: [00:00:14:19] Our podcast team is taking a break this week from the daily news, but don't fret, you can get your daily dose of cyber security news at our website thecyberwire.com. In the meantime we've got interviews for you this week, some interesting people we've talked to through the year, so stay with us.
Dave Bittner: [00:00:36:04] And now a holiday message from our sponsor Nehemiah Security. 'Twas the night before the board meeting, when all through HQ not a C-level was stirring, even finance was a snooze. Reports were all stacked in the boardroom with care in hopes that the members would not pull out their hair. But the CISO however was pacing the ground, mostly because he had no biometrics to sound, and the head of IT, in front of long log reviews, had just settled his brain after full backup number two. When out of the SIEM alarms started to fly, they looked at each other and did not know why. Away to the reports they flew like a flash to see which malware showed up as a hash. If only they knew where exploitables lay, it could sort them and treat them in an intelligent way. Showing true business impact and real dollars lost, could cyber finally be a justifiable cost? With Nehemiah Security so ready to assist, converting cyber into dollars is impossible to resist. More rapid than eagles, the RQ dashboard it came, instantly upping their cyber risk game. Now dollars, now cents, now recommendations, on threats, on exploits, financial justifications. To the top of the budget the CISO's report flew, smart cyber investments, now everyone knew. To hear the rest of the story visit nehemiahsecurity.com
Jonathan Braverman: [00:02:10:02] Most people, when you think of hacking back, are referring to the digital equivalent of Batman.
Dave Bittner: [00:02:15:05] That's Jonathan Braverman, he's general counsel at Cymmetria, a company that describes itself as providing deception-based cyber security solutions against advanced cyber threats. Our conversation centers on hacking back and Braverman's belief that today's legal framework for doing so is inadequate.
Jonathan Braverman: [00:02:34:12] They are referring to the digital equivalent of Batman. That's identifying a criminal, chasing him down and beating him down on the street, and that's a very narrow view of what hacking back actually is, because if you take the time to consider a lot of things that you do as part of incident response, if you reframe the action or if you rethink it, it fits into the spectrum of hacking back, and I'll give you an example.
Jonathan Braverman: [00:03:00:04] If the hacker connects to my system and his attacking tool has in plain text his user name and his password, and I try to connect to that service, is that hacking back? Most people would say yes, and they would say that it's illegal. Most people would be right in saying that that's illegal, because you're gaining access to a system that's not yours and you're essentially committing computer trespass. But it's something that absolutely every company that does incident response has done at some point or another in their history. Or what about engaging the attacker in your system by replacing actual files with honey docs, or with files that are corrupted at the source, so that when the attacker downloads them to his C&C server or to his drop zone they are either inoperable or unreadable? Is that hacking back? It really does depend on how you define the engagement with your attacker. So the way at least we at Cymmetria look at it is that hacking back is essentially the forbidden part of incident response.
Dave Bittner: [00:04:02:06] So does that give the bad guys an unfair advantage?
Jonathan Braverman: [00:04:05:08] Definitely. One of the interesting things about computer law and cyber law is that it has a lot in common with international humanitarian law in that respect. And that is that the bad guys have weaponized the protections of the law, because if you look at the provisions of the Computer Fraud and Abuse Act, for example, there's a lot of sense behind a prohibition on causing damage to a computer system either knowingly or through reckless action. It makes a lot of sense that if the attacker is using a hospital as a drop zone, I shouldn't be allowed to drop my own malware into that server. Nobody in their right mind is going to disagree with a prohibition on that. But that does put the bad guys into an advantageous position, quotation marks around advantageous, because they don't have to worry about law enforcement, and when I as a cyber security practitioner have to fear the regulator more than I have to fear my attacker, that does bring to mind several questions, the most important of which is: is it not time to reform the law so that I can get back to actually defending myself?
Dave Bittner: [00:05:11:04] So are you suggesting that some policy adjustments are needed?
Jonathan Braverman: [00:05:16:02] I think it would be most beneficial to rethink some of the limitations that are currently used, or at the very least to allow the practitioner some more liberal interpretation of the existing laws. Now again, I don't think I can stress enough that the prohibition on causing damage intentionally is something that we can definitely get behind. We're not proposing that it's a good idea to plant your own kind of malware or your own kind of crypto locker for an attacker to get into your systems, because you never know what the consequences are going to be. But there needs to be some discussion as to whether or not the intent of my access to a computer has to matter for something. And if I go back to my original example, if the attacker has given me his credentials in clear text inside an attacking tool that he has used to connect to my network, it is simply illogical that I can't connect to a C&C server to perform triage on the kind of information that has been stolen, or to find out what kind of damage he has caused to my organization, because I'm afraid of computer trespass. If I'm more afraid of the Department of Justice's interpretation than of my attacker, I think policy needs to change.
Dave Bittner: [00:06:29:14] That's interesting, I mean the analogy I hear used quite often is that if, you know, my neighbor breaks into my house and steals something from me, I can't just go back into their house and take it back. That I would be guilty of trespassing by going into their house.
Jonathan Braverman: [00:06:43:08] In many ways this is an apt analogy, but in other ways it's an inapt analogy, and I'd like to focus on why it's not necessarily an accurate comparison. The first point that needs to be considered here is that if your neighbor breaks into your house and steals your television, your television is gone. If somebody attacks your system and copies your files, your files are still there. So the kind of damage you're trying to prevent is different. You're trying to prevent the disclosure of information, not the theft of information, because you still have the original. So in that sense I need to do triage to know what he has taken. In the physical world I know my TV is missing. It's a different level on the kind of activity that I'm doing. First I need to do triage so that I know if I have to do a breach notification to a hundred and forty-three million possible users, like in Equifax, or if I can limit myself to three million users, which is huge in terms of what a company is supposed to do. And second of all, if I go into my neighbor's house and use violence against him, then yes, that's rightly forbidden, and that's exactly my point. I don't want to do anything outside my system that causes damage to either an intermediary or to my neighbor. But the second part here is that if my neighbor breaks into my house and steals my television or my possessions, I can call the police, and the police are the people who are supposed to use force to either arrest my neighbor and get me my things back or bring him to justice. And this is something that sadly is simply not feasible in terms of cyber security. First of all, because I don't know who broke into my house. I don't necessarily know who my attacker is. I have difficulty in attribution, and part of the actions that I need to do to better gain attribution, or to gain better attribution more likely, is that I need to look at where the files have been taken to, and I need some forensic data at the C&C level or at the drop zone level, which I currently can't obtain. So I can't even go to law enforcement and say who I suspect, because I have no idea who to suspect.
Dave Bittner: [00:08:42:12] We're a bit in the wild west these days when it comes to these things, where you have to defend yourself, I suppose. Is this part of the case you're making?
Jonathan Braverman: [00:08:50:17] It's not that we're in a state of lawlessness, as most people think of the wild west, it's more that we're in a situation where the law is simply inept to the situation and it's not applicable to the daily challenges. My hands are tied in the fact that I don't know what my limitations are, and no cyber security practitioner wants to be the case that is tried, as in, OK, that's the limit. It's not that I'm afraid of breaking the law, it's that I don't know how to apply existing legal norms or regimes. Take for example computer trespass. I don't know what access means in regards to the CFAA, and there's not sufficient jurisprudence to give me sufficient comfort when I have to answer an engineer's question as to whether or not I've gained access to a computer if I plant a beaconing device that, whenever a Word file or an Excel file is opened, sends over the IP address, the operating system language and version, and the geolocation of where the file is opened. I don't know if I've gained access to a computer or not in that scenario. And if I've gained the access, then I've committed a felony. That doesn't make any technical sense.
Dave Bittner: [00:10:04:02] So what do you propose? In an ideal world, what's the scenario that we'd be operating under?
Jonathan Braverman: [00:10:10:16] In an ideal world we'd have some kind of consideration to intent. Currently the law is content neutral, so as I've said before, the bad guy has the advantage of being able to weaponize the law against me. If somebody connects a Raspberry Pi inside my network, I can disconnect that device physically, but I can't execute a program that disconnects it digitally, because there's a specific prohibition in the CFAA on causing damage to the availability of the system. That kind of awkwardness needs to end. If I can protect my system and I can demonstrate I have been acting within the minimal damage possible with the intent of defending my network, I should have some level of comfort, or at least some level of certainty, that I'm not going to be prosecuted for my actions. And if I'm not going to be able to gain that kind of confidence, or if nobody is going to be willing to give me the assurance that I need, that I can defend myself, then it's time for the government to step up and take responsibility. But the situation in which the government blunts all responsibility to the private sector but doesn't give any tools for self-defense is an anomaly that's simply calling the attackers to weaponize and to use this discrepancy for their advantage.
Dave Bittner: [00:11:25:11] Now what do you say to, I've heard the argument made that if people are allowed to hack back, they could use hacking back to go after their competitors.
Jonathan Braverman: [00:11:37:14] It's definitely a good point, and it's a real point, and it's a real danger, and that's exactly the same reason why you're not allowed to go into your neighbor's house and stage a break-in into your own house. But again, the line really is about the techniques that you can apply, not about the physical location of where you're applying them. If I can run forensics on my system so I can gain attribution, and then pass on that information to the FBI, or pass that information in my case to the Israeli police, so that they can take it from here and prosecute the offender under criminal law, it doesn't make much sense that I can't run forensic tools in a third party system or in the attacker's own system, so long as I don't use the forensics to gather competitive intelligence. So we're discussing the limits of the technique, we're not discussing the geographical location. Currently the law doesn't allow for that. Currently the law is more concerned about the way I'm running my provisioning system than what the provisioning system is running.
Dave Bittner: [00:12:33:19] So I suppose, would you say a fair analogy would be that if I had put a homing beacon on my television and my neighbor stole my television, the way cyber law is written I wouldn't be allowed to use that homing beacon to figure out which of my neighbors stole my television?
Jonathan Braverman: [00:12:49:05] That's a definite possibility, yes. Oddly enough, that's a fair possibility. Now consider a more apt case, that's the case of banks using dye packs. The reason banks use dye packs is threefold. First of all, they use it to render the money useless. Second of all, they use it to deter bank robbers, and third, they use it so that if the banker activates the dye pack he gets stained and is identifiable. So as long as you're not using dynamite to detonate a dye pack, nobody is going to entertain a claim for damages from a bank robber that his hands were stained or that he sustained some discoloration of the skin while he was robbing a bank. Oddly enough, in cyber security law, if I install a dye pack and that dye pack causes damages to a system, then I'm liable for damages. That's a bit strange.
Dave Bittner: [00:13:37:01] That's Jonathan Braverman from Cymmetria.
Dave Bittner: [00:13:43:03] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining partner Cylance. To find out how Cylance can help protect you using artificial intelligence, check out cylance.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology.
Dave Bittner: [00:14:04:23] Our show is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.