The sprawling reach of the SolarWinds malware attack that hit government agencies and businesses in December reignited the debate about the appropriate response from private sector organizations to cyberattacks from nation states.
Many enterprises, particularly those in tech and security, have tremendous insight into the workings of their own systems and the intrusions that might occur, which some believe puts them in a unique position to hack back at attackers. Doing so, however, could bring a host of problems.
“Hacking back is still up to legal interpretations, but for the most part it’s not legal under international law,” said Joseph Neumann, director of offensive security at Coalfire. “It is the equivalent of me or you deciding to go punch a bear in the face that just stole your picnic basket. At the end of the day the bear is going to win.”
Chris Roberts, virtual chief information officer and advisor to a number of companies and agencies as part of the HillBilly Hit Squad, warned during a recent SC webinar panel: “We think we have problems now. It’s nothing compared to what would happen” if companies went into attack mode.
He noted that sophisticated bad actors playing a long game likely have numerous avenues of attack. An organization could find itself victim to an endless string of assaults.
“As an attacker, I’m not just going to just leave one way in,” Roberts said. “Congratulations, you found one of my ways in. I’ve got six or seven others, so if you are going to come after me, I’m going to go back after you four or five other ways and keep taking you down.”
So then, what options are available to target companies? SC Media asked security experts, who pointed to both community coordination and proactive cyber measures to better deter attackers.
The coordinated response alternative
Unlike many private sector companies, federal agencies have the intelligence, fluency in geopolitical matters and, maybe most importantly, the jurisdiction to take punitive action against nation states – whether through countermeasures or sanctions. At the end of his last term, former President Barack Obama imposed additional sanctions on Russia for interfering in the 2016 presidential election, for example, and in the wake of SolarWinds, President Joe Biden has hinted at a potential response against Russia.
But intent factors into even the government’s options. Most experts surmise that the SolarWinds attack, for example, was a spy operation – similar to ones that the U.S. engages in surreptitiously – versus an attack aimed at destruction, like taking down the power grid. The latter could potentially be deemed an act of war, even triggering Article 5 among NATO members. That’s not necessarily true for the former.
“Nation-state hacking has been going on for a long time by all sides,” said Mark Kedgley, chief technology officer at New Net Technologies. “It is just the newest frontier for the on-going silent wars of international espionage and disruption.”
A more effective means of response to nation-state actors would involve coordination with government agencies and industry. That means overcoming a certain wariness that has long existed between the private and public sector.
“There’s a perception that needs to be broken,” said Bryan Hurd, vice president at Aon Cyber Solutions, who recounted a prominent senator asking about the feasibility of “blowing up computers” as a kinetic action against attackers only to be quickly shut down. “People from the private sector think government has all the answers. And government thinks the same thing about the private sector.”
A good place to start in improving public-private collaboration against foreign attackers is with realistic requests and expectations. Instead of asking for the whole server after an incident, for example, government investigators should narrow that ask. “No general counsel is going to give them the whole server,” said Hurd, who is also a member of CyberRisk Alliance’s Cybersecurity Collaborative, a forum of CISOs.
Responsibilities for responding to and mitigating attacks should be broken down between private and public based on capabilities and strengths. Companies should “leave the offensive stuff to the people who know what they’re doing,” Roberts said.
“That’s our role. Our role is to very quickly bring a huge amount of brain trust to a problem, then figure out how to get it out to everybody else.”
That said, there are subtleties to what companies may be authorized to do. Microsoft, for example, has “legal means” to fend off attackers, said Hurd, referring to takedown operations the tech giant has executed, including an October court order to dismantle notorious botnet Trickbot. “There’s a difference between offensive and proactive.”
Establish tech boundaries
Beyond legal recourse, companies need to establish technology boundaries to lessen the impact of nation-state maneuvers. Those boundaries “not only offer additional protection, they may also help expose the presence of APTs in your network,” said Chris Grove, technology evangelist at Nozomi Networks. “Technology can be used to create more layers, even layers within layers, without additional infrastructure.”
Hitting a technological boundary forces attackers “to adjust their tactics accordingly,” he said.
And boundaries offer “choke points, where monitoring and signaling can occur,” said Grove. “Each technology boundary put in front of the attacker serves as an opportunity to better defend your network. Best of all, they can be used to limit an incident’s blast radius, containing the scope of the attack.”
An example of where tech boundaries could save the day, he said, would be at a manufacturer running mostly Microsoft Windows infrastructure.
“If SolarWinds is a key part of its cybersecurity, asset inventory, monitoring and patching infrastructure, it would be susceptible to an attack targeting Windows systems, because it uses the same OS as other monitored assets,” he said. “Say a virus or worm runs rampant on the organization’s Windows network. If the system used to control the company’s environment is also running a vulnerable OS, it may become infected and unavailable during the forensic investigation or recovery processes. A major tool that’s typically used in the recovery efforts would also need its own recovery, at the worst possible time… when trying to recover a production network.”
But if the manufacturer had used a technological boundary, like running SolarWinds on Linux, recovery would be much easier. “The worm or virus would have run its course across Windows systems, but be stopped in its tracks when it hit the Linux system,” Grove said. “On Linux, SolarWinds could have operated safely within the sea of infected Windows machines, and provided a secure foundation from which to operate.”
Similarly, environments containing a single operating system can create barriers by putting remote access and virtual private network technologies on different technological platforms. If vendor one provides remote access, vendor two should monitor it, Grove explained. That way, if an incident occurs on one or the other platform, the blast radius is limited to a single business function. “One product picks up on the failure of another.”
Those tactics can also open avenues for organizations to discover attempted malicious activities. “When an attacker attempts to bypass multiple challenges, it makes it difficult to mount an end-to-end attack,” he said. “During execution, the attacker will invariably conduct reconnaissance activities, and probe the boundaries they’re confined within.”
Deception technology, too, can give security teams insight into attackers and their techniques, providing what Roberts described as “that camouflaged environment that someone spends their time in.”
He added: “The downside is you can piss off your opponents.”
The post Does SolarWinds change the rules in offensive cyber? Experts say no, but offer alternatives appeared first on SC Media.