CyberWire Daily - Active defense and “hacking back" with Johnathan Braverman from Cymmetria
Episode Date: December 26, 2017
Jonathan is Cymmetria's General Counsel. A former trial attorney, Mr. Braverman is an expert in cyber-security law, policy and regulation. He has written policy papers on export controls over cyber technology, active defense and "hacking back."
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Our podcast team is taking a break this week from the daily news.
But don't fret.
You can get your daily dose of cybersecurity news at our website, thecyberwire.com.
In the meantime, we've got interviews for you this week, some interesting people we've talked to throughout the year.
So stay with us.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies, like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home.
Black Cloak's award-winning digital executive protection platform secures their personal
devices, home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Most people, when you think about hacking back, they are referring to the digital equivalent of Batman.
That's Jonathan Braverman. He's general counsel at Cymmetria, a company that describes itself as providing deception-based cybersecurity solutions against advanced cyber threats.
Our conversation centers on hacking back and Braverman's belief that today's legal framework for doing so is inadequate.
That's identifying a criminal, chasing him down, and beating him down on the street.
And that's a very narrow view
of what hacking back actually is.
Because if you take the time to consider
a lot of the things that you do
as part of incident response,
if you reframe the action,
or if you rethink it,
it fits into the spectrum of hacking back.
And I'll give you an example.
If the attacker connects to my system and his attacking tool has in plain text his username
and his password, and I try to connect to that service, is that hacking back? Most people would
say yes, and they would say that it's illegal. Most people would be right in saying that that's
illegal because you're gaining access to a system that's not yours, and you're essentially committing
computer trespass. But it's something that absolutely every company that does incident
response has done at some point or another in their history. Or what about engaging the attacker
inside your system by replacing actual files with honeydocs, or with files that are corrupted at the
source, so that when the attacker downloads them to his C&C server or to his drop zone
they are rendered inoperable or unreadable? Is that hacking back? It really does depend on how
you define the engagement with your attacker. So the way at least we at Cymmetria look at it
is that hacking back is essentially the forbidden part of incident response.
So does that give the bad guys an unfair advantage?
Definitely. One of the interesting things about computer law and cyber law is that it has a lot in common with international humanitarian law in that respect.
And that is that the bad guys have weaponized the protections of the law.
Because if you look at the provisions of the Computer Fraud and Abuse Act, for example, there's a lot of sense behind the prohibition on causing damage
to a computer system, either knowingly or through reckless action. It makes a lot of sense that if
the attacker is using a hospital as a drop zone, I shouldn't be allowed to drop my own malware into
that server. Nobody in their right mind is going to disagree with a prohibition on that.
But that does put the bad guys into an advantageous position, quotation marks, around advantageous,
because they don't have to worry about law enforcement.
And when I, as a cybersecurity practitioner, have to fear the regulator more than I have to fear my attacker, that does bring into mind several questions, and the most important of which is, is it not time to reform the law so that I can get back to actually defending myself?
So are you suggesting that some policy adjustments are needed? I think it would be most beneficial to rethink some of the limitations that are
currently used, or at the very least to allow the practitioners a more liberal interpretation
of the existing laws. Now, again, I don't think I can stress enough, the prohibition on causing
damage intentionally is something that we can definitely get behind. We're not proposing that
it's a good idea to plant your own kind of malware or your own
kind of crypto locker for an attacker to get into your systems, because you never know what the
consequences are going to be. But there needs to be some discussion as to whether or not the intent
of my access to a computer has to matter for something. And if I go back to my original example, if the attacker has given me his credentials in clear text
inside an attacking tool that he has used to connect to my network,
it is simply illogical that I can't connect to a C&C server
to perform triage on the kind of information that has been stolen
or to find out what kind of damage he has caused to my organization
because I'm afraid of
computer trespass. If I'm afraid more of the Department of Justice interpretation than of
my attacker, I think policy needs to change. It's interesting. I mean, the analogy I hear
used quite often is that if my neighbor breaks into my house and steals something from me,
I can't just go back into their house and take it back, that I would
be guilty of trespassing by going into their house. In many ways, it's an apt analogy, but in
other ways, it's an inapt analogy. And I'd like to focus on why it's not necessarily an accurate
comparison. The first point that needs to be considered here is that if your neighbor breaks
into your house and steals your television, your television is gone. If somebody attacks your system and copies your files, your files are still there. So the kind
of damage you're trying to prevent is different. You're trying to prevent the disclosure of
information, not the theft of information, because you still have the original. So in that sense,
I need to do triage to know what he's taken. In the physical world, I know my TV is missing.
It's a different level on the kind of activity that I'm doing.
First, I need to do triage so that I know if I have to do a breach notification
to 143 million possible users like in Equifax,
or if I can limit myself to 3 million users,
which is huge in terms of what a company is supposed to do.
And second of all, if I go into my neighbor's house and use violence
against him, then yes, that's rightly forbidden. And that's exactly my point. I don't want to do
anything outside my system that causes damage to either an intermediary or to my neighbor.
But the second part here is that if my neighbor breaks into my house and steals my television or
my possessions, I can call the police and the
police are the people who are supposed to use force to either arrest my neighbor and get me
my things back or bring him to justice. And this is something that sadly is simply not feasible
in terms of cybersecurity. First of all, because I don't know who broke into my house. I don't
necessarily know who my attacker is. I have difficulty in attribution. And part of the actions that I need to do to better gain attribution or to gain better
attribution more likely is that I need to look at where the files have been taken to, and they need
some forensic data at the C&C level or at the drop zone level, which I currently can't obtain.
So I can't even go to law enforcement and say who I suspect
because I have no idea who to suspect.
We're a bit in the Wild West these days when it comes to these things
where you have to defend yourself, I suppose.
Is this part of the case you're making?
It's not that we're in a state of lawlessness,
as most people think about the Wild West.
It's more that we're in a situation where the law is simply inapt to the situation and it's not applicable to the daily challenges.
My hands are tied in the fact that I don't know what my limitations are.
And no cybersecurity practitioner wants to be the case that is tried as in, okay, that's the limit.
It's not that I'm afraid of breaking the law.
It's that I don't know how to
apply the existing legal norms or regimes. Take, for example, the computer trespass. I don't know
what access means in regards to the CFAA. And there's not sufficient jurisprudence to give me
sufficient comfort when I have to answer an engineer's question as to whether or not I've gained access to a computer
if I plant a beaconing device that whenever a Word file or an Excel file is opened, it sends over
the IP address, the operating system language and version, and the geolocation of where the file was
opened. I don't know if I've gained access to a computer or not in that scenario. And if I've
gained the access, then I've committed a felony. That doesn't make any technical sense.
So what do you propose? In an ideal world, what would the scenario that we'd be operating under?
In an ideal world, we'd have some kind of consideration into intent. Currently,
the law is content neutral. So as I've said before, the bad guy has the advantage of being able to weaponize the law against me. If somebody connects a Raspberry Pi
inside my network, I can disconnect that device physically, but I can't execute a program that
disconnects it digitally because there's a specific prohibition in the CFAA that causes
damage to the availability of the system. That kind of awkwardness needs to end.
If I can protect my system and I can demonstrate I've been acting within the minimal damage
possible and with the intent of defending my network, I should have some level of comfort
or at least some level of certainty that I'm not going to be prosecuted for my actions.
And if I'm not going to be able to gain that kind of confidence, or if nobody's going to be willing to give me the assurance that I need, that I can
defend myself, then it's time for the government to step up and take responsibility. But the
situation in which the government blunts all responsibility to the private sector, but doesn't
give any tools for self-defense, is an anomaly that's simply calling the attackers to weaponize and to use
this discrepancy for their advantage. Now, what do you say to, I've heard the argument made that
if people are allowed to hack back, that they could use hacking back to go after their competitors?
It's a definitely good point, and it's a real point, and it's a real danger.
And that's exactly the same reason why you're not allowed to go into your neighbor's house
and stage a breaking into your own house.
But again, the line really is about what are the techniques that you can apply,
not about the physical location of where you're applying them.
If I can run forensics on my system so I can gain attribution
and then pass
on that information to the FBI or pass that information in my case to the Israeli police
so that they can take it from here and prosecute the offender under criminal law, it doesn't make
much sense that I can't run forensic tools in a third-party system or in the attacker's own system
so long as I don't use the forensics to gather competitive intelligence.
So we're discussing the limits of the technique.
We're not discussing the geographical location.
Currently, the law doesn't allow for that.
Currently, the law is more concerned about where I'm running my provisioning system
than what the provisioning system is running.
So I suppose, I mean, what do you say a fair analogy would be that
if I had put a homing beacon on my television
and my neighbor stole my television, and the way cyber law is written,
I wouldn't be allowed to use that homing beacon to figure out which of my neighbors stole my television?
That's a definite possibility, yes.
Oddly enough, that's a definite possibility.
Now, consider a more apt case.
That's the case of banks using dye packs.
The reason banks use dye packs is threefold. First of all, they use it to render the money useless. Second of all, they use it to deter bank robbers. And third, they use it so that if the banker activates a dye pack, nobody's going to entertain a claim for damages from a bank robber that his pants were stained or that he sustained some discoloration of the skin while he was robbing a bank.
Oddly enough, in cybersecurity law, if I install a dye pack and that dye pack causes damages to a system, then I'm liable for damages.
That's a bit strange.
That's Jonathan Braverman from Cymmetria.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you.
... and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.