13 November 2021

Hack Back - When A Cyber Attack Victim Turns 'Digital Vigilante'


BERLIN - With malware able to cancel out whatever security measures are in place on a computer, cyber crime is in full developmental swing.

That's the word from a new report on the dark side of the information technology revolution in the current issue of "Bundeslagebild Cybercrime," published by Germany's Federal Criminal Police Office (BKA). Meanwhile, the UK's domestic intelligence service MI5 says Internet crimes have now reached "industrial-scale" proportions.

What we know is that cyber attacks are aimed at both businesses and governments; they threaten both public and private sector data; and research and academic facilities are hardly spared. "The extent of what is going on is astonishing," says MI5 head Jonathan Evans.

This, of course, only pertains to the attacks the police know about. Internet security experts estimate cyber crime levels are much higher. Businesses in particular are known to be reluctant to divulge what they may have experienced, in order to protect their image.

But silence is not just a question of image. The fact is that in no other area are the forces of law and order as helpless as they are when dealing with cyber crime. According to most experts, the discrepancy between the technical know-how and equipment of the perps and that of the cops is vast – and the bad guys have the upper hand.

"In what is often called 'cyber war' but should be called 'cyber crime,' the forces of order are not as well equipped as the attackers," says IT expert Max Mühlhäuser, who heads the Telecooperation Lab at Darmstadt's Technical University. "And the growing professionalism of attackers means that action is urgently needed."

In Germany, since it became publicly known that the police could not even manage the "Bundestrojaner" (the "federal Trojan" spyware allegedly used by the government to access the computers of suspects in criminal investigations) without the help of outside service providers, more and more businesses have begun to circumvent the authorities and take on cyber-thieves directly.

Cyberwar researcher Sandro Gaycken, of the Institute for Computer Science at Berlin's Freie Universität, confirms that "digital vigilantism" is the new trend, particularly in sectors strongly affected by efficient cybercriminals such as the financial industry, development companies, and research groups. In those areas, the amount of manipulation and spying is "frightening," he says -- "and absolutely nobody is going to go public when something like that happens to them."

The tendency is to deal with it in-house, says Gaycken. "They don't involve the police. They build up their own unit, or hire outside help. And the new hype with those guys is hitting back. Attacking the attacker."

Data trap

One such "Enterprise Strikes Back" service provider is CrowdStrike, a California company that describes itself as "the stealth-mode security start-up." It provides companies with "hack back" solutions to fight private wars on the web, and minces no words when it comes to criticizing the kinds of security strategies used until now to fight cyber attacks.

"The industry's mistake was to focus on the tools the attackers were using," says Dmitri Alperovitch, co-founder and Chief Technology Officer, who espouses a kind of hand-to-hand combat strategy. "You have to concentrate on the attacker himself, not on the weapon used but on the tactics."

Shawn Henry, a former cybercrime specialist with the FBI and now president of CrowdStrike Services, puts it this way: "We don't only put out the fires, we light them too." CrowdStrike's range of hack-back services is wide, and includes everything from figuring out how to dodge attacks all the way to ruining the attacker financially.

For example, CrowdStrike can set up a data trap that lures attackers into believing they have hit on something of value, although it is actually worthless data that can't be copied. It keeps the attackers busy for a while and wastes a lot of their time. There are also ways of ascertaining an attacker's identity and of sending disinformation or malware to their computer.
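The "data trap" described above has a lawful, purely defensive counterpart that a practitioner can run on their own systems: planted decoy records ("honeytokens") that no legitimate user ever touches, so any later use of one is both proof of compromise and a pointer to which planted file was read. The block below is an added example, not CrowdStrike's code or a description of its service; the token format, the decoy credentials-file layout, the log line format and the log lines themselves are all constructed for illustration. Everything it does stays on the defender's own hosts and logs; nothing is sent to the attacker's machine.

```python
"""Decoy ("honeytoken") records plus a log scan that fires when one is used.

Added example, not CrowdStrike's product: the token format, file layout and
log lines below are all constructed for illustration.
"""
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeytoken:
    label: str   # where the decoy was planted, reported in the alert
    value: str   # the secret only an intruder would ever present


def plant_honeytokens(labels, token_factory=lambda: secrets.token_hex(10)):
    """One unique decoy secret per planting site.

    The value is random, so it cannot collide with a real credential and can
    be matched exactly in logs. The "AKIA" prefix merely mimics the look of an
    AWS access key id (assumption: a decoy should resemble something an
    attacker would bother to exfiltrate and try out).
    """
    return [Honeytoken(label, "AKIA" + token_factory().upper()) for label in labels]


def render_decoy_file(token):
    """Text of a fake credentials file to drop at token.label (constructed layout)."""
    return (
        "[default]\n"
        f"aws_access_key_id = {token.value}\n"
        "aws_secret_access_key = (revoked)\n"   # nothing in this file is live
    )


# Constructed log format: "<iso-timestamp> <source-ip> <message>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<msg>.*)$")


def scan_logs(lines, tokens):
    """Return one alert per log line that contains a planted decoy.

    Legitimate users never see the decoys, so a hit is evidence both that the
    planting host was compromised and of which planted file was read.
    """
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line; in production count these separately
        for tok in tokens:
            if tok.value in m.group("msg"):
                alerts.append({"time": m.group("ts"),
                               "source": m.group("src"),
                               "planted_at": tok.label})
    return alerts


def demo():
    """Plant two decoys and scan constructed gateway logs for their use."""
    counter = iter(range(1, 100))   # deterministic factory for reproducibility
    tokens = plant_honeytokens(
        ["fileserver:/finance/aws_credentials", "db:customers.archive"],
        token_factory=lambda: f"{next(counter):020x}",
    )
    # Constructed API-gateway log lines: benign traffic, one decoy use, one
    # malformed line that the scanner must skip rather than crash on.
    logs = [
        "2021-11-13T09:14:02Z 10.0.0.7 GET /health 200",
        f"2021-11-13T09:15:41Z 198.51.100.23 auth failed key={tokens[0].value}",
        "2021-11-13T09:16:00Z 10.0.0.7 GET /orders 200",
        "garbage line without the expected layout",
    ]
    return scan_logs(logs, tokens)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The alert names the planted location, so an analyst immediately knows which share or table the intruder reached; because the decoy secret is revoked from the start, the attempt costs the attacker time and reveals their source address without any action against their system.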

Not surprisingly, no company has thus far publicly admitted to using these or other hack-back tactics; attacking IT systems, even in counter-attack, is after all illegal in most Western countries. In Germany, Sections 202a to 202c of the Criminal Code (StGB), of which 202c is commonly known as the "Hacker Paragraph," make data espionage, the interception of data and the preparation of such acts punishable with imprisonment or a fine.

According to those familiar with the sector, that doesn't stop many companies from using these methods against cyber attackers, particularly as frustration is growing among enterprises that realize how much is at stake, and that legal methods simply do not work.

"One of the reasons for using illegal means is that the state just isn't efficient. The prosecutors aren't good enough, partly because they have cheap, ineffective tools to work with. Investigators need more means, and more highly qualified people, to be able to work in a more targeted fashion," says computer scientist Gaycken.

Another problem is that states are bound to their own laws and territoriality – a factor that limits their radius of action. "From that perspective, vigilantism could seem justified. It's that way with self-defense: if the state is not there, and I'm attacked, I can hit back." But that's only part of the story, Gaycken believes. Investigations hampered by data protection legislation and national borders often appear cumbersome and indeed unnecessary to companies that have been attacked.

The latest cyberwar developments have only strengthened the aggressive self-help trend. The discovery that malware like Flame, Stuxnet and Duqu had been working away, sometimes for years, inside computer systems, including the industrial control systems driving the uranium enrichment centrifuges of the Iranian nuclear program, was a massive defeat for the antivirus industry.

For Mikko Hypponen, the founder of F-Secure, a security firm, Flame malware marks nothing less than the "failure of the antivirus industry," and as such a turning point in IT security.

US and France have more leeway

Neither the German Minister of the Interior nor the Federal Office for Information Security (BSI), which between them are responsible for IT security in Germany, including government computers, had any comment on these latest developments. Paired with the trend towards vigilantism, however, the issue demands answers, particularly as it touches not only on the law but also on civil rights. The bottom line is that the state has a monopoly on the use of force.

Says IT expert Mühlhäuser: "My impression from a number of indicators is that the German federal government sees defending the German economy against cybercrime and cyber-intelligence as far less important a sovereign function than, for example, the United States or France do."

Mühlhäuser notes that both those countries have legitimized state-organized economic espionage in the past in the interests of keeping their own economies in good shape. But in Germany, for lack of effective enforcement, more and more businesses and institutions have no choice but to take matters into their own hands. Time will tell whether this will bring a measured, practical response, or if people will come out with all guns blazing, Wild West style.
