The sprawling reach of a malware campaign that hit government agencies and businesses through SolarWinds software, and according to recent reports potentially through other attack vectors as well, raises new questions about the appropriate response from private sector organizations.
Many enterprises, particularly those in tech and security, have tremendous insight into the workings of their own systems and the intrusions that might occur, which some believe puts them in a unique position to hack back at attackers. Doing so, however, could bring a host of problems.
“Hacking back is still up to legal interpretations, but for the most part it's not legal under international law," said Joseph Neumann, director of offensive security at Coalfire. "It is the equivalent of me or you deciding to go punch a bear in the face that just stole your picnic basket. At the end of the day the bear is going to win.”
Indeed, Chris Roberts, virtual chief information officer and advisor to a number of companies and agencies as part of the HillBilly Hit Squad, warned during a recent SC webinar panel discussion: “We think we have problems now. It’s nothing compared to what would happen” if companies went into attack mode.
He noted that sophisticated bad actors playing a long game likely have numerous avenues of attack. An organization that strikes back could find itself the victim of an endless string of assaults.
“As an attacker, I’m not going to just leave one way in,” Roberts said. “Congratulations, you found one of my ways in. I’ve got six or seven others, so if you are going to come after me, I’m going to go back after you four or five other ways and keep taking you down.”
So then, what options are available to targeted companies? SC Media asked security experts, who pointed to both community coordination and proactive cyber measures to better deter attackers.
The coordinated response alternative
Unlike many private sector companies, federal agencies have the intelligence, fluency in geopolitical matters and, maybe most importantly, the jurisdiction to take punitive action against nation states, whether through countermeasures or sanctions. At the end of his last term, for example, former President Barack Obama imposed additional sanctions on Russia for interfering in the 2016 presidential election, and in the wake of SolarWinds, President Joe Biden has hinted at a potential response against Russia.
But intent factors into even the government's options. Most experts surmise that the SolarWinds attack, for example, was a spy operation, similar to ones that the U.S. engages in surreptitiously, rather than an attack aimed at destruction, like taking down the power grid. The latter could potentially be deemed an act of war, even triggering Article 5 among NATO members. That is not necessarily true of the former.
“Nation-state hacking has been going on for a long time by all sides," said Mark Kedgley, chief technology officer at New Net Technologies. "It is just the newest frontier for the on-going silent wars of international espionage and disruption.”
Looking beyond the United States, some have suggested a Geneva Convention for cybersecurity, which would establish the standards of international law for digital conflict. But such an agreement would "likely amount to a promise with very little actual effect," said Christoph Hebeisen, director of security intelligence research at Lookout.
“Agreements work well if compliance is verifiable and there is a high price to pay for non-compliance," he said. In cyber, “the lines between state-run attacks, patriotic hacker activity, and outright crime can be very blurry. This gives state actors plausible deniability.”
A more effective response to nation-state actors would instead involve coordination between government agencies and industry, sharing intelligence in real or near-real time. Often held up as a gold standard, such public-private coordination is hampered by a wariness that has long existed between the two parties.
“There’s a perception that needs to be broken" to enable better coordination, said Bryan Hurd, vice president at Aon Cyber Solutions, who recounted a prominent senator asking about the feasibility of “blowing up computers” as a kinetic action against attackers, only to be quickly shut down. "People from the private sector think government has all the answers," but keeps them close to the vest. Government thinks the same about the private sector, he continued, and tends to over-ask.
Responsibilities for responding to and mitigating attacks should be broken down between private and public based on capabilities and strengths. Companies should “leave the offensive stuff to the people who know what they’re doing," Roberts said.
“That’s our role. Our role is to very quickly bring a huge amount of brain trust to a problem, then figure out how to get it out to everybody else."
That said, there are subtleties to what companies may be authorized to do, said Hurd, who is also a member of CyberRisk Alliance’s Cybersecurity Collaborative, a forum of CISOs. He pointed to Microsoft as an example of a company with “legal means” to fend off attackers, referring to a number of actions over the years by the tech giant, including the court order it obtained in October to dismantle the notorious Trickbot botnet. “There’s a difference between offensive and proactive.”
Establish tech boundaries
Beyond legal recourse, companies need to establish technology boundaries to lessen the impact of nation-state maneuvers. Those boundaries “not only offer additional protection, they may also help expose the presence of APTs in your network,” said Chris Grove, technology evangelist at Nozomi Networks. “Technology can be used to create more layers, even layers within layers, without additional infrastructure.”
Hitting a technological boundary forces attackers “to adjust their tactics accordingly,” he said. Boundaries also offer “choke points, where monitoring and signaling can occur. Each technology boundary put in front of the attacker serves as an opportunity to better defend your network. Best of all, they can be used to limit an incident’s blast radius, containing the scope of the attack.”
An example of where tech boundaries could save the day, he said, would be at a manufacturer running mostly Microsoft Windows infrastructure. Consider a scenario where SolarWinds is a key part of its cybersecurity, asset inventory, monitoring and patching infrastructure.
"It would be susceptible to an attack targeting Windows systems, because it uses the same OS as other monitored assets,” Grove said. But if the manufacturer had used a technological boundary, like running SolarWinds on Linux, recovery would be much easier. “On Linux, SolarWinds could have operated safely within the sea of infected Windows machines, and provided a secure foundation from which to operate.”
Similarly, environments containing a single operating system can create barriers by putting remote access and virtual private network technologies on different technological platforms. If vendor one provides remote access, vendor two should monitor it, Grove explained. That way, if an incident occurs on one or the other platform, the blast radius is limited to a single business function. "One product picks up on the failure of another.”
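The "one product picks up on the failure of another" idea can be made concrete with a small cross-check at the remote-access choke point. The following script is an added illustration, not code from the article or from any vendor named in it: vendor one is a VPN concentrator that admits sessions, vendor two is an independent identity provider (IdP) whose authentication log should corroborate every session. A VPN session that the IdP never approved is exactly the kind of signal an attacker who has compromised one platform cannot suppress from the other. The two log formats, the field names, the usernames and the addresses are all constructed for this example.

```python
"""Independent corroboration of remote-access sessions.

Added example (not from the article): vendor one's VPN log is checked against
vendor two's identity-provider (IdP) log. Every VPN connect must be preceded,
within a short window, by an IdP success for the same user with MFA. Anything
else is a finding. Both log formats are constructed for this illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs (hypothetical formats, users and addresses).
VPN_LOG = """\
2021-01-28T09:00:12Z VPN session=1001 user=alice src=203.0.113.5 action=connect
2021-01-28T09:01:40Z VPN session=1002 user=bob src=198.51.100.7 action=connect
2021-01-28T09:05:03Z VPN session=1003 user=svc_backup src=198.51.100.9 action=connect
2021-01-28T09:30:00Z VPN session=1004 user=alice src=203.0.113.5 action=connect
"""

IDP_LOG = """\
2021-01-28T09:00:05Z IDP user=alice result=success mfa=true
2021-01-28T09:01:35Z IDP user=bob result=failure mfa=false
2021-01-28T09:29:50Z IDP user=alice result=success mfa=true
"""

VPN_RE = re.compile(
    r"^(?P<ts>\S+) VPN session=(?P<session>\d+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) action=(?P<action>\S+)$"
)
IDP_RE = re.compile(
    r"^(?P<ts>\S+) IDP user=(?P<user>\S+) result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


@dataclass
class VpnSession:
    ts: datetime
    session: str
    user: str
    src: str


@dataclass
class IdpEvent:
    ts: datetime
    user: str
    result: str
    mfa: bool


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_vpn(text: str) -> list[VpnSession]:
    """Return only the connect events; disconnects need no corroboration."""
    sessions = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m and m["action"] == "connect":
            sessions.append(VpnSession(_parse_ts(m["ts"]), m["session"], m["user"], m["src"]))
    return sessions


def parse_idp(text: str) -> list[IdpEvent]:
    events = []
    for line in text.splitlines():
        m = IDP_RE.match(line)
        if m:
            events.append(IdpEvent(_parse_ts(m["ts"]), m["user"], m["result"], m["mfa"] == "true"))
    return events


def corroborate(sessions: list[VpnSession], events: list[IdpEvent],
                window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Flag VPN connects with no matching IdP success (with MFA) in the window."""
    by_user: dict[str, list[IdpEvent]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    findings = []
    for s in sessions:
        # Only IdP events that happened at or before the connect, within the window, count.
        candidates = [e for e in by_user.get(s.user, []) if timedelta(0) <= s.ts - e.ts <= window]
        if not candidates:
            findings.append({"session": s.session, "user": s.user, "src": s.src, "reason": "no_idp_event"})
            continue
        latest = max(candidates, key=lambda e: e.ts)
        if latest.result != "success" or not latest.mfa:
            findings.append({"session": s.session, "user": s.user, "src": s.src, "reason": "idp_denied"})
    return findings


def audit(vpn_text: str, idp_text: str, window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Convenience wrapper: parse both logs and return the findings."""
    return corroborate(parse_vpn(vpn_text), parse_idp(idp_text), window)


if __name__ == "__main__":
    for f in audit(VPN_LOG, IDP_LOG):
        print(f"session {f['session']} user={f['user']} src={f['src']} -> {f['reason']}")
```

On the constructed input, sessions 1001 and 1004 are corroborated by an MFA success a few seconds earlier; session 1002 is flagged because the IdP recorded a failure for that user, and session 1003 because the IdP never saw the service account at all. The design point is that the check lives on, and reads from, the platform the VPN vendor does not control, so a compromise of the remote-access product alone cannot make the discrepancy disappear.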
Deception technology, too, can give security teams insight into attackers and their techniques, providing what Roberts described as "that camouflaged environment that someone spends their time in."
He added: "The downside is you can piss off your opponents.”
The introduction to this article was edited on Feb. 1 to note reports that SolarWinds was not the only intrusion vector used by attackers.