Cyber security often skirts with a "red line". Honeypots, hack backs, dabblings with the darknet... some ways of responding to computer attacks are often tempting and sometimes useful, but also double-edged swords. Knowing how to use them is the key.
Cybercrime can have impacts at the highest level of business, with considerable economic repercussions. In 2014, for the first time, a computer attack brought down a company boss. Gregg Steinhafel, CEO of the US retail group Target, resigned following the theft of 110 million customer credit card numbers. The first of many…
The temptation to respond
In the face of these increasingly damaging attacks, companies can be sorely tempted to resort to self-defence methods, using the same "weapons" as the attackers. What we're talking about here isn't vigilante chatbots, but "hack backs", a strategy that consists of deploying retaliatory measures against computer attacks.
In the United States, a law that gives private companies the right to cyber self-defence has been in the works since autumn 2017. The idea is to allow companies to make use of networks other than their own to identify or disrupt attacks. Let's just say that if the legislation is adopted, the United States will have radically changed the name of the game at international level.
A high-risk solution
Legalising hack backs is tantamount to opening Pandora's box, many experts warn. By allowing anyone to access the computer systems of others with impunity, it legitimises the creation of a digital "Wild West". Especially as it's never clear where an attack is really coming from, as Paul Fariello, a member of the Security Intelligence team at Stormshield, points out: "It's a high-risk practice: you never really know which machine was actually used to launch an attack." In the words of Pierre-Yves Hentzen, Stormshield's CEO: "The problem with digital self-defence is that, unlike the real world, it doesn't play by the rules. Those rules are simultaneity (on the web, we can't respond instantly), proportionality (we don't know the real impact the attack will have) and response to the attacker (hard to identify on the web)."
The problem with digital self-defence is that, unlike the real world, it doesn't play by the rules: simultaneity, proportionality and response to the attacker.
Pierre-Yves Hentzen, CEO of Stormshield
And there lies the problem: with the use of masking or falsification techniques, and even the creation of a false digital audit trail, any aggressive response brings with it a serious risk of targeting errors. "There's a risk your hack- back will hit an innocent third party if, for example, the hacker has used another PC as a bounceback address. It's easy to imagine the dramatic consequences if the hacker has tunnelled via a hospital computer, for example", explains Paul Fariello. And it's also paving the way for collateral damage: why not "fight back" against a competitor by claiming they attacked you? And so we find ourselves in an infernal spiral of reprisals, or legitimising preventive cyber-attacks.
From passive to active defence
However, companies aren't entirely helpless in the face of cyberattacks. In terms of passive defence, honeypots (hacker traps) have their uses. These are deliberately vulnerable public computer systems that are designed to attract hackers. "Honeypots let us see the malicious acts that threaten a business, and the tools that can be used," notes Paul Fariello.
Be careful, however, to make sure the "honeypot" is isolated, to prevent it from being used as a starting point for hacking attacks on other systems. However, there is a question mark over the legality of such types of action: companies employing such strategies are not immune to related risks. Starting with legal action from third parties, were the hacker to manage to "escape" from the honeypot and use it as a bounceback for mounting fresh attacks against other systems. There is also an insurance risk: setting up a honeypot could, if it introduces risks for the insured operating system, void insurance policy guarantees for IT risks.
On a more offensive level, it's hard to avoid mentioning the INFILTRATE conference. This ultra-technical conference in the United States focuses exclusively on offensive solutions to security problems, and "eschews policy and high-level presentations in favor of just hard-core thought-provoking technical meat" That says it all…
"Attacking a co-hosted VM" 👉🏻 Discover in video the presentation by .@paulfariello and @abu_y0ussef, @Stormshield_ security engineer and researcher at @InfiltrateCon! https://t.co/naAe7PkQ4o w./ @ThisIsSecurity_
— Stormshield (@Stormshield_) 18 mai 2018
Diving into the darknet
For battle-hardened veterans, there is also the adventure of the darknet. "It forms a part of the web environment, so it would be a mistake for a company not to use it for monitoring and protection purposes," says Damien Bancal, a French journalist specialising in cybercrime. But the "deep web" – the part of the internet that is not indexed by search engines – and the "dark web" – made up of many private networks guaranteeing the anonymity of their users' data – are by definition the preferred playground for cybercriminals. "Even though it requires a certain level of expertise, this part of the internet is quite accessible and useful. It can collect information in the background to detect potential "bad buzz", or identify issues with data currently in preparation or already in use," says Matthieu Bonenfant, Marketing Director of Stormshield. Monitoring the darknet makes it possible to identify threats before they materialise. Not just in terms of data theft, disclosure of confidential information or even insider trading, but also in terms of image and reputation.
Inside The #Darknet: The Dark Underbelly Of The Internet Explored. Good podcast from @guardian https://t.co/cTIrIrATTU #DarkWeb #CyberCrime pic.twitter.com/CRSM6t04kg
— Perspective Risk (@PerspectiveRisk) 21 mars 2017
A tailored approach and tools
However, use of the darknet requires some elementary precautions. "The limits are obvious: you cannot cross the red line of engaging in illegal activity. There can only be a handful of authorisations which the government exploits for its own exclusive use - mainly under military programming law (LPM) - to enable it to neutralise an attacking system," warns Pierre-Yves Hentzen.
In terms of tools, there are all kinds of techniques such as "hidden web crawlers", robots which specialise in analysing the content of large numbers of pages on the underground web. "But the best tools for monitoring the darknet are human beings," notes journalist Damien Bancal. "Given all the logins, passwords and authentication systems in use in this area of the web, no software is yet capable of replacing human infiltration. Especially since, on the darknet, you tend to find things you weren't looking for. It's a bit like visiting a flea market ..."
The unlikely prospect of a "cyber-peace"
Is it hopelessly optimistic to imagine the eradication of cybercrime? Some have not given up hope, and dream of a "cyber-peace", an international law to regulate the behaviour of state-based and private participants. The key: clear definition and identification of stakeholders. But therein lies the difficulty.
"A digital non-aggression pact of this kind at the international level is obviously desirable, but it will clearly be difficult to apply," comments Pierre-Yves Hentzen. In cyberspace, it's hard to be sure that members of the pact haven't previously launched attacks on their current so-called "allies". Nor that they won't do so again in future. We would still seem to have a long way to go towards a first "digital Geneva convention"...
In addition to the political dimension, "the development of digital technology outweighs everything else, as evidenced by the increase in the number of Facebook accounts despite the Cambridge Analytica scandal involving millions of personal data records." Now, more than ever, is the time for vigilance and the need for better protection for people and businesses. But what if the best form of attack turned out to be defence?