Hacking Back
Brian Toevs
As an information security professional and digital forensic investigator, I’m often asked why I don’t pursue the people who are hacking us. There is a lot of political and journalistic attention being given to the concept of going after the bad guys who have been attacking our critical infrastructure, our voting systems, our banking wire systems, and even our personal information. The recent WikiLeaks Vault 7 releases of US government-created hacking tools, and their resulting malware (WannaCry, Petya, CherryBlossom, etc.), have only exacerbated the arguments that we should be more aggressive in pursuing attribution to the perpetrators and striking back. It has even garnered Congressional support in the form of a bill sponsored by Representative Tom Graves (R-GA) called the Active Cyber Defense Certainty Act. So it may not even be (somewhat) illegal for us to hack back in the future. This would personally be very gratifying.
So why am I (and my colleagues in the private sector) not fully engaged in identifying the bad guys and making them pay for their nefarious activities? Well, number one, I don’t have the time. I’m the VP/CISO for a regional bank. This takes up a great deal of my time. Like you, I’m fully engaged all day in the mundane and repetitive tasks of keeping my bank’s corporate and customer data secure and protected from just this kind of activity. That means I’m constantly looking for vulnerabilities in our network and getting them closed. I’m also spending a lot of time now checking up on my third-party providers to make sure they’re doing the same (have you seen the recent updates to Schedule J of the FFIEC IT Handbook?). Second, the Board of Directors isn’t likely (full disclosure – I haven’t really asked them, though) to approve of me raising the visibility of our bank to the hackers by drawing attention with counter-attacks against the very persons who have the means, capability, and motivation to dramatically increase my workload. Third, I’m not a police officer. I’ve worked for them at the federal, state, local, and military levels enough to know the difference between my job and their job. There is a clear delineation that it’s ‘their’ job to identify and apprehend criminals. Then it falls upon the Department of Justice to prosecute them. That’s way outside my scope of work.
But Brian, why is it that law enforcement simply doesn’t seem interested? Former FBI Director James Comey notoriously once remarked that he would recommend paying ransomware hackers if you were compromised. Of course, he quickly recanted that statement. It was still very revealing regarding the perception of cybercrime at the federal law enforcement level. Fortunately, that perception is not accurate. There is great interest within federal law enforcement in the attribution and prosecution of cybercrime. In the financial services sector, one only needs to look at the number of suspicious activity reports (SARs) that each FS provider must submit each month (we do several hundred each month ourselves). Did you know that the FBI has a dedicated unit, the Cyber Initiative & Resource Fusion Unit (CIRFU), for fighting cybercrime? I’ve worked closely with the agents and analysts assigned to this unit and can unequivocally state that they are committed to this effort. The same is true of the Department of Homeland Security Investigations, the Secret Service, Customs and Border Protection, and even the US Postal Service. Every branch of the military now has a cyberwarfare arm. So don’t think that there isn’t a great deal of activity already happening to address cybercrime.
Still, how would one approach hacking back if they were so inclined? In order to attribute a piece of malware, especially malware like ransomware or a DDoS attack, one must understand how the hackers instruct these malware systems to do what they want them to do. This is typically managed through a Remote Administration Tool (RAT). The RAT is distributed first to create a bot infrastructure. Just like every other piece of software that you’ve ever encountered, RATs have bugs in them too. Since most hackers are lazy and recycle others’ code, it’s possible to reverse engineer the distributed RAT and make changes in it to hack back against the attacker and perhaps gain access to the hacker’s command and control (C2) server(s). Then it’s simply a matter of traditional hacking techniques fired back at the C2 to gain elevated privileges and recon. Slap a packet monitor on it and watch where the traffic is going.
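Before anyone can watch where the traffic is going, they have to find the host that is calling home in the first place. The script below is an added example, not code from the original article: it runs a simple beaconing check over a handful of constructed outbound-connection records, grouping connections by source and destination and flagging pairs whose timing is too regular to be a person browsing. The log format, the IP addresses and the thresholds are assumptions made for illustration; the idea is the defensive half of the paragraph above, namely that a RAT has to check in with its C2 on a schedule, and that schedule is visible in ordinary connection logs.

```python
"""Beacon detection over constructed outbound-connection records.

Added example (not from the original article). A RAT that checks in with its
command-and-control (C2) server does so on a near-fixed schedule; the low
jitter of those check-ins stands out against ordinary user traffic.
Every log line below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp src_ip dst_ip:dst_port bytes"
SAMPLE_LOG = """\
2017-07-10T09:00:00 10.1.5.23 203.0.113.77:443 512
2017-07-10T09:00:02 10.1.5.23 198.51.100.10:443 40211
2017-07-10T09:05:01 10.1.5.23 203.0.113.77:443 514
2017-07-10T09:10:00 10.1.5.23 203.0.113.77:443 512
2017-07-10T09:12:44 10.1.5.23 198.51.100.10:443 1830
2017-07-10T09:15:02 10.1.5.23 203.0.113.77:443 516
2017-07-10T09:20:00 10.1.5.23 203.0.113.77:443 512
2017-07-10T09:25:01 10.1.5.23 203.0.113.77:443 512
2017-07-10T09:31:17 10.1.5.23 198.51.100.10:443 75530
2017-07-10T09:47:03 10.1.5.23 198.51.100.10:443 910
"""


def parse_log(text):
    """Return (timestamp, src, dst, bytes) tuples from the constructed log format."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_beacons(records, min_connections=5, max_jitter=0.10):
    """Group connections by (src, dst) and score how regular their timing is.

    A pair is reported when it has at least min_connections events and the
    coefficient of variation (stdev / mean) of the gaps between consecutive
    connections is at or below max_jitter, i.e. the host is calling home on a
    near-fixed schedule. Returns {(src, dst): {"count", "mean_gap_s", "jitter"}}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons[pair] = {
                "count": len(times),
                "mean_gap_s": round(avg, 1),
                "jitter": round(jitter, 3),
            }
    return beacons


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {info['count']} connections, "
              f"every ~{info['mean_gap_s']}s, jitter {info['jitter']}")
```

On the constructed sample, the five-minute check-ins to 203.0.113.77 are reported (six connections, roughly 300 seconds apart, jitter well under 1%), while the irregular, bursty traffic to 198.51.100.10 is not. The thresholds are deliberately loose; on real flow data you would tune them, exclude known-good destinations such as update servers, and hand the surviving pairs to the investigators rather than to a packet monitor pointed at the C2.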
In conclusion, I’ll be watching to see where Rep. Graves is headed with his bill. Taking one of the impediments away will be helpful. It will open the door for private security firms to take a more active role in helping to identify who the hackers are. Then perhaps organizations like InfraGard can take an even more proactive role in assisting law enforcement with putting additional pressure on the hackers to find other things to do with their time.
Brian Toevs, PhD, MBA
Sector Chief – Financial Services
InfraGard Indiana Members Alliance
Work: (812) 238-2165
iPhone: (540) 815-3465