
Data Breaches: Uncovering the Known and the Unknown

April 7, 2021 / Blog Post / by Adlumin Staff

Imagine trusting a company enough to give them access to your personal information, only to find out it was compromised during a data breach. Do you know where your information goes once it has been breached? Are you educated on how to protect yourself or your organization from cybercriminals? If the answer is no, you’re reading the right article.

We know that data breaches are dangerous, but just how harmful or expensive can they be? Simply put, data breaches have the power to take down an entire organization and its surrounding community. According to the Ponemon Institute, the average total cost of a data breach in the United States in 2020 was $8.64 million. This means that not only is your sensitive information at stake, but capital, company investments, and budgets are vulnerable as well.

In this article, we will uncover the reality behind data breaches. We will gain a deeper understanding of what happens after a breach occurs, prevention, and the vital role cybersecurity plays in all of this.

The Ripple Effects of a Breach

When a company is breached, it can result in fines, lawsuits, and brand reputation loss with customers, partners, and employees. In 2019, an estimated 15 billion personal records were lost, and by the beginning of Q4 of 2020, an estimated 36 billion were compromised. These breaches include information like first/last name, address, phone number, usernames, passwords, etc. Even answers to many knowledge-based authentication (KBA) questions have been compromised (e.g., what was the make and model of your first car?). Because so many different companies rely on this type of data to identify their customers, a single breach can have widespread ramifications for companies that were not breached.

While criminals can use this data to perpetrate a variety of crimes at other companies, two of the fastest-growing are account takeover (ATO) and synthetic identity fraud. Because many people use the same password for multiple accounts or recycle passwords, criminals can use stolen usernames and passwords to take over numerous accounts. Alternatively, they can use stolen KBA questions/answers to pose as a consumer, reset their password, and take over the account. It is estimated that ATO has risen 650% in Q1 alone. While this number may be troubling, criminals are limited by the number of real accounts.

To circumvent the limitations of account takeover, criminals have begun creating accounts for entirely fictitious people to commit crimes. Synthetic identity fraud occurs when criminals combine fictitious and factual information to create new identities. They can then use these identities to steal a variety of goods and services. If the identity is ever flagged as fraudulent, the criminal simply abandons it and makes another. As long as breaches continue to occur, synthetic identity fraud is a crime without limit.

Cybersecurity is the Solution

The truth is that data breaches impact both consumers and businesses; however, businesses play the most critical role in prevention. In today’s market, organizations have an increased demand for cybersecurity solutions to reduce IT teams’ capacity concerns and add firmer security layers, making it harder for cybercriminals to breach networks successfully.

A Security Information and Event Management (SIEM) platform is the best possible cybersecurity solution. As the number of data breaches continues to grow, SIEM platforms are evolving to prevent and expose vulnerabilities, attacks, criminals, and other cybersecurity threats. If your business is looking to invest in a cybersecurity solution, this section will provide a deeper understanding of key Next-Gen SIEM features:

  1. User & Entity Behavior Analytics (UEBA): The platform should consist of artificial intelligence and machine learning algorithms, which analyze account-based threats and write your SIEM rules.
  2. Privilege Abuse and Account Takeover Prevention: The platform should use artificial intelligence to detect both known and unknown threats. Make sure it can explicitly look for and determine insider threats, account takeovers, and privilege abuse or misuse.
  3. One-Touch Compliance Reporting: The platform should give you the ability to download compliance reports in seconds or schedule and deliver them to your inbox on a weekly, monthly, or quarterly basis.
  4. Managed Compliance, Detection, and Response (MCDR): Look for a SIEM that includes a 24/7 Security Operations Center (SOC) service. It should offer a managed service for your SIEM platform to quickly enhance your organization’s threat detection and response times.
  5. 24/7 Search for Compromised/Leaked Accounts on the Deep and Dark Web: The platform should allow you to extend your defensive capabilities beyond firewalls, endpoints, and security devices into Russian ID theft forums and the criminal underground.
  6. No Data Limits: An ideal SIEM should allow you to ingest as much data as needed and at no extra cost.
  7. Easy Deployment: Getting your platform up and running should be a fast and seamless process. Consider platforms that can deploy in 90 minutes or less.

To combat potential threats, demanding these features out of your cybersecurity solution should be non-negotiable. Cybercriminals are becoming more creative with their attack methods, which means organizations, big and small, need to ensure their security posture is in the best possible shape.

Prevention is the Answer

The key to building a better cybersecurity experience is rooted in the relationship between a Next-Gen platform and its users. As a consumer, when it comes to data breaches, the first thing that should come to mind is prevention. Here are a few recommendations for protecting yourself from cybercriminals who have mastered the art of bypassing the top network defenses:

  1. Use Multi-Factor Authentication: This will provide extra layers of security (e.g., security code texts, security questions, security puzzles, and more).
  2. Don’t Trust Unknown Emails, Links, Images, and Attachments: These create the perfect opportunities for intruders to gain entry and execute their plan of attack. The bottom line is, do not open or click on anything unfamiliar. Phishing emails are a common type of cyberattack used to gain access to your personal information.
  3. Avoid Weak Password Reuse: A weak password is the perfect entry point for cybercriminals. At a minimum, a strong password should be 8-12 characters long and include numbers, letters, and special characters. Avoid using the same password for all of your accounts to reduce your chances of being breached by malicious intruders.
  4. Monitor Your Accounts Closely: Staying on top of your account activity is essential because you are more likely to catch any suspicious behavior head-on.
  5. Avoid Using Public Wi-Fi: Sign in to your accounts only when connected to trusted, private networks. This will decrease hackers’ chances of gaining access to your personal information/login information.
  6. Combine usability with security: New authentication methods like biometric capture can make authentication as simple as scanning your finger or taking a selfie. Unlike KBA, it is much more difficult for criminals to phish and reuse biometrics. Companies should also exercise caution and work with experienced partners when deploying biometrics since biometrics cannot be reset if they are stolen.

The truth is that businesses and consumers are responsible for protecting their networks, servers, and personal and professional information. By following these few steps and tips, you can help prevent cybercriminals from accessing your personal information and your organization’s network.

Building a Secure Cyberworld Together

The takeaway here is that businesses need consumer cooperation to uphold their cybersecurity posture, and consumers need businesses to ensure their security policies, protocols, and platforms will defend their information. Cultivating a trustworthy relationship is the best way to prevent data breaches. Breaches in data come with extra baggage, which can take a business years to unpack. Consequently, there are tremendous potential consequences of a breach involving sensitive personal information, like biometrics, used for identity authentication and account access. It is essential to maintain robust risk-management practices that balance data protection and network defenses with usability.

There is a more substantial chance of combating data breaches if everyone does their part. Finding the perfect prevention formula depends on your organization’s prioritization of cybersecurity and improving its posture.

About Adlumin

Adlumin Inc. is the latest advanced security and compliance automation platform built for corporate organizations that demand innovative cybersecurity solutions and easy-to-use, comprehensive reporting tools. The Adlumin team has a passion for technology and solving the most challenging problems through the targeted application of data science and compliance integration. Our mission is to “add luminosity” or visibility to every customer’s enterprise network through real-time threat detection, analysis, and response to ensure sensitive data remains secure.

About Trust Stamp

Trust Stamp is a global provider of AI-powered identity services for use in multiple sectors including banking and finance, regulatory compliance, government, real estate, communications, and humanitarian services. Its technology empowers organisations with biometric identity solutions that reduce fraud, protect personal data privacy, increase operational efficiency and reach a broader base of users worldwide through its unique data transformation and comparison capabilities.

Automated Indicator Sharing (AIS)

April 2, 2021 / Blog Post / Dan McQuade / by Adlumin Staff

Threat intelligence has become an essential part of the security landscape. The best solutions, like Adlumin, use machine learning to automate data collection and processing. They integrate with your existing third-party solutions, take in unstructured data from a variety of disparate feeds, and then provide context on indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) of threat actors. Good threat intelligence is actionable – it provides context, is timely, and provides decision-makers with insights about the threat at hand.

Over the past year, the engineering team at Adlumin has been working to strengthen our platform’s threat intelligence capabilities, and we recently launched an exciting new integration with CISA/DHS. Adlumin is now a participating member of CISA’s Automated Indicator Sharing (AIS) program. Threat intelligence feeds from AIS are pulled throughout the day. We are constantly scanning incoming and historical event data for indicators of compromise that we parse out of the feeds.

The AIS ecosystem empowers participants to share cyber threat indicators and defensive measures, such as information about attempted adversary compromises as they are being observed, helping protect other participants of the AIS community and ultimately limit the adversary’s use of an attack method. In the future, we will enable Adlumin customers to flag the IoCs they spot on their networks. Once a flagged indicator has been reviewed and confirmed, it will be submitted to AIS, where it will be shared with the community at large. More information about the AIS program is below.

Automated Indicator Sharing (AIS), a Cybersecurity and Infrastructure Security Agency (CISA) capability, enables the real-time exchange of machine-readable cyber threat indicators and defensive measures to help protect AIS community participants and ultimately reduce the prevalence of cyberattacks. The AIS community includes private sector entities; federal departments and agencies; state, local, tribal, and territorial (SLTT) governments; information sharing and analysis centers (ISACs), and information sharing and analysis organizations (ISAOs); and foreign partners and companies.

AIS is offered as part of CISA’s mission to work with our public and private sector partners to identify and help mitigate cyber threats through information sharing and provide technical assistance, upon request, that helps prevent, detect, and respond to incidents.

Learn more about AIS at https://www.cisa.gov/ais

Closing the Cybersecurity Skills Gap: Together We Can

January 19, 2021 / Blog Post / Krystal Rennie / by Adlumin Staff

In our last blog post, we discussed in-demand cybersecurity skills that IT workers should be prioritizing in 2021. This post will lift the magnifying glass and take a deep dive into two questions: Why is there a gap in cybersecurity skills? And how do we close that gap?

According to Help Net Security, a recent (ISC)² survey explains, “data suggests that employment in the field now needs to grow by approximately 41% in the U.S. and 89% worldwide to fill the talent gap, which remains a top concern of professionals.” Such gaps in employment opportunities and skills are harmful to both job seekers and the companies seeking experts. It is difficult for companies to find IT professionals who have all the skills needed to meet the continually evolving industry demands. For IT professionals, both rookies and vets, this skills gap creates fewer job opportunities and eliminates experience building. But, before we get too carried away with the repercussions, let’s take a look inside the cybersecurity skills gap.

The Ongoing Cybersecurity Skills Gap

The cybersecurity industry is experiencing an extreme talent shortage across the country, which has been explicitly spotlighted by the ongoing pandemic. Some of the many reasons this gap exists include lack of diversity, trouble attracting candidates into the field, and a continuous change in skillset demands. A recent Silicon Republic article explains, “cybersecurity traditionally has appealed only to a very specific set of candidates because it requires experience and knowledge in other areas, such as system admin, networking or application development, and people with a security mindset. Doing security well is not just following the process and going through the motions; it requires people to be able to think critically and creatively.”

Cybersecurity is no longer a niche industry but is simply one of the most critical sectors in our current workforce climate. With an increased presence in businesses, there is an upgrade in skill expectations. As if the job pool was not already hard enough to navigate, the cybersecurity sector is incredibly competitive – basic tech skills are no longer sufficient to stand apart. Both companies and IT professionals face a challenge finding the proper training materials and tools to develop those essential, in-demand cybersecurity skills.

From budget shortages to experience shortages, the cybersecurity industry is trying to find the perfect balance. Hopefully, we will see this year that an ideal balance does exist.

Diversifying the Industry is Key

The first step to closing the industry’s skills gap is to address and change the narrative of the stereotypical cybersecurity professional. From gender to race gaps, there is a definite lack of diversity within the cybersecurity industry. According to the IB Times, “in North America, women make up only 14% of the cybersecurity workforce, the highest regional concentration in the world. Black and Hispanic only make up 9% and 7% of STEM workers, respectively.” To broaden the different backgrounds within the industry, companies must consider doing the following:

  • Partnerships: Companies looking to diversify their IT departments should look into partnering with community organizations that work to create access to resources that offer support for diverse candidates as they enter the cybersecurity field.
  • Promoting Growth: Companies should encourage growth opportunities to candidates and broaden their expectations for rookies entering the field. Focus more on granting professionals experience and less on expecting the full experience.
  • Training Programs: Companies should invest in programs that will train cybersecurity professionals on the most-in-demand skills, providing them opportunities to engage in certification programs. This will help bring your employees up to speed and evolve as professionals.

Tackling the lack of diversity within the cybersecurity sector is a big task that will not happen overnight. However, if we are going to have a fair chance of shrinking the skills gap, we must take the steps necessary to expand the top of the funnel and ensure that professionals have the proper tools, training, and employment opportunities needed to succeed in the field.

A Bright Future

Although cybersecurity is facing a few challenges, there is light at the end of the tunnel. Closing the skills gap must be a combined effort by companies and professionals. A mutually beneficial relationship will shrink this hole in the industry’s talent pool. It will also propel the movement forward and create endless possibilities for advancing security and compliance technologies. The overarching theme here is that as cybersecurity’s popularity increases, the need for skilled, well-rounded, and diverse professionals will also increase. It is up to us to do our part in making sure that the industry’s future shines bright through times of uncertainty and success.

In-Demand: Top Cybersecurity Skills in 2021

January 6, 2021 / Blog Post / Krystal Rennie / by Adlumin Staff

Hello, 2021! What a relief it is that we can all start fresh in the new year. For many companies, that fresh start includes new budgets, new department goals, and most importantly, new hiring priorities. According to Cybercrime Magazine, “the world will have 3.5 million unfilled cybersecurity jobs by the end of 2021. Every IT position is also a cybersecurity position now. Every IT worker, every technology worker, needs to be involved with protecting and defending apps, data, devices, infrastructure, and people.”

As companies move beyond the basics of various artificial intelligence (AI) and machine learning (ML), IT experts are looking to become more innovative with their department’s projects. Consequently, companies enter the new year with open job listings looking to diversify their teams and skillsets. If your company is looking to hire new IT employees, a potential first step should be to identify what skill sets your team is currently missing or lacking.

New Year, New Skill Requirements

While we may start the new year off with a clean slate, it does not mean that cybercriminals or attacks will no longer be an issue. If we have learned anything from 2020, it is that cybercriminals are sneakier, smarter, and more sophisticated with their attacks. For that very reason, IT teams must have employees with both basic and advanced cybersecurity skills. Below are some of the most in-demand cybersecurity and tech skills to master in 2021:

  1. Cloud-Native Architecture Skills: Companies seek to do less of the heavy lifting when it comes to projects and building products and services in a cloud-native architecture. As a direct result, employees with expertise in cloud foundations and containers will be in high demand for companies seeking IT professionals.
  2. Artificial Intelligence and Automation Skills: According to TechRepublic, “artificial intelligence is moving out of the early adopter phase and into more mainstream use.” Some Security Information and Event Management (SIEM) companies use AI and ML to perform User and Entity Behavior Analytics (UEBA) and to distinguish malicious behavior from merely anomalous behavior in the network. This means that companies need employees who can follow the AI trail to find bad actors in the network. As AI’s popularity grows in the industry, basic knowledge of its processes will no longer be enough. Employers need to see that professionals have a deep understanding of accessing data sets using AI and automation tools.
  3. Risk Management Skills: More companies prioritize IT experts who have a deep understanding of which threats pose the most significant risk and can identify those threats. This is a requirement so that tools and training materials are accurately allocated within the department and result in innovative processes and protection.
  4. Data Management Skills: As claimed by a CSO Magazine article, “the security department is one of the biggest generators of data within the enterprise, and in many organizations, it’s becoming one of the biggest consumers of data, too, as it seeks to use the information to drive more effective and efficient protection strategies.” Data management plays an integral role within the IT department as more experienced engineers must handle massive amounts of data to prevent and protect against threats.
  5. Technical Fundamentals: Most IT experts are looking for employees who understand technology at the most fundamental levels. Financial institution IT personnel specifically need to understand technical tools and platforms. Hiring managers are looking to build teams that consist of employees who understand technical fundamentals—the IT components that make up the digital world’s infrastructure. Expertise in programming, system administration, and networking is among the fundamental necessities.
  6. Interpersonal Skills: It is an undeniable fact that teamwork requires many interpersonal skills. As also stated in the CSO article, “the cybersecurity function has become not only more critical with the rise of the digital economy, it has become more prominent as well. That puts security professionals in front of the C-suite, board members, and employees with greater frequency. So, they must be able to collaborate, communicate, and consult with these various stakeholders.”

In order to build a robust cybersecurity department, the ideal candidate must balance interpersonal and technical skills specific to the profession. Ensuring you are looking for the right mix of skills plays a crucial role in the hiring process and can ultimately make or break your department’s success.

Cybersecurity Expectations in 2021 and Beyond

This year, it is essential that companies realize that cybersecurity solutions are no longer a luxury but simply a requirement. As mentioned in Cybercrime Magazine, “global spending on cybersecurity products and services are predicted to exceed $1 trillion (cumulatively) over five years.” As companies invest more money, resources, and technologies into their IT departments, picking the most qualified IT experts who can meet industry demands will be crucial.

We will continue to see cybersecurity solutions expand in their capabilities and impact requirements (or standards) across other industries, resulting in an increased demand for new IT roles. The bottom line is that IT professionals and departments cannot reach their full potential without developing both the foundational and advanced cybersecurity skills necessary to remain victorious against threats in the cyberworld.

Be on the Lookout: Top Cybersecurity Trends in 2021

November 30, 2020 / Blog Post / Krystal Rennie / by Adlumin Staff

As we begin reflecting on this unpredictable year, it is safe to say that 2020 was one for the record books. While many industries experienced priority shifts, the cybersecurity industry faced a complete revamp. Considering this year’s challenges and routine changes – from lockdowns to remote work – we must continue evolving our cybersecurity strategies as we continue to encounter future obstacles and threats.

As the world’s workforce has moved from company buildings to in-home offices, the need for data security is at an all-time high. Gartner Forecast Analysis stated, “the worldwide information security market is forecast to reach $170.4 billion in 2022.” There are many reasons for this projection, but at its core, it comes down to the heightened need for cybersecurity solutions and tools on a global scale.

This blog post will discuss several promising trends that will guide network security efforts across the industry in 2021.

Cybersecurity in 2021

To say that navigating this year’s changes within the cybersecurity industry was challenging is an understatement. Whether you enjoy planning ahead or not, now is the best time to explore what the future of cybersecurity looks like for IT professionals and your organization. Below are a few of the top industry trends to be on the lookout for in 2021, according to Analytics Insight:

  1. Cloud Breaches: Due to the COVID-19 pandemic, there has been an increase in support for public, private, and hybrid cloud usage as more businesses have adapted to the cloud. New potential cyber threats will drive an increase in the demand for infrastructure security.
  2. Artificial Intelligence Integration: Security professionals across the country are experiencing intense pressure to do more with less. As a result, automation and integration have become essential everywhere. By incorporating AI into processes like ModelOps and DevOps, companies will manage and reduce risk while upholding development quality.
  3. BYOD and Mobile Security: With remote work on the rise, more businesses call for employees to use their own devices. Bring-your-own-device (BYOD) is a trend likely to continue because it minimizes costs and increases overall productivity. An expectation is that employees’ schedules will continue to be more flexible now that remote work is the new norm.
  4. Internet of Things (IoT) Threats: This has been an ongoing trend for the last 10 years as sensor data continues to make IoT more rewarding. According to the Analytics Insight article, “Things will get more and more serious over the years. Expect more of hardcoded passwords, non-encrypted personal data, updates of software and firmware from unverified sources, issues related to wireless communication security and more. All of these are actual threats connected with IoT devices placed at home, public place, or enterprise.”
  5. Insider Targeted Attacks/Error: Human error is a massive threat to cybersecurity. With no sign of remote work ending, we may see an uptick in data breaches and insider attacks. Businesses must embrace all data storage options that will safely transfer information from one source to another. Keeping sensitive and employee-accessed data safe should remain a top priority.
  6. Investments in Security: The expectation is that cybersecurity will have a big 2021. Developing a solid plan for defending against malicious attacks should be a top goal for your IT department. You may even consider making a significant yet critical investment in a security and compliance platform to secure your network.

With all the uncertainty this year has caused, it is not surprising that these trends help define the future of cybersecurity. As we enter the new year, it is refreshing to know that protection and prevention hold a crucial spot on IT teams’ priority list.

New Year, New Expectations, New Themes

If your organization is anything like other financial institutions trying to navigate the cyberworld, you have high hopes and expectations for cybersecurity advancements in upcoming years. The trends stated above are only a few examples of what businesses must know to navigate the future cyber world. Gartner’s Top Strategic Technology Trends for 2021 claims that cybersecurity in the new year will also focus on these three themes:

  1. People Centricity: Businesses will center around the people they serve. People will need to be motivated by digital tools to interact and stay connected.
  2. Location Independence: Technology will continue to shift to accommodate and support remote work.
  3. Resilience: Cybersecurity will withstand whatever global challenges and risks come its way through smarter technology, proper preparation, and execution.

It is safe to say that quite a few cybersecurity solutions have a bright future, and growth is happening within the industry. Between 2021 trends and themes, we should be encouraged by the focus on community building, which is an essential pillar of the cybersecurity industry. Regardless of how your organization decides to incorporate these predictions into your IT roadmap, remember that the key to a happy customer is a secure one.

Active Defense and "Hacking Back": A Primer

May 28, 2018 / Blog Post / Scott Berinato / by Adlumin Staff

In the lead piece in this package, Idaho National Lab’s Andy Bochman puts forth a provocative idea: that no amount of spending on technology defenses can secure your critical systems or help you keep pace with hackers. To protect your most valuable information, he argues, you need to move beyond so-called cyber hygiene, the necessary but insufficient deployment of security software and network-monitoring processes.

Bochman lays out a framework that requires switching your focus from the benefits of efficiency to the costs. Ideas that were once anathema — unplug some systems from the internet, de-automate in some places, insert trusted humans back into the process — are now the smart play.

But they’re not the only play. Another that’s gaining attention is “active defense.” That might sound like Orwellian doublespeak, but it’s a real strategy. It involves going beyond passive monitoring and taking proactive measures to deal with the constant attacks on your network.

There’s just one problem: As active defense tactics gain popularity, the term’s definition and tenets have become a muddy mess. Most notably, active defense has been conflated with “hacking back” — attacking your attackers. The approaches are not synonymous; there are important differences with respect to ethics, legality, and effectiveness.

Active defense has a place in every company’s critical infrastructure-protection scheme. But to effectively deploy it, you need a proper understanding of what it is — and that’s tougher to come by than you might expect.

We enlisted two of the foremost experts on the topic to help us proffer an authoritative definition of active defense and give you a fundamental understanding of how to deploy it.

Dorothy Denning was an inaugural inductee into the National Cyber Security Hall of Fame. A fellow of the Association for Computing Machinery and a professor at the Naval Postgraduate School, she has written several books on cybersecurity, including Information Warfare and Security. She also coauthored a landmark paper on active defense, which states, “When properly understood, [active defense] is neither offensive nor necessarily dangerous.”

Robert M. Lee is a cofounder of Dragos, an industrial security firm. He conducted cyber operations for the NSA and U.S. Cyber Command from 2011 to 2015. In October 2017 his firm identified the first known malware written specifically to target industrial safety systems — in other words, its sole purpose was to damage or destroy systems meant to protect people. (The malware had been deployed that August against a petrochemical plant in Saudi Arabia, but the attack failed.) When asked about active defense, Lee sighs and asks flatly, “How are you defining it?” You can tell he’s had this conversation before. The number of people co-opting the term seems to have wearied him, and he’s happy to help bring clarity to the idea.

The following FAQ primer draws on interviews with Denning and Lee.

What exactly is active defense, also known as active cyber defense?

It depends on whom you ask. The term has almost as many definitions as it does citations. NATO defines active defense this way: “A proactive measure for detecting or obtaining information as to a cyber intrusion, cyber attack, or impending cyber operation or for determining the origin of an operation that involves launching a preemptive, preventive, or cyber counter-operation against the source.”

A solid working definition can be found in Denning’s paper with Bradley J. Strawser, “Active Cyber Defense: Applying Air Defense to the Cyber Domain”: “Active cyber defense is a direct defensive action taken to destroy, nullify, or reduce the effectiveness of cyber threats against friendly forces and assets.”

That sounds like offense, but Lee and Denning note that it describes a strictly defensive action — one taken in reaction to a detected infiltration. Lee argues that there’s a border distinction: Active defense happens when someone crosses into your space, be it over a political boundary or a network boundary. But Denning says that’s probably too simple, and below we’ll see a case in which the line is blurred. Lee says, “Most experts understand this, but it’s important to point out, especially for a general audience. You are prepared to actively deal with malicious actors who have crossed into your space. Sending missiles into someone else’s space is offense. Monitoring for missiles coming at you is passive defense. Shooting them down when they cross into your airspace is active defense.”

Can you give some other examples?

Denning says, “One example of active cyber defense is a system that monitors for intrusions, detects one, and responds by blocking further network connections from the source and alerting the system administrator. Another example is taking steps to identify and shut down a botnet used to conduct distributed denial-of-service (DDoS) attacks.” It’s the verbs “responds” and “shut down” that make these instances of active defense. An example of passive defense, in contrast, is an encryption system that renders communications or stored data useless to spies and thieves.
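Denning’s first example, an intrusion monitor that blocks the source and alerts an administrator, is the smallest unit of active defense most organizations already run. The following is an added illustration of that loop, not code from the article or from any product it mentions. It replays constructed sshd-style log lines (not captured from a real host), counts failed logins per source inside a sliding window, and on reaching a threshold records the firewall rule it would apply and the alert it would send. The allowlisted management host 10.0.0.5 and the iptables rule text are assumptions; nothing is actually executed.

```python
"""Detect-and-respond loop of the kind Denning describes: watch an auth log,
block a source that keeps failing to log in, and alert the administrator.

Added example; not code from the original article. The log lines are
constructed in the style of OpenSSH's sshd messages, and the firewall and
alert hooks only record what they would have done (no iptables is run).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (sshd-style); not captured from any real host.
SAMPLE_LOG = """\
2021-03-01T10:00:01 sshd[1201]: Failed password for root from 198.51.100.23 port 50122 ssh2
2021-03-01T10:00:03 sshd[1201]: Failed password for root from 198.51.100.23 port 50123 ssh2
2021-03-01T10:00:04 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 50124 ssh2
2021-03-01T10:00:05 sshd[1201]: Accepted publickey for alice from 203.0.113.8 port 40001 ssh2
2021-03-01T10:00:06 sshd[1201]: Failed password for invalid user oracle from 198.51.100.23 port 50125 ssh2
2021-03-01T10:00:07 sshd[1201]: Failed password for root from 198.51.100.23 port 50126 ssh2
2021-03-01T10:00:08 sshd[1201]: Failed password for root from 198.51.100.23 port 50127 ssh2
2021-03-01T10:01:00 sshd[1201]: Failed password for bob from 10.0.0.5 port 33001 ssh2
2021-03-01T10:01:01 sshd[1201]: Failed password for bob from 10.0.0.5 port 33002 ssh2
2021-03-01T10:01:02 sshd[1201]: Failed password for bob from 10.0.0.5 port 33003 ssh2
2021-03-01T10:01:03 sshd[1201]: Failed password for bob from 10.0.0.5 port 33004 ssh2
2021-03-01T10:01:04 sshd[1201]: Failed password for bob from 10.0.0.5 port 33005 ssh2
2021-03-01T10:20:09 sshd[1201]: Failed password for bob from 192.0.2.77 port 31338 ssh2
2021-03-01T10:30:09 sshd[1201]: Failed password for bob from 192.0.2.77 port 31339 ssh2
2021-03-01T10:40:09 sshd[1201]: Failed password for bob from 192.0.2.77 port 31340 ssh2
2021-03-01T10:50:09 sshd[1201]: Failed password for bob from 192.0.2.77 port 31341 ssh2
2021-03-01T11:00:09 sshd[1201]: Failed password for bob from 192.0.2.77 port 31342 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


class ActiveDefender:
    """Sliding-window brute-force detector with a blocking response."""

    def __init__(self, threshold=5, window_seconds=60, allowlist=frozenset({"10.0.0.5"})):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        # Assumption: 10.0.0.5 is a management host we must never lock out;
        # such sources get an alert but no block.
        self.allowlist = allowlist
        self.failures = defaultdict(deque)   # src -> timestamps of recent failures
        self.blocked = {}                    # src -> firewall rule that was "applied"
        self.alerts = []                     # messages that would go to the administrator

    def process_line(self, line):
        """Feed one log line; return the action taken ('block', 'alert-only') or None."""
        m = FAILED_RE.match(line)
        if not m:
            return None                      # not a failed login: nothing to do
        src, ts = m["src"], datetime.fromisoformat(m["ts"])
        if src in self.blocked:
            return None                      # already dropped at the firewall
        recent = self.failures[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) < self.threshold:
            return None
        return self.respond(src, ts, len(recent))

    def respond(self, src, ts, count):
        """The 'active' part: block the source and tell a human."""
        if src in self.allowlist:
            self.alerts.append(f"{ts.isoformat()} ALERT {count} failed logins from allowlisted {src}")
            return "alert-only"
        # In production this would be executed (or handed to fail2ban, a
        # firewall API, etc.); here it is only recorded.
        self.blocked[src] = f"iptables -I INPUT -s {src} -j DROP"
        self.alerts.append(f"{ts.isoformat()} BLOCKED {src} after {count} failed logins")
        return "block"


def run(log_text, **kwargs):
    """Replay a log through the defender and return it for inspection."""
    defender = ActiveDefender(**kwargs)
    for line in log_text.splitlines():
        defender.process_line(line)
    return defender


if __name__ == "__main__":
    d = run(SAMPLE_LOG)
    print("\n".join(d.alerts))
    print("blocked:", sorted(d.blocked))
```

Three things in the sample are worth noticing. The burst from 198.51.100.23 is blocked on its fifth failure; the same burst from the allowlisted host only raises an alert, because an automated block that cuts off your own administrators is a self-inflicted denial of service; and the slow attempts from 192.0.2.77, one every ten minutes, never trip a 60-second window at all. Widening the window (the `window_seconds` parameter) catches that low-and-slow pattern at the cost of more false positives, which is the trade-off any threshold-based response has to make. Note also that the response stays entirely inside your own border: a DROP rule on your firewall, not a packet sent at the attacker.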

Is active defense only an information security concept?

Not at all. Some argue that it dates back to The Art of War, in which Sun Tzu wrote, “Security against defeat implies defensive tactics; ability to defeat the enemy means taking the offensive.” Centuries later Mao Zedong said, “The only real defense is active defense,” equating it to the destruction of an enemy’s ability to attack — much as aggressive tactics in active cyber defense aim to do. The term was applied in the Cold War and, as Denning and Strawser’s paper makes clear, is a core concept in air missile defense. Tactics are tactics; all that changes is where they’re employed.

That seems pretty straightforward. So why the uncertainty around the definition?

As noted earlier, hacking back — also not a new term — has confused matters. Properly used, it refers to efforts to attack your attackers on their turf. But because people often fuse it with active defense, difficult and sometimes frustrating disputes over the merits of active defense have ensued. One research paper went so far as to equate the two terms, starting its definition, “Hack back — sometimes termed ‘active defense’…”

The confusion multiplied in October 2017, when Representatives Tom Graves (R-GA) and Kyrsten Sinema (D-AZ) introduced the Active Cyber Defense Certainty (ACDC) bill, which would allow companies to gain unauthorized access to computers in some situations in order to disrupt attacks. The lawmakers called this active defense. The media called it the “hack back bill.” What it would and would not allow became the subject of hot debate. The idea that companies could go into other people’s infected computers wasn’t welcomed. Some savaged the bill. The technology blog network Engadget called it “smarmy and conceited” and observed, “When you try to make laws about hacking based on a child’s concept of ‘getting someone back,’ you’re getting very far and away from making yourself secure. It’s like trying to make gang warfare productive.” The bill went through two iterations and, as of this article’s original publication in May 2018, was stalled.

But is hacking back part of active defense?

Probably not. Lee says unequivocally, “Hacking back is absolutely not active defense. It’s probably illegal, and it’s probably not effective. We don’t have evidence that attacking attackers works.” Denning has a somewhat different take. “Hacking back is just one form of active defense,” she says. “It might be used to gather intelligence about the source of an intrusion to determine attribution or what data might have been stolen. If the attacker is identified, law enforcement might bring charges. If stolen data is found on the intruder’s system, it might be deleted. Hacking back might also involve neutralizing or shutting down an attacking system so that it cannot cause further damage.”

But Lee and Denning are defining the term differently. And Denning’s version refers to actions undertaken with proper authority by government entities. When it comes to hacking back on the part of businesses, the two experts are in total agreement: Don’t do it. Denning says, “Companies should not hack back. The Department of Justice has advised victims of cyberattacks to refrain from any ‘attempt to access, damage, or impair another system that may appear to be involved in the intrusion or attack.’ The advice contends that ‘doing so is likely illegal, under U.S. and some foreign laws, and could result in civil and/or criminal liability.’”

What’s an example of an aggressive form of active defense that some might consider hacking back?

Denning says, “One of my favorite examples of active defense led to the exposure of a Russian hacker who had gotten malicious code onto government computers in the country of Georgia. The malware searched for documents using keywords such as “USA” and “NATO,” which it then uploaded to a drop server used by the hacker. The Georgian government responded by planting spyware in a file named “Georgian-NATO Agreement” on one of its compromised machines. The hacker’s malware dutifully found and uploaded the file to the drop server, which the hacker then downloaded to his own machine. The spyware turned on the hacker’s webcam and sent incriminating files along with a snapshot of his face back to the Georgian government.

Is that hacking back? I don’t think so. It was really through the hacker’s own code and actions that he ended up with spyware on his computer.”

Note that the actions were taken by a government and occurred within its “borders”; Georgia put the spyware on its own computer. It did not traverse a network to hit another system. It was the hacker’s action of illegally taking the file that triggered the surveillance.
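The Georgian case works because the trap never leaves the defender’s own system: a decoy document is planted, and the intruder’s own act of stealing and opening it is what exposes him. The following added example, which is not code from the article or from the Georgian government’s operation, shows the defensive half of that pattern without any spyware: the decoy carries only a beacon URL, and the defender correlates requests for that URL back to the specific planted file. The beacon host docs.example.test, the server-side secret, the decoy ID and the access-log lines are all constructed for the example. The tokens are HMAC-authenticated so that an attacker who notices the beacon cannot flood the defender with forged hits.

```python
"""Decoy-document correlation in the spirit of the Georgian-NATO case: the
trap lives on your own machine, and it is the intruder's act of taking and
opening the file that identifies him.

Added example; not code from the original article or the Georgian case, and
it does not plant spyware: the decoy merely references a beacon URL that
exists only to be fetched. The beacon host docs.example.test, the secret,
the decoy ID and the access-log lines are assumptions/constructed.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Assumption: kept server-side only; never embedded in a decoy.
BEACON_SECRET = b"replace-with-a-random-key-held-by-the-defender"
BEACON_HOST = "docs.example.test"


@dataclass
class Decoy:
    decoy_id: str
    planted_path: str      # where on our own system the file was placed
    label: str


class DecoyRegistry:
    """Issues authenticated beacon tokens and maps beacon hits back to decoys."""

    def __init__(self, secret=BEACON_SECRET):
        self.secret = secret
        self.decoys = {}

    def _tag(self, decoy_id):
        # The tag lets us reject forged or guessed tokens, so an attacker who
        # notices the beacon cannot flood us with fake 'hits' on other decoys.
        return hmac.new(self.secret, decoy_id.encode(), hashlib.sha256).hexdigest()[:16]

    def plant(self, planted_path, label, decoy_id=None):
        """Register a decoy and return the document text to write to planted_path."""
        decoy_id = decoy_id or secrets.token_hex(8)
        self.decoys[decoy_id] = Decoy(decoy_id, planted_path, label)
        token = f"{decoy_id}.{self._tag(decoy_id)}"
        return (
            f"CONFIDENTIAL DRAFT - {label}\n"
            f"Full text and annexes: https://{BEACON_HOST}/b/{token}\n"
        )

    def lookup(self, token):
        """Return the Decoy for a valid token, or None for a malformed/forged one."""
        decoy_id, sep, tag = token.partition(".")
        if not sep or decoy_id not in self.decoys:
            return None
        if not hmac.compare_digest(tag, self._tag(decoy_id)):
            return None
        return self.decoys[decoy_id]


# Beacon hits as they appear in a web server's access log (common log format).
BEACON_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /b/(?P<token>[^ "]+) HTTP/1\.[01]"'
)


def correlate(registry, access_log):
    """Turn beacon requests into (source IP, time, planted path, label) hits."""
    hits = []
    for line in access_log.splitlines():
        m = BEACON_RE.match(line)
        if not m:
            continue
        decoy = registry.lookup(m["token"])
        if decoy is None:
            continue                        # forged or garbled token: no alert
        hits.append((m["src"], m["ts"], decoy.planted_path, decoy.label))
    return hits


def demo():
    """Plant one decoy, then replay a constructed access log against it."""
    reg = DecoyRegistry()
    reg.plant("/srv/share/Georgian-NATO Agreement.docx", "Georgian-NATO Agreement",
              decoy_id="7c1f2a9b3d4e5f60")
    good = f"7c1f2a9b3d4e5f60.{reg._tag('7c1f2a9b3d4e5f60')}"
    forged = "7c1f2a9b3d4e5f60.0000000000000000"
    access_log = (  # constructed, not from a real server
        f'198.51.100.77 - - [01/Mar/2021:10:15:02 +0000] "GET /b/{good} HTTP/1.1" 200 512\n'
        f'203.0.113.9 - - [01/Mar/2021:10:16:30 +0000] "GET /b/{forged} HTTP/1.1" 404 0\n'
        f'203.0.113.9 - - [01/Mar/2021:10:17:00 +0000] "GET /index.html HTTP/1.1" 200 2048\n'
    )
    return correlate(reg, access_log)


if __name__ == "__main__":
    for src, ts, path, label in demo():
        print(f"{ts}: {src} opened decoy '{label}' planted at {path}")
```

What the defender learns from a hit is exactly what the passive setup can yield: which decoy was taken, when it was opened, and from what address. That is enough to confirm exfiltration and start attribution without touching any machine but your own. Going further, as Georgia did by turning on the intruder’s webcam, is where Denning’s “is that hacking back?” question starts, and it is the step a company should leave to law enforcement.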

If it’s probably illegal and ineffective, why is hacking back getting so much press?

Companies are weary. “They are under constant attack and working so hard and spending so much just to keep up, and they can’t keep up,” Lee says. “This is a moment when we’re looking for new ideas. That’s why Bochman’s concept of unplugging systems and not always going right to the most efficient solution is starting to be heard. Hacking back feels like another way to turn the tide. Cybersecurity loves a silver bullet, and this feels like one. CEOs are probably thinking, ‘Nothing else has worked; let’s fight.’” Lee has heard many business leaders express these sentiments, especially if their companies have suffered damaging attacks. “This is an emotional issue,” he says. “You feel violated, and you want to do something about it.”

In a paper titled “Ethics of Hacking Back,” Cal Poly’s Patrick Lin captures the sense of utter vulnerability that could lead some to desire vigilante justice:

In cybersecurity, there’s a certain sense of helplessness — you are mostly on your own. You are often the first and last line of defense for your information and communications technologies; there is no equivalent of state-protected borders, neighborhood police patrols, and other public protections in cyberspace. For instance, if your computer were hit by “ransomware” — malware that locks up your system until you pay a fee to extortionists — law enforcement would likely be unable to help you. The U.S. Federal Bureau of Investigation (FBI) offers this guidance: “To be honest, we often advise people to just pay the ransom,” according to Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program. Do not expect a digital cavalry to come to your rescue in time. As online life moves at digital speeds, law enforcement and state responses are often too slow to protect, prosecute, or deter cyberattackers. To be sure, some prosecutions are happening but inconsistently and slowly. The major cases that make headlines are conspicuously unresolved, even if authorities confidently say they know who did them.

What are the ethics of hacking back?

For the most part, experts say that hacking back without legal authorization or government cooperation is unethical. And whenever activities leave your boundaries, it’s hard to condone them. The targets are too evasive, and the networks are too complex, traversing innocent systems and affecting the people working with them. In addition, Lee points out that government entities might be tracking and dealing with malicious actors, and hacking back could compromise their operations. “Leave it to the pros,” he says.

Denning stresses that unintended consequences are not just possible but likely. She says, “The biggest risks come when you start messing with someone else’s computers. Many cyberattacks are launched through intermediary machines that were previously compromised by the attacker. Those computers could be anywhere, even in a hospital or power plant. So you don’t want to shut them down or cause them to malfunction.”

What kind of work is under way with regard to ethics?

According to Denning, researchers began wrestling with these issues as early as 2006. Speaking about a workshop she participated in, she says, “I recall discussions about measures that involved tracing back through a series of compromised machines to find the origin of an attack. Such tracebacks would involve hacking into the compromised machines to get their logs if the owners were not willing or could not be trusted to help out.”

A decade later Denning collaborated with Strawser to examine the morality of active defense writ large, using the ethics of air defense and general war doctrine as a guide. They wrote that harm to “non-combatants” — especially and most obviously physical harm — disqualifies an active defense strategy. But they say that “temporary harm to the property of non-combatants” is sometimes morally permissible. (It should be noted that Denning is primarily focused on government use of active cyber defense strategies.) Denning cites the takedown of Coreflood — malware that infected millions of computers and was used as a botnet. The Justice Department won approval to seize the botnet by taking over its command-and-control servers. Then, when the bots contacted the servers for instructions, the response was essentially, “Stop operating.” In the instance of Coreflood, as in some similar cases, a judge decided that the actions could proceed because they could shut down major malicious code without damaging the infected systems or accessing any information on them.

“The effect was simply to stop the bot code from running. No other functions were affected, and the infected computers continued to operate normally,” Denning says. “There was virtually no risk of causing any harm whatsoever, let alone serious harm.”

Still, the case may have set a precedent for at least the suggestion of more-aggressive measures, such as the ACDC bill. If the government can take control of command-and-control servers, it can, in theory, do more than just tell the bots to shut down. Why not grab some log files at the same time? Or turn on the webcam, as in the Georgian-NATO case? Oversight is needed in all active defense strategies.

How can I deploy an ethical and effective active defense strategy?

If you have or subscribe to services that can thwart DDoS attacks and create logs, you’ve already started. Denning says that many companies are doing more active defense than they realize. “They might not call it active defense, but what they call it matters less than what they do.”

Cooperating with law enforcement and the international network of companies and organizations combating hacking is also part of an active defense strategy. The more companies and agencies that work together, the more likely it is that active defense strategies like the one that took out Coreflood can be executed without harm. Several such operations have taken place without reports of problems.

Denning recommends A Data-Driven Computer Security Defense: THE Computer Security Defense You Should Be Using, by Roger A. Grimes. (Full disclosure: Denning wrote the foreword. “But the book really is good!” she says.)

As for more-aggressive tactics, like the ones proposed in the ACDC bill, proceed with caution. Work with law enforcement and other government agencies, and understand the risks. Denning says, “It’s all about risk. Companies need to understand the threats and vulnerabilities and how security incidents will impact their company, customers, and partners. Then they need to select cost-effective security defenses, both passive and active.” There are limits, she cautions. “Security is a bottomless pit; you can only do so much. But it’s important to do the right things — the things that will make a difference.”

Originally published on Harvard Business Review / May 21, 2018

Scott Berinato is a senior editor at Harvard Business Review and the author of “Good Charts: The HBR Guide to Making Smarter, More Persuasive Data Visualizations”.

Adlumin Cybersecurity

1140 3rd St. NE, Suite 340
Washington, DC 20002
(202) 570-7907

Adlumin is the security operations command center that simplifies complexity and keeps organizations secure. Its innovative technology and seamless integrations create a feature-rich platform with everything sophisticated security teams need, while empowering service providers and organizations of any size with collaboration and transparency for a coordinated, mature defense.

Copyright 2024 Adlumin, Inc. All Rights Reserved
