RSA 2013: Get The Lawyers, Offensive Security Is Go

“This isn’t hacking back,” George Kurtz, president and CEO of CrowdStrike, one of the most talked-about security firms at RSA 2013, tells TechWeekEurope. “No sensationalist headlines please.”

The company has been one of the bigger voices this week, turning heads with a live takedown of thousands of nodes of the Kelihos botnet, at one point having to do so using a laptop tethered to a 4G phone. The botnet is still active, and will be until more concerted action is taken against it, but CrowdStrike at least showed what it could do.

It has drawn plenty of controversy in its brief life, however. Hence Kurtz’s headline advice. Its big sell is “offensive security”. It is looking at all possible legal methods of getting stolen information back from hackers, or deleting it so the information cannot be used.

Why? Because the defensive model has failed. Massive companies like Facebook and Google have been compromised, trade secrets of major corporations pilfered, governments breached, but there has been little in the way of fighting back. It is time for a turning of the tide, says CrowdStrike.

CrowdStrike officially launched

And this week, a year after CrowdStrike was unveiled, the company went into full commercial mode, launching its Falcon platform. It’s designed to use Big Data to carry out a number of “active defense” operations, including “real-time detection of adversary activities, attribution of the threat actors, flexibility of response actions, and intelligence dissemination”.

“It’s all cloud-based, taking information from sensors, which we designed. In real-time it can identify targeted attacks and take an action,” Kurtz says.

The “action” is what has sparked intrigue around CrowdStrike. Everyone wants to know how far it is willing to go to stop attackers using stolen data. But even the company doesn’t know. That’s why it is betting on former top FBI lawyer Steven Chabinsky to look into where the solid ground lies. And following the launch of the Falcon platform, CrowdStrike will be testing the water on how far offensive security can go.

“It’s an emerging science… if Comment Crew [a Chinese hacking group alleged to have links with China’s government] got our data, what can we do about it? Can we go and get it? Can we delete it? Encrypt it? There isn’t a good answer for that,” Kurtz adds.

Earlier, Chabinsky outlined various ways in which it would be legally justifiable to get information back from attackers. One of the biggest challenges facing CrowdStrike is dealing with different legal frameworks, not just internationally, but also where, like in the US, local laws don’t match up with federal laws. “The law is never settled,” Chabinsky says.

Ambiguity of law is the other main challenge. In the US, federal law will not punish those who break into systems and don’t do anything. Then there is a real gray area about what subsequent damage is caused. If there is no intent to cause damage, then the accused is more likely to escape punishment, Chabinsky says.

But it is around necessity of an attack that is the key question in the cyber world right now, he claims. If the action can be proven to be necessary and proportionate, going into hackers’ servers to take back data could be allowed, even though it’s illegal.

Chabinsky gives the example of a terrorist attack on a plane. Most would tackle that terrorist to the ground if they were heading for the cockpit, he says, before handing them over to the FBI upon landing, rather than carrying out their own version of justice. The question is, how do you equate that to the cyber world? That’s what CrowdStrike are trying to answer.

It is sternly against revenge. “There is no room for vigilantism. It is stability, you are stabilising the situation,” he says. That’s in the no-go, “red zone”, according to CrowdStrike. It is now exploring those legally dubious grounds in the yellow area.

How does it define the green zone? “Taking actions that interact with the adversary inside and outside of your network – with proper consent, without causing harm, and without escalating the problem.” CrowdStrike likes dealing in ambiguity too, it seems.

RSA: Can’t rule out offensive approach

Some have suggested CrowdStrike is “nuts”. Yet other larger firms are at least interested in the idea, RSA being one of them. Whilst the company isn’t openly working on any products, the firm’s CISO Eddie Schwartz (pictured) tells TechWeekEurope there have been internal discussions about offensive security.

“We haven’t ruled out the idea of offensive approaches… if it became the right sort of approach, I don’t know why we wouldn’t support it,” he says. “Right now, we couldn’t condone anything officially because it is too undefined at this point.”

When companies do start to strike back on a greater scale, thanks to vendors like CrowdStrike testing the water on behalf of others, things are going to get murky in the legal sense. Prior to CrowdStrike’s presentation, RSA conference held a charming yet fascinating mock trial, in which a retail company was hacked.

A competitor’s machines had been used to compromise that company, but a group called the Enraged Dilletantes Opposed to Ruthless Employees (EDDORE) was to blame. Not knowing this, the retail firm hacked into its competitor’s machines to shut down the C&C server run by EDDORE, resulting in a crash of the competitor’s vital systems and the loss of $200 million. The retail firm claimed its competitor’s systems were not protected effectively enough, and that it didn’t respond to cries for help, so the company was within its rights to strike back. They sued each other.

The question of who was to blame for the damage was a sticky one. Is it fair that a compromised company is taken to court because of illicit activity that it was unaware of on its network? How should businesses respond when they are being attacked, causing them to lose substantial sums of money, and have no other alternative but to strike back?

Regardless of the complexities, offensive security, and maybe some more aggressive hacking back, is coming. However it happens, both the suppliers and the lawyers involved are going to make bucket loads of money once we’ve crossed the Rubicon.

As Kurtz says, “always consult your lawyer”.

Are you a security expert? Try our quiz!