The FBI’s former cyber security chief was in London last week, looking for UK recruits. He wasn’t hunting for fresh law enforcement personnel, however. He was looking to get British businesses involved in the fight against cyber criminals.
That’s because that man, Shawn Henry, is president at CrowdStrike, one of the more controversial security companies to have hit town in recent times. Its premise is refreshing: it is time to take the fight to cyber criminals. It wants businesses to defend their networks by turning the tables on hackers. There have been suggestions, which the company has not denied, CrowdStrike will even hack back. It’s this offensive approach, however, that has led to claims the one-year-old firm is “nuts”.
CrowdStrike wants to first snare hackers by laying traps, consisting of attractive data, which is tagged so it can be tracked. When hackers fall for the trap, CrowdStrike watches what they do upon exfiltration and what happens afterwards. That way, the firm can acquire plenty of data on the attackers in order to stop them, and other potential enemies, from coming back.
It calls this “denial and deception”, and promises to “identify the adversary and find out what they are after”. It’s also what the US government has been doing for years, notes Henry, who met TechWeekEurope on a visit to talk about critical infrastructure security at the Oil and Gas Cyber Security conference in London.
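The mechanics of the tagged-decoy approach described above, as an added illustration and not code from CrowdStrike or its product: decoy files or records are stamped with a tag that carries an HMAC, so the detector can both recognise a tag in outbound traffic and reject forged or guessed ones, and a registry maps each sighting back to what was planted and where, which is what “find out what they are after” amounts to in practice. The tag format, the secret, the decoy plan and the proxy/DLP log lines are all constructed for this example.

```python
"""Honeytoken ("tagged decoy data") workflow: plant traceable decoys, then
watch outbound-traffic logs for the tags to learn which decoy an intruder took
and where it went. Constructed example, not CrowdStrike's code."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Tag format embedded in every decoy: HT-<8 hex decoy ident>-<16 hex HMAC tag>
TOKEN_RE = re.compile(r"HT-([0-9a-f]{8})-([0-9a-f]{16})")
# Destination field in the constructed proxy/DLP log format used below.
HOST_RE = re.compile(r"\bdst=([A-Za-z0-9.\-:]+)")
# Per-deployment secret; assumed to come from a secrets store in a real setup.
SECRET = b"constructed-demo-secret-do-not-reuse"


def make_token(secret: bytes, decoy_id: str) -> str:
    """Build a tag whose HMAC half lets the detector discard forged tags."""
    ident = hashlib.sha256(decoy_id.encode()).hexdigest()[:8]
    tag = hmac.new(secret, ident.encode(), hashlib.sha256).hexdigest()[:16]
    return f"HT-{ident}-{tag}"


def token_is_genuine(secret: bytes, ident: str, tag: str) -> bool:
    """Constant-time check that a tag seen in a log was minted with our secret."""
    expected = hmac.new(secret, ident.encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(expected, tag)


@dataclass(frozen=True)
class Decoy:
    decoy_id: str    # what the bait pretends to be
    planted_at: str  # where it was left (file share, mailbox, database table)
    token: str


@dataclass(frozen=True)
class Sighting:
    decoy_id: str
    planted_at: str
    destination: str
    line: str


def plant_decoys(secret: bytes, plan: dict) -> dict:
    """Return decoys keyed by ident so a detection maps back to one plant."""
    registry = {}
    for decoy_id, location in plan.items():
        token = make_token(secret, decoy_id)
        ident = TOKEN_RE.fullmatch(token).group(1)
        registry[ident] = Decoy(decoy_id, location, token)
    return registry


def render_decoy_record(decoy: Decoy) -> str:
    """Constructed bait: a CSV line shaped like a customer record, carrying the tag."""
    return f"cust-{decoy.token},Example Plc,AB12 3CD,{decoy.token}"


def detect_exfiltration(secret: bytes, registry: dict, log_lines) -> list:
    """Scan outbound logs for tags; unknown or forged tags are not evidence."""
    sightings = []
    for line in log_lines:
        for match in TOKEN_RE.finditer(line):
            ident, tag = match.groups()
            if ident not in registry or not token_is_genuine(secret, ident, tag):
                continue  # forged, stale or unrelated tag: do not alert on it
            decoy = registry[ident]
            host = HOST_RE.search(line)
            destination = host.group(1) if host else "unknown"
            sightings.append(Sighting(decoy.decoy_id, decoy.planted_at, destination, line))
    return sightings


# Constructed decoy plan: the "attractive data" the article describes.
PLAN = {
    "q3-merger-model.xlsx": r"\\fileshare\finance\projects",
    "vpn-credentials.txt": "it-admin mailbox",
}


def demo() -> list:
    """Plant the decoys, then run the detector over constructed log lines."""
    registry = plant_decoys(SECRET, PLAN)
    merger = next(d for d in registry.values() if d.decoy_id == "q3-merger-model.xlsx")
    # A forged tag: right ident, last hex digit of the HMAC altered.
    last = merger.token[-1]
    forged = merger.token[:-1] + ("0" if last != "0" else "1")
    logs = [  # constructed proxy/DLP lines, not real traffic
        f"2012-11-20T02:14:07Z proxy dst=203.0.113.45:443 POST /upload bytes=482113 body~{merger.token}",
        f"2012-11-20T02:15:11Z dlp dst=mail.example.net attachment=notes.txt match={forged}",
        "2012-11-20T02:16:00Z proxy dst=cdn.example.org GET /jquery.js bytes=91234",
    ]
    return detect_exfiltration(SECRET, registry, logs)


if __name__ == "__main__":
    for s in demo():
        print(f"decoy {s.decoy_id!r} planted at {s.planted_at} seen leaving to {s.destination}")
```

Only the genuine tag produces a sighting; the forged one is dropped, which matters because a tag that anyone could mint would let an attacker flood the detector with false alarms or implicate a third party. Whatever a team does with a sighting afterwards (blocking the destination, notifying the provider) is a separate decision; the detector only tells you what was taken and where it went.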
This service makes sense. In a world where protracted targeted attacks are a growing problem, many companies remain unaware malicious actors are resident on their networks, and the defensive, reactionary security models of old are a dying breed.
John Yeo, director of Trustwave SpiderLabs, says he knows of a case where a European payment service provider was compromised for 18 months. In that time, they terminated legitimate instances of payment-processing software and restarted the software with a trojanised-debugger attached to snaffle up payment card data from system memory. Hundreds of thousands of payment records were put at risk.
If that company had caught the crooks earlier, the ultimate damage would have been significantly reduced. In such cases as these, CrowdStrike’s Enterprise Adversary Assessment can help, not just locating enemies on the network, but following them and then preventing them from returning.
“We believe there needs to be a paradigm shift in the ways companies protect their data. We have been vulnerability focused, but we need to focus on the adversary,” Henry says. Or as the company’s motto goes, “you don’t have a malware problem, you have an adversary problem”.
But of the company’s currently small stack of offerings, one is even more intriguing than this “seed” concept. CrowdStrike says that it will “disrupt” attackers’ infrastructure. There is little information on what offensive operations CrowdStrike offers. Its website says its “Strike” strategies “limit the number and severity of future attacks”. “We help your enterprise go on the offensive against today’s most advanced adversaries,” it promises.
When quizzed about this, Henry keeps up the opaque vernacular, but does give TechWeekEurope some inkling as to what the firm actually does. “There are certain actions we can take to impact identified adversary infrastructure, such as coordination with service providers, using civil processes to close them, etc., as well as some of our technology. Yes, we use intelligence and analysis of existing exploits, malware in the course of all of our programs.”
But he won’t offer a simple yes or no on whether the company will hack into adversary infrastructure. “I won’t say… other than to say we won’t break the law.”
Yet earlier this year, CrowdStrike co-founder and CTO Dmitri Alperovitch appeared to offer justification for fighting fire with fire, in this telling analogy from the corporeal world: “If I tackle you on the street, that’s assault and battery. But if a few minutes prior you had taken my wallet, it’s completely legal, I’m defending my property rights.” But he also noted the company has not gone that far in the virtual arena to date.
Unsurprisingly, this bellicose approach to security has led to legal concerns. If CrowdStrike were to break into systems it believed belonged to cyber crooks, it would certainly risk feeling the long arm of the law fingering its collar.
Ross Anderson, professor of security engineering at the University of Cambridge’s Computer Laboratory, says CrowdStrike is crazy if it thinks it can do this in the UK. “They’re nuts. If they do that here, it’s an offence under the Computer Misuse Act,” he tells TechWeekEurope. “In fact, if they attack computers in the UK from their base in Irvine, it’s still a CMA offence, and they could be extradited. The law is as it is, not as they think it should be.”
But Henry is adamant the company won’t be breaking any laws. He shrugs off CrowdStrike’s critics, labelling them histrionic attention seekers. “There’s always pundits who have a stage and are interested in some controversy… they’re trying to be provocative.”
To protect itself in any future legal tussles, CrowdStrike has one of the top lawyers in the business, according to Henry. Indeed, Steven Chabinsky is an FBI legal specialist, brought in this September to be the company’s number one lawyer.
Chabinsky has some interesting views too, recently claiming that hacked businesses could have legal protection if they discover their data on crooks’ systems and delete or encrypt it. That again could indicate CrowdStrike is serious about fighting fire with fire, and believes it has the law on its side.
To bolster its Strike division, the company has certainly brought in the right people. Last month, the company brought retired Air Force colonel Mike Convertino on board to run offensive operations. Convertino was commander of the US Air Force’s 318th Information Operations Group, known as the army’s “premier information warfare group.” He was also a senior security researcher at Microsoft.
George Kurtz, another co-founder and CEO, is the former chief technology officer of McAfee. Alperovitch is McAfee’s former lead threat researcher too.
The firm is now looking to bring out its first technology on top of the services it already offers. It will be out in the first quarter of 2013 and “has to do with Big Data and the ways data is analysed and shared”, Henry says, reluctant to reveal more.
On a more ideological, political level, Henry thinks businesses can and should take more responsibility for responding to attacks, even if they emanate from a nation state. The company says it already counts a Fortune 500 company, which was attacked by a nation state and had “critical” intellectual property pilfered, as a customer.
“Companies have been very willing to let the government handle response,” he adds. “Companies are really beginning to understand [the threats affecting them] are not being addressed by governments. Businesses have to play a more substantial role in protecting their data.
“They don’t want to just sit and block attacks.”
UK too scared?
Is that true of UK firms though? How aggressive do businesses on these shores really want to get? The honeytrap concept is likely to gain at least a modest amount of interest, largely because it doesn’t pose any legal risk, but also because it is something refreshing, something other than firewalls and anti-virus. CrowdStrike is also different from more advanced, Big Data-led systems, which are still based on a defensive mindset, or look to predict attacks rather than tracking the actual hackers.
“I think the idea of some form of honeypot trap is excellent and if what they are proposing is a way of making that available to those who would not necessarily have the wherewithal to mount such an exercise then it should make a good business.”
But risk-averse UK firms will take some convincing on more offensive operations. Many simply don’t want to talk about aggressive tactics. One IT director at a top Formula One team said he did not want to offer his opinion on CrowdStrike, “in the current climate”.
Another IT security chief at a prominent UK public sector organisation did not want to be named either, but had this to say: “Computer misuse is computer misuse whether it is done for theft, notoriety, disruption, revenge or profit. In this light, two wrongs do not make a right.”
Woodward pointed to other risks of the CrowdStrike approach. “What happens if you get the wrong group? What happens if you suspect some other firm (a competitor, for example) of intending to attack you, and you act on that erroneously? Haven’t you just become as bad as the would-be attackers?
“Whilst governments can talk about offensive cyber security, I’m not sure commerce can as there is a real danger that it could cross over into vigilantism.”
There is also the question of retaliation from hackers themselves. HBGary was torn to shreds by Anonymous when it claimed it could name members of the hacktivist collective. CrowdStrike will need to be on guard too.
There’s no doubting CrowdStrike is a breath of fresh air in an industry focused on the negative side of security. But for UK firms, CrowdStrike may also be too hot to handle.