The FBI’s former cyber security chief was in London last week, looking for UK recruits. He wasn’t hunting for fresh law enforcement personnel, however. He was looking to get British businesses involved in the fight against cyber criminals.
That’s because that man, Shawn Henry, is president at CrowdStrike, one of the more controversial security companies to have hit town in recent times. Its premise is refreshing: it is time to take the fight to cyber criminals. It wants businesses to defend their networks by turning the tables on hackers. There have been suggestions, which the company has not denied, CrowdStrike will even hack back. It’s this offensive approach, however, that has led to claims the one-year-old firm is “nuts”.
CrowdStrike wants to first snare hackers by laying traps, consisting of attractive data, which is tagged so it can be tracked. When hackers fall for the trap, CrowdStrike watches what they do upon exfiltration and what happens afterwards. That way, the firm can acquire plenty of data on the attackers in order to stop them, and other potential enemies, from coming back.
It calls this “denial and deception”, and promises to “identify the adversary and find out what they are after”. It’s also what the US government has been doing for years, notes Henry, who met TechWeekEurope on a visit to talk about critical infrastructure security at the Oil and Gas Cyber Security conference in London.
This service makes sense. In a world where protracted targeted attacks are a growing problem, many companies remain unaware malicious actors are resident on their networks, and the defensive, reactionary security models of old are a dying breed.
John Yeo, director of Trustwave SpiderLabs, says he knows of a case where a European payment service provider was compromised for 18 months. In that time, the attackers terminated legitimate instances of payment-processing software and restarted the software with a trojanised debugger attached to snaffle up payment card data from system memory. Hundreds of thousands of payment records were put at risk.
If that company had caught the crooks earlier, the ultimate damage would have been significantly reduced. In such cases as these, CrowdStrike’s Enterprise Adversary Assessment can help, not just locating enemies on the network, but following them and then preventing them from returning.
“We believe there needs to be a paradigm shift in the ways companies protect their data. We have been vulnerability focused, but we need to focus on the adversary,” Henry says. Or as the company’s motto goes, “you don’t have a malware problem, you have an adversary problem”.
But of the company’s currently small stack of offerings, one is even more intriguing than this “seed” concept. CrowdStrike says that it will “disrupt” attackers’ infrastructure. There is little information on what offensive operations CrowdStrike offers. Its website says its “Strike” strategies “limit the number and severity of future attacks”. “We help your enterprise go on the offensive against today’s most advanced adversaries,” it promises.
When quizzed about this, Henry keeps up the opaque vernacular, but does give TechWeekEurope some inkling as to what the firm actually does. “There are certain actions we can take to impact identified adversary infrastructure, such as coordination with service providers, using civil processes to close them, etc., as well as some of our technology. Yes, we use intelligence and analysis of existing exploits, malware in the course of all of our programs.”
But he won’t offer a simple yes or no on whether the company will hack into adversary infrastructure. “I won’t say… other than to say we won’t break the law.”
Yet earlier this year, CrowdStrike co-founder and CTO Dmitri Alperovitch appeared to offer justification for fighting fire with fire, in this telling analogy from the corporeal world: “If I tackle you on the street, that’s assault and battery. But if a few minutes prior you had taken my wallet, it’s completely legal, I’m defending my property rights.” But he also noted the company has not gone that far in the virtual arena to date.
Unsurprisingly, this bellicose approach to security has led to legal concerns. If CrowdStrike were to break into systems it believed belonged to cyber crooks, it would certainly risk feeling the long arm of the law fingering its collar.
Ross Anderson, professor of security engineering at the University of Cambridge’s Computer Laboratory, says CrowdStrike is crazy if it thinks it can do this in the UK. “They’re nuts. If they do that here, it’s an offence under the Computer Misuse Act,” he tells TechWeekEurope. “In fact, if they attack computers in the UK from their base in Irvine, it’s still a CMA offence, and they could be extradited. The law is as it is, not as they think it should be.”
But Henry is adamant the company won’t be breaking any laws. He shrugs off CrowdStrike’s critics, labelling them histrionic attention seekers. “There’s always pundits who have a stage and are interested in some controversy… they’re trying to be provocative.”
To protect itself in any future legal tussles, CrowdStrike has one of the top lawyers in the business, according to Henry. Indeed, Steven Chabinsky is an FBI legal specialist, brought in this September to be the company’s number one lawyer.
Chabinsky has some interesting views too, recently claiming that hacked businesses could have legal protection if they discover their data on crooks’ systems and delete or encrypt it. That again could indicate CrowdStrike is serious about fighting fire with fire, and believes it has the law on its side.
To bolster its Strike division, the company has certainly brought in the right people. Last month, the company brought retired Air Force colonel Mike Convertino on board to run offensive operations. Convertino was commander of the US Air Force’s 318th Information Operations Group, known as the army’s “premier information warfare group.” He was also a senior security researcher at Microsoft.
George Kurtz, another co-founder and CEO, is the former chief technology officer of McAfee. Alperovitch is McAfee’s former lead threat researcher too.
The firm is now looking to bring out its first technology on top of the services it already offers. It will be out in the first quarter of 2013 and “has to do with Big Data and the ways data is analysed and shared”, Henry says, reluctant to reveal more.
On a more ideological, political level, Henry thinks businesses can and should take more responsibility for responding to attacks, even if they emanate from a nation state. The company says it already counts a Fortune 500 company, which was attacked by a nation state and had “critical” intellectual property pilfered, as a customer.
“Companies have been very willing to let the government handle response,” he adds. “Companies are really beginning to understand [the threats affecting them] are not being addressed by governments. Businesses have to play a more substantial role in protecting their data.
“They don’t want to just sit and block attacks.”
UK too scared?
Is that true of UK firms though? How aggressive do businesses on these shores really want to get? The honeytrap concept is likely to gain at least a modest amount of interest, largely because it doesn’t pose any legal risk, but also because it is something refreshing, something other than firewalls and anti-virus. CrowdStrike is also different from more advanced, Big Data-led systems, which are still based on a defensive mindset, or look to predict attacks rather than tracking the actual hackers.
“I think the idea of some form of honeypot trap is excellent and if what they are proposing is a way of making that available to those who would not necessarily have the wherewithal to mount such an exercise then it should make a good business.”
But risk-averse UK firms will take some convincing on more offensive operations. Many simply don’t want to talk about aggressive tactics. One IT director at a top Formula One team said he did not want to offer his opinion on CrowdStrike, “in the current climate”.
Another IT security chief at a prominent UK public sector organisation did not want to be named either, but had this to say: “Computer misuse is computer misuse whether it is done for theft, notoriety, disruption, revenge or profit. In this light, two wrongs do not make a right.”
Woodward pointed to other risks of the CrowdStrike approach. “What happens if you get the wrong group? What happens if you suspect some other firm (a competitor, for example) of intending to attack you, and you act on that erroneously? Haven’t you just become as bad as the would-be attackers?
“Whilst governments can talk about offensive cyber security, I’m not sure commerce can as there is a real danger that it could cross over into vigilantism.”
There is also the question of retaliation from hackers themselves. HBGary was torn to shreds by Anonymous when it claimed it could name members of the hacktivist collective. CrowdStrike will need to be on guard too.
There’s no doubting CrowdStrike is a breath of fresh air in an industry focused on the negative side of security. But for UK firms, CrowdStrike may also be too hot to handle.
If you thought that America’s Stop Online Piracy Act (SOPA) was a backward, draconian step for free speech and the development of global digital economies, the Republic of Belarus intends to go one better.
From 6 January 2012, a law will come into effect making it illegal for citizens of Belarus to visit or use foreign websites; anyone breaking the law will be found to have committed a misdemeanour, and fined up to $125 USD (to put this into perspective, the average monthly wage in Belarus is approximately $208, as of December 2011). Companies and individuals will be forbidden from accessing websites, using email or webmail services, payment and transaction services, and other online activities, unless they are provided through domestic domains on homeland servers.
The Belarusian Government has made clear that its legislation isn’t just a technicality that will exist on paper alone. If a friend uses your computer, or if a neighbour piggy-backs on your home network, to access a foreign website via your connection, you will be held accountable and liable to prosecution. Internet cafés that fail to properly limit access to foreign websites will be subject to fines; if owners of internet cafés find users accessing foreign sites, but fail to report those users to the authorities, their businesses will be subject to closure.
According to the United States Library of Congress, the Government of Belarus has authorised its national police force, secret police agencies and tax authorities “to initiate, investigate and prosecute” any violations by individuals and organisations both domestic and foreign. If an international company such as Amazon makes a sale to a Belarusian citizen, the Attorney General of Belarus reserves the right to hold the company in contempt of the State, and may choose to sue the company. For this reason, many observers believe that multinational websites will simply block access to Belarus entirely, in order to avoid any such hassle or litigation, effectively shutting off Belarus from the digital world.
Speaking with the Computer Business Review, the Belarusian Embassy in London stated that the new legislation aims “to protect the rights of Belarusian citizens… to improve the quality of internet services and make them cheaper, and to encourage further growth of the national segment of the internet network.”
There’s nothing quite like protecting someone’s rights by taking their rights away. But perhaps it was inevitable in a country that constitutionally forbids censorship, but at the same time punishes citizens with up to five years in prison for insulting its President, or up to two years in jail for speaking badly of Belarus abroad.