Hackers use corporate attacks as staging grounds for other cyber assaults

Fighting a corporate cyber intrusion is fraught with legal, insurance considerations, panelists at RSA Conference say

Attackers have invaded corporate networks both to steal sensitive data and to use those networks as staging grounds to attack other corporate networks -- and IT managers detecting these invaders may find yet another surprise: law enforcement lurking in their networks, monitoring it all as part of a cyber-sting.

"There may be law enforcement watching it," said Charles Shugg, a retired Air Force brigadier general who once headed the U.S. Air Force Cyber Command. Shugg spoke yesterday on a panel at the RSA Conference on the topic of how far IT managers can go to "hackback" against network attackers they happen to detect. But you might be stepping into something bigger than you know, because "an undercover agent may witness crimes taking place and not stop them in hopes of getting them," said Shugg.

It's just another wrinkle in the world of cybercrime that's invaded corporate networks, whether it be suspected Chinese spies stealing important intellectual property, remotely controlled botnets and cybercrooks from everywhere making off with what they can, or hacktivists out to score political points. Increasingly, IT managers want to strike back through electronic means against these invaders when their detection systems spot them. But can they counter-strike? U.S. law doesn't suggest that retaliation is much of an option, the panelists at the RSA Conference said.

For one thing, any counterstrike against what might be thought to be the lair of the attacker may in reality hit what is simply another corporate network that's been compromised. An IT manager who wants to take steps to definitively stop certain actions is proceeding into an area that's immediately dominated by legal and insurance considerations.

It would be a better world if IT managers could reach out across corporate boundaries and one could tell another about what's perceived to be an attack based on malware coming from the other's network and quickly snuff it out. But that appears to be a rarity today, where warnings from outsiders contacting companies are often ignored. Instead, it's the company lawyers that will be needed to try and resolve serious problems that seem to emanate from other corporate networks.

Serge Jorgensen, CTO at Sylint Group, the Sarasota, Fla., firm that provides incident response and remediation services, pointed out that one legal option would be seeking a temporary restraining order (TRO) from a judge against what is seen as the offending entity where the cyber-attack appears to originate.

"But what does that really allow you to do? Does that mean you have a legal right to go to their server to find the malware? No," said Jorgensen. So after the TRO is issued by a judge, there's still no solution to the problem. It's just the legal train leaving the station, and what might ensue are negotiations intended to really solve the problem. But these could be fraught with worries over litigation and insurance concerns in today's world. That's when the meter starts ticking in terms of time and money. Issues of liability will surface, and the two parties could end up going after each other while the attacker makes off.

Attorney Jon Stanley, who also spoke on the panel at RSA, says any company that believes it is under cyberattack faces another consideration: the company may need to notify its insurance carrier. Then there may be a decision to call law enforcement or not.

The sad and ironic aspect of a company that's a "legal entity" being used as a proxy for an attacker is that a legal discussion will ensue between what are basically two victimized companies now wary of each other. And it's happening in a legal environment where there's "almost no guidance in case law," said Stanley. "You'll quickly find yourself in no man's land." Concepts of aggression and disorder simply haven't been clearly defined, he said.

Shugg noted that in the midst of such a cybercrime episode, there may also be the presence of law enforcement trying to quietly monitor what's going on, especially when the stakes are high. "Law enforcement may be putting a case together," he said, and you may be stepping into something bigger than you think.

Shugg said he thinks that the courts in this country are split on how far anyone can go to push back against an attacker. However, Eric Hibbard, CTO for security and privacy at Hitachi Data Systems, who also spoke on the panel, said he considers attackback to be "very dangerous" as a path to go down. It raises the question, "what's an adequate defense before you move to counter?" and other questions, such as why you were compromised to begin with and whether you have not patched your systems in a long time.

But it's all pretty murky. When asked what the law of trespassing we have today for the physical world might mean in cyberspace in terms of repelling an attacker or striking back, Stanley said anyone who wants to do it and defend that practice will probably end up as the test case for the rest of us. "I'd advise not to strikeback. Somehow we have to stop this in the inside."

Ellen Messmer is a senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.

Copyright © 2013 IDG Communications, Inc.