More companies adopt active defense to thwart hackers

Published 14 November 2014

Some U.S. companies are beginning to counter-hack cybercriminals by using intelligence shared within industry circles. Federal officials have not openly endorsed active defense, but measures like tricking hackers into stealing fake sensitive data, then tracking its movements through the Web, are gaining support. Some firms have gone as far as hacking alleged criminals’ servers. “The government is giving ground silently and bit by bit on this [active defense] by being more open,” said former National Security Agency general counsel Stewart Baker. “I have a strong sense from everything I’ve heard . . . that they’re much more willing to help companies that want to do this.”

A growing number of cyberattacks on U.S. companies now come in the form of spear phishing: an e-mail that appears to be from a familiar individual or business but is instead from cybercriminals who seek employees’ credentials to access classified documents and accounts. The 2013 cyberattack on Target, which exposed credit cards of more than 110 million customers, began with a spear phishing e-mail sent to employees at Fazio Mechanical, a heating, air conditioning, and refrigeration firm in Sharpsburg, Pennsylvania, often contracted by Target. As a Target contractor, Fazio had online access to an external billing system called Ariba, as well as a Target project management and contract submissions portal called Partners Online. Target has not released official details on how hackers might have used Fazio to infiltrate its systems, but cybersecurity experts say the scenario is all too common.

Last month, data firm Recorded Future released a report claiming that between January and October 2014, 44 percent of Fortune 500 companies had employee credentials exposed, including 51 percent of top financial firms, 62 percent of technology firms, and 49 percent of public utilities. A significant portion of stolen credentials are obtained via spear phishing, and once employee credentials are stolen, any other online service where the same credentials are reused becomes vulnerable as well. “The presence of these credentials on the open web leaves these Fortune 500 companies vulnerable to corporate espionage, socially engineered cyberattacks and tailored spear-phishing attacks,” the report said.

To make matters worse, an increasing number of sophisticated attacks aimed at large U.S. corporations are initiated by state-sponsored hackers. “This is something that must be addressed because our competitiveness as a country is diminishing,” said Dmitri Alperovitch, chief technology officer of Crowdstrike, a security research firm. Earlier this year, JPMorgan Chase acknowledged that hackers with ties to Russia were responsible for the attack that exposed eighty-three million customers’ accounts. The Justice Department rang the alarm on state-sponsored cyberattacks when it indicted five members of the Chinese military for stealing data from U.S. companies: Westinghouse Electric, U.S. subsidiaries of SolarWorld AG, U.S. Steel, Allegheny Technologies, and Alcoa. “This is a case alleging economic espionage by members of the Chinese military and represents the first-ever charges against a state actor for this type of hacking,” Attorney General Eric Holder said.

Some U.S. companies are beginning to counter-hack cybercriminals by using intelligence shared within industry circles. “Active defense” comes at a time when many feel federal laws are limited in deterring overseas hackers. “Active defense is happening. It’s not mainstream. It’s very selective,” said Tom Kellermann, chief cybersecurity officer for Trend Micro and a former member of President Barack Obama’s commission on cybersecurity.

NBC News reports that federal officials have not openly endorsed active defense, but measures like tricking hackers into stealing fake sensitive data, then tracking its movements through the Web, are gaining support. “The government is giving ground silently and bit by bit on this by being more open,” said former National Security Agency general counsel Stewart Baker, now a partner at Steptoe & Johnson. “I have a strong sense from everything I’ve heard. . . that they’re much more willing to help companies that want to do this,” Baker said.

Some firms have gone as far as hacking alleged criminals’ servers, but White House cybersecurity coordinator Michael Daniel warns that “Attribution is very difficult to do.” “The bad guys don’t tend to use things labeled ‘bad guy server.’ They tend to corrupt and use innocent third-party infrastructure. So we have always said you need to be really cautious about taking activities that are ‘hacking back’ or even what some people try to call ‘active defense.’”