Kip Boyle: Welcome to the Cyber Risk Management podcast. Our mission is to help executives become better cyber risk managers. We are your hosts. I'm Kip Boyle, CEO of Cyber Risk Opportunities.

Jake Bernstein: I'm Jake Bernstein, cyber security counsel at the law firm of Newman DuWors.

Kip Boyle: This is the show where we help you become a better cyber risk manager.

Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman DuWors, LLP. If you have questions about your cyber security related legal responsibilities.

Kip Boyle: And if you want to manage your cyber risks, just as thoughtfully as you manage risks in other areas of your business such as sales, accounts receivable, and order fulfillment, then you should become a member of our cyber risk managed program. Which you can do for a fraction of the cost of hiring a single cyber security expert.you can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com.

Jake Bernstein: So Kip, what are we going to talk about today?

Kip Boyle: Jake, today we're going to talk about active defense.

Jake Bernstein: Well, I guess the first question then is what is active defense?

Kip Boyle: Right. Most people probably have not heard of active defense, but it's an up and coming strategy. The hope is that it's going to add new tools for cyber risk management.

Jake Bernstein: What kind of tools? Can you give some examples?

Kip Boyle: Absolutely. It turns out there's a whole range of activities inside of this idea of active defense. Everything from somewhat more passive things like inserting beacons inside digital data in case they're stolen all the way to conducting rescue missions to recover stolen data. So if you've got a beacon in your data, and it's letting you know what IP address your data is sitting on, then you could go out and you could get it back.

Jake Bernstein: Oh that sounds a lot like hacking back.

Kip Boyle: You know, it's often confused for the idea of hacking back, but if you want a way to think about it, hacking back is probably more like conducting a destructive activity, right? So if somebody's attacking me, the idea is that I could just knock their server offline and stop the attack, or I could even go so far as to break into their server and to leak their files so that the machine can't even be booted up anymore. But you know, that's hacking back.

Kip Boyle: Active defense is actually somewhere just short of a destructive activity, and where it fits into the continuum is if you think about hacking back as one extreme, and then on the other extreme if you think about what we've been doing traditionally. Setting up firewalls, patching software, being more passive in our defense, well now what we're saying is there's a whole middle ground between those two extremes where we're not going to be destructive, but we're not just going to sit around and wait for people to come and get us.

Jake Bernstein: Okay. So, why would we want to do active defense?

Kip Boyle: Well, so anybody who's in the game right now knows that the passive defense strategies just aren't working as well as they used to. The ideas of perimeter defenses. Thinking of my network as a castle, and if I could just build nice, thick, tall walls with single points of control where people can only come in and go out through one, or two, or maybe three very tightly managed egress points. That's just not working anymore. There's two reasons why that's not working so well anymore. The first reason is because we've got online criminals, and foreign countries out there that are really stepping up their game in terms of attacking us. So, what's that all about? Well criminals are pretty easy to understand.

Kip Boyle: They want money. You think about ransomware and it makes sense. Okay, yeah. Ransomware, take my files. Charge me money to get my files back, but it's so much bigger than that. I think of it as Al Capone, instead of holding a machine gun and running around town terrorizing people, now he's holding the internet in his hands and he's running around the globe stealing billions of dollars from individuals, businesses of all sizes, including banks, hospitals, county governments. I mean really nobody is safe from these online criminals. So that's one dimension here about how things are getting more difficult for our passive defenses. The other thing that's going on in terms of increased threats is foreign governments see the internet as a new battleground. Even the United States sees the internet as a battleground.

Kip Boyle: You know, it reminds me when I was in the Air Force, just going into the Air Force, we studied the rise of air power in the early 1900's, and how that absolutely transformed the way wars were fought. We're going through a similar revolution now where cyber space is becoming a battleground, and it's changing the way that countries fight each other. So, these countries are spending a lot of money learning how to dominate it, and we can see this actually today. Russia's been attacking the Ukraine, and two particular attacks that I think are pretty well covered in the main stream press. In December of 2015, they caused a major blackout. Just using cyber weapons they turned off the power in vast swaths of that country and left people in the dark and freezing.

Kip Boyle: In June of 2017, they released a worm called NotPetya, and that worm is so virulent that it ran, not only throughout the Ukrainian economy, but all over Europe and caused well over a billion dollars of damages. Then you also have these interesting hybrids, like North Korea. So North Korea is a government that's trying to establish some dominance in cyber space for military purposes, but it also turns out that because they're under such economic sanctions, such severe sanctions, they're hacking for money as well. So interesting hybrid there. Anyway, so what does this all boil up to? Passive defenses aren't working as well as they used to because the threat's just so severe.

Jake Bernstein: Okay. I guess one of the questions that I think this raises is, is it that passive defenses aren't working because they just don't work, or is it they're not working because people aren't using them properly? In other words, is this a situation that we're seeing where passive defenses have been used, executed to near perfection, and they just don't work, or is it that passive defenses just aren't used properly?

Kip Boyle: I think it's arguable that it could be a little bit of both. I've certainly seen it that passive defenses such as filtering email, filtering inbound network traffic, properly configuring access controls. I mean, that stuff's kind of difficult to get right all the time, every time, everywhere. So, there's always this issue of are my controls fully installed, and are they working fully effectively? To the extent that they don't, I mean a defender has to be right in terms of being attacked, right? If you think about their entire attack surface, a defender has to be right all the time, every time? An attacker only has to be right one time, and then it kind of seems like you're living in a house of cards as far as being a defender goes, but that's not the only reason.

Kip Boyle: Actually, the other thing that's going on, Jake, is that the passive defenses just simply aren't working well against certain types of attacks, and Phishing is probably the best example of an attack that our technological defenses are actually really terrible at dealing with because the point of a phishing attack is to attack the emotions of the people who receive those messages.

Jake Bernstein: Maybe another way to think about this then is that it's not, when we're talking about passive versus active defense, we're not necessarily thinking in the same way as we do when we talk about legal, reasonable security. Because as we've talked about in the past, you know reasonable security is not perfect security, right? So maybe what we're saying here is that, maybe the argument in favor of active defense is that it's one thing to be reasonable under the law. So maybe I'm not going to be held liable or something, but what if I just really don't want to be attacked effectively? What if I don't really care, necessarily that, let me rephrase that. What if my legal liability is not anywhere near the top of my list of priorities in terms of not being attacked.

Jake Bernstein: For example, you know, if you run a hospital, whether or not you have reasonable cyber security in place, you simply cannot an attacker to turn off your life support machines.

Kip Boyle: Right.

Jake Bernstein: I mean, you just can't let that happen.

Kip Boyle: Or remote control your gamma knife.

Jake Bernstein: Yeah. So there's a lot of situations where I can see that the liability aspect is obviously important, but there are justifications and reasons that rise even above your liability. Life and death, for example.

Kip Boyle: Yeah, life safety.

Jake Bernstein: Where it's just not acceptable.

Kip Boyle: Right.

Jake Bernstein: At that point you're probably thinking about active defense is starting to look like a more important component. Really what we're looking at here is just expanding the toolbox. Is that a fair way of saying it?

Kip Boyle: You know, I think a lot of people look at it that way is we want some more choices between completely passive things and entirely offensive, destructive things. There's got to be something in the middle, right? Because another factor in play here is if you think about armed gun men robbing bank branches, or thugs knocking people over the head and stealing their wallets. I mean in the United States, we really don't see this sort of activity anymore, and a big reason for that is because the government has spent a lot of time trying to figure out how to protect citizens from these types of crimes. So we just don't see that stuff anymore. We can count pretty highly on the idea that when we go to work every day, we're not going to have our wallets stolen from us, or that our bank branches aren't going to get robbed.

Kip Boyle: But in contrast, all this cyber attacking, our government has really very little idea what to do to effectively stem the tide of these attacks. Both in terms of the military attacks that we're seeing, as well as the attempts to steal digital assets. Money and intellectual property, and so I think organizations are saying, "We need more tools because nobody's going to help us. We have to help ourselves somehow." Just having the binary, am I passive or am I destructive, that's just not enough.

Jake Bernstein: You know, I guess why aren't we seeing more organizations using active defense, or is it just too new? Is it new? What is this concept? I mean how old is this concept?

Kip Boyle: Yeah, so some parts of active defense are actually not that new. If you think about active defenses as a continuum of options, right, again running to a more passive kind of an activity on one side, versus a more aggressive activity on the other side. Well we've had things called honeypots for years. A honeypot is like a fake server, and you put fake assets, right? So fake documents, and things like that. Fake credentials. You put these things in a honeypot, and the idea is that when an attacker shows up, they're going to go for the honeypot first. Since you know that that server is never used for anything legitimate, if you get any alerts at all from that honeypot, well then you know you've got an intruder around because just the very nature of it.

Kip Boyle: So that's something that we've been doing for years. It's just a matter there of getting our technology to be more and more effective, so that it becomes difficult for attackers to know that they've actually stumbled on a honeypot. A really amateurish one, some of these nation states will see it for what it is very quickly and just go right by it without sounding the alarm. But some of the things that are more active, you know have higher impact, but also greater risk is like Botnet take downs. So if there's a Botnet that's attacking you, right? A collection of computers on the internet, and they were directing a denial of service attack against you, and you don't have denial of service attack protections, what choices do you have except to sit around and twiddle your thumbs, and wait for this attack to subside on its own.

Kip Boyle: Well, it would be really nice if you could find the source, you know like the controller of this Botnet, or maybe even the individual bots themselves, and start to take them out. Typically, the government has been doing things like that, or has been doing Botnet take downs by cooperating with private industry to do it. So that's another example of active defense, but in a more aggressive way. Then as I mentioned before, probably one of the most aggressive things that you can do in active defense is actually find out who stole your data, go to wherever it's being stored, and then actually retrieve it, or delete it, and in the process of doing that you could actually take down an innocent person's computer services. So, there's quite a bit of risk there.

Jake Bernstein: Yeah. For sure. I mean it sounds like there's legal questions then involved in using active defenses.

Kip Boyle: Yeah, that's right. So that's where we need an attorney. You know, what if I go and do some kind of a rescue mission on my data. Let's say that I find out that my data has been stored away on the computer system of a giant pharmaceutical company? So in other words, that the person who stole my data didn't store it on their own servers, but just stashed it on the server of a third party that's uninvolved. You know, am I legally allowed to do that?

Jake Bernstein: Well, I mean before I answer that question I think let's just say that, let's point out that that would not be an unusual or strange circumstance. You know, a Botnet in and of itself is someone using other people's computer resources to cause damage, right?

Kip Boyle: Right. Yup.

Jake Bernstein: If it was hypothetically possible to send a command back to computers that were attacking you, and physically cause them to blow their capacitors and explore, you would ultimately be causing damage. Not so much to the bad guy, but to all of the victims of the bad guy who just were in earlier stage in his attack.

Kip Boyle: Right.

Jake Bernstein: Similarly, if I'm going to do, if I'm going to engage in an industrial espionage attack, or some kind of exfiltration of data, it actually makes sense for me to compromise someone else's computers, gain control, and then ship everything I steal over to them. So in a lot of ways, the practical effect of this rescue mission concept is that you will end up violating the computer fraud and abuse act, and quite possibly state equivalence like Washington Cyber Crime Act. Because what's going to happen is ultimately you are going to end up accessing someone else's computer system without authorization.

Kip Boyle: Not the criminal's.

Jake Bernstein: And not the criminal's. Technically speaking, even if it was the criminals, there's no defense to unauthorized access because he did it to me first. I mean, the law could evolve in that direction. You certainly are unlikely to get sued by the victim if the victim is in fact the criminal, but if the victim isn't the criminal.

Kip Boyle: If the victim is this pharmaceutical company that I was imagining.

Jake Bernstein: If this hypothetical pharmaceutical company. We'll call it kind of like victim zero, then not only are you hacking someone else's computer whose not even a bad guy, but if you cause damage, you're going to be liable under civil actions, because the CFAA has a civil component which allows anyone whose hurt under it to file a lawsuit. So it's important to realize that it's not just the risk of criminal prosecution, it's also a defensive technique if you can capture the hacker.

Kip Boyle: Isn't that ironic, right?

Jake Bernstein: You can sue them for money.

Kip Boyle: So I get attacked. I use an active defense technique to either stop the hack, or to retrieve my stolen assets, and then I get charged with a crime.

Jake Bernstein: Or you get sued for damages. Yeah. I mean, and that's part of why this is not fully adopted. Obviously we are talking about a continuum. You know, rescue missions, white hat ransomware, anything where you're actually executing objectively malicious code, whether you're using if maliciously or not on someone else's computer. Really, the law doesn't care about malicious code. It really tends to care about access, and whether or not that access was authorized. So you can pretty much see that in all situations that are relevant, a rescue mission is practically going to, it must involve unauthorized access, right? So I don't see rescue missions seeing legally tenable at this time.

Kip Boyle: Unless somebody comes up with a really clever way to do a rescue mission without somehow violating the unauthorized access prohibition. I mean, I haven't seen anything yet, but technical people can be really clever in devising ways to get this done. In some ways I'm really looking forward to seeing what some people come up with as to how to do this.

Jake Bernstein: You know it's interesting too, I mean I think technical people can also get themselves in trouble by trying to be overly clever, and not understanding that the law is not a binary computer code that is just run on a machine and it always done the same thing. I've seen this frustration, particularly in kind of penetration test for clients of mine who they're so used to thinking in code, and computers, and things being black and white. One or zero. Binary. That when you hit the law, and you need to understand that if something smells like a duck, and talks like a duck, and walks like a duck, even if I can make an argument that is not a duck, a judge, or jury can still say, "It's close enough. It's a duck." That kind of imprecision literally can't happen on, at least current, modern computers, right?

Jake Bernstein: Software can be buggy, and things can happen that shouldn't happen, but ultimately isn't it said that the problem with computers is that they do exactly what you tell them to do.

Kip Boyle: Yeah.

Jake Bernstein: Right? The great thing about computers is they do exactly what you tell them to do. That's the same thing. So the way that access and authorization is defined is it can change with the times. It can be modified when something doesn't seem right, even if you might have gamed it. It can be very challenging. Now, having said that, I think that there's a lot of other choices in the active defense category. A Botnet take down you might think could be construed as doing something damaging, but in fact, most of the time a Botnet take down is a combination of intelligence gathering plus a lawsuit. You will see, for example, that Microsoft's cyber crime division has actually taken down some pretty big Botnet's in conjunction with law enforcement, and they do that without violating these laws.

Jake Bernstein: Beacons, denial and deception, sandboxes, honeypots, information sharing, any kind of intel gathering even if you go on to the dark web, deep web or dark net to do it, isn't ever really going to involve the CFAA.

Kip Boyle: Right, right.

Jake Bernstein: Coordinated sanctions, criminal indictments, trade remedies at the government level. These are all active defenses that are perfectly legal right now.

Kip Boyle: Yeah, and hunting through your own network to see if there's any intruders. I mean, that's no different than going down to your warehouse to see if somebody's hiding in there.

Jake Bernstein: Right. It's totally not. I think if you take active defense to, if you analogize to the physical world. Active defense as a concept, of course, originated in the military before the concept of cyber ever came up, right? So, an example would be imagine a private party thinking that it was justified in conducting a rescue mission with armed guys, with guns who go in and potentially kill other people, to rescue someone or something that was taken.

Kip Boyle: Yeah, like maybe their executive was taken hostage.

Jake Bernstein: Right. I mean even when the military does things like that, there's a relatively fine line between a military crime, and a valid mission. So, I think that the law right now recognizes your right to self defense in the moment. You know, a private party can deploy lethal force in defense of himself, others, and even in some cases, property. Although that gets kind of squishy, but if a burglar comes into my house and they take my TV. I have this little system that has shot a little tracking device on to his pant leg as he leaves. Then I go out the next night and I hunt him, and I confront him in his house, and if it were to become violent I mean murder is murder.

Jake Bernstein: So I think you have to be really careful with how [inaudible 00:25:22].

Kip Boyle: I think that's really the big risk. If you look at all the different, you know the range of options defined inside of active defense, and as you said, some of that stuff's very low impact. Not very risky. Honeypots and that sort of thing, but it seems to me that once you start dabbling in these things, right? These beacons, and threat hunting, you've got to have a lot of self control to not take what you discover and then say, "Well I'm just going to keep following up on this until I get this guy to leave us alone." In your enthusiasm, you could actually start breaking into other people's computers, and then next thing you know you're doing stuff that's just plainly illegal according to our current paradigm.

Jake Bernstein: You can. You know, people often use the term Wild Wild West when describing the internet as a marketplace, right? I think it's starting to mature now, but what we're really looking at here is how much do we want to let the internet become the actual wild west, which historically was defined as a lawless frontier. Right? Might made right in parts of the old west, it wasn't until you got civilization there where you start to impose the rule of law.

Kip Boyle: Right.

Jake Bernstein: I don't think that people are prepared for that on the cyber realm. I don't think that it is particularly safe to start doing that. I think if you open Pandora's box of rescue missions, I have a feeling that there would be a lot of damage caused to innocent parties in the process.

Kip Boyle: Yeah. Absolutely. Well I think this is a good example of how it's frustrating right now for organizations to wish that the government, the police forces, the FBI, that they would be able to do for us in the cyber realm what they already do for us in the physical world. They just, none of this has really been sorted out yet, so I think active defense is going to become a more and more talked about idea as time goes on. I think we're going to see company start ups arise to try to provide active defenses for organizations that are willing to try to push the envelope a little bit. So, I just think it's going to be really exciting to watch the evolution of law, and technology in this space. I really hope we come up with some good answers, because right now I just feel like a sitting duck.

Jake Bernstein: Yeah. I think that the future will be, I mean I think a lot of this stuff is going to become regularly used. I think as much as we can kind of discuss the shades of gray, and maybe even going pretty far into the black on some of these things, a lot of this stuff I think is pretty clearly not that risky legally. Anything you want to do on your own network. There's a question of, it's not even clear to me, let me just as a hypothetical, I could potentially put mines in my data network, right? Like literal infected pieces of malware data that I leave in there as traps for the unwary. You talk about, and I'm going to do what I just said was difficult or was tricky, which is to make an argument that I'm not ever accessing your computer system with a piece of malware.

Jake Bernstein: If you stumble upon it and steal it, sorry. It ran on your machine, but I didn't do it. You came on to my property ...

Kip Boyle: And then you transferred it over to your computer.

Jake Bernstein: You took it. You transferred it. I didn't access your computer.

Kip Boyle: Right. Or to the computer of this pharmaceutical company that I've broken into and used as a launching pad.

Jake Bernstein: Yeah, well hopefully that company has its own system set up to defend itself. I do think that there are, that is a really interesting gray area.

Kip Boyle: Yeah.

Jake Bernstein: I mean because I can put a "beware of dog" sign in my yard, and I can put three attack German Shepherds in there. If you climb that fence, and you get mauled, I'm not really liable under the law. I mean you violated my property. You ignored a clear warning.

Kip Boyle: You got what you deserved.

Jake Bernstein: Sorry. You got what you deserve. So you could take it that far in the cyber realm.

Kip Boyle: I think that's what people are trying to do with active defense. They're just saying, "Let's take some of these common sense kind of ensconced into law ways of protecting ourselves, and let's extend those into the digital realm."

Jake Bernstein: Yeah. I think how far you take that is going to be interesting.

Kip Boyle: Yeah. Well thanks for joining us today on the Cyber Risk Management podcast. Today we talked about active defense and how that may help you better manage your cyber risks.

Kip Boyle: Thanks everybody for joining us today on the Cyber Risk Management podcast.

Jake Bernstein: Remember that Cyber Risk Management is a team sport and needs to incorporate management, your legal department, HR and IT for full effectiveness.

Kip Boyle: Management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks, and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk managed program.

Jake Bernstein: You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.