Your business was hacked, leaving you with a persistent bot; now what? Okay, here it is: when plagued with a persistent bot you can legally use automated code outside of your network, in specific circumstances and via specific means, to eliminate the threat in an act of self-defense or defense of property.
Most cyber security experts agree that getting hacked is no longer a matter of if, but when. One hundred percent security is a myth. So what can you do? Standard responses are slow and, in many cases, not very effective. Nations can legally defend themselves but what about businesses?
A Losing Battle – Defending Against the Botnet
The presumption is that a business cannot reach outside its network in self-defense to block an attacker. I am not advocating vigilantism, but we are losing the war in cyberspace and must rethink our strategy and laws. Too much money and too many secrets are walking out of the door unchecked.
My focus is the botnet since it currently appears to pose the largest threat, with millions of infected machines around the world being used to attack networks. Computers and networks are being infected through a variety of methods: phishing attacks, malware on legitimate and fake websites, employees visiting social media sites, and more. In 2010 and the first half of 2011, the top four botnets were:
2010: RudeWarlockMob (TDL-3), now TDL-4; Monkif
2011 (first half): SpyEye Operator (OneStreetTroop); Neosploit Operator
So, let’s assume you found a virus/bot in your network and believed you cleaned it up but, lo and behold, it is back. For whatever reason, law enforcement was not able to assist or, for business reasons, you decide calling law enforcement is not advisable. You have not been able to determine the location of the command and control (CnC) server, which likely belongs to an innocent bystander whose network was infected and is now controlling hundreds or thousands of bots without the owner’s knowledge.
Hacking Back In Self-Defense
Although difficult, it is clearly feasible: what if you implanted code in the communication function of the bot so that, when it phones home to the CnC server for instructions, the communication path is blocked or cut off by that code at the CnC server? Is this hacking?
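Before weighing the legal question, it is worth seeing what the defender-side counterpart looks like, because the same "cut the communication path" outcome can often be had entirely inside your own perimeter. The following is an added example, not code from the article or from any of the botnets named above: it parses a handful of constructed egress-firewall log lines (the `src=`/`dst=`/`action=` format is assumed, as are the addresses), looks for the low-jitter periodic phone-home pattern a bot typically shows, and emits generic block rules for your own egress point rather than for anything on the CnC owner's network.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log lines (assumed syslog-like format, not from the page).
# 10.0.0.15 phones home to 203.0.113.7 every ~5 minutes; 10.0.0.22 is ordinary browsing.
SAMPLE_LOG = """\
2011-09-01T02:00:00 src=10.0.0.15 dst=203.0.113.7:443 action=allow
2011-09-01T02:00:07 src=10.0.0.22 dst=198.51.100.40:80 action=allow
2011-09-01T02:05:01 src=10.0.0.15 dst=203.0.113.7:443 action=allow
2011-09-01T02:09:59 src=10.0.0.15 dst=203.0.113.7:443 action=allow
2011-09-01T02:13:40 src=10.0.0.22 dst=198.51.100.40:80 action=allow
2011-09-01T02:15:00 src=10.0.0.15 dst=203.0.113.7:443 action=allow
2011-09-01T02:20:02 src=10.0.0.15 dst=203.0.113.7:443 action=allow
2011-09-01T02:31:12 src=10.0.0.22 dst=198.51.100.40:80 action=allow
2011-09-01T02:58:05 src=10.0.0.22 dst=198.51.100.40:80 action=allow
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) action=\w+$")


def parse_log(text):
    """Turn log text into (timestamp, src, dst) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst = m.groups()
        records.append((datetime.fromisoformat(ts), src, dst))
    return records


def find_beacons(records, min_connections=4, max_jitter=0.1):
    """Flag (src, dst) pairs whose connection intervals are nearly constant.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; a bot on a fixed check-in timer scores near zero,
    while human-driven traffic is irregular. Thresholds are assumed defaults.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            beacons[pair] = {"count": len(times), "period": period, "jitter": jitter}
    return beacons


def egress_block_rules(beacons):
    """Render generic deny rules for the local egress firewall (placeholder syntax)."""
    rules = []
    for (src, dst) in sorted(beacons):
        host, _, port = dst.partition(":")
        rules.append(f"deny from {src} to {host} port {port or 'any'}")
    return rules


if __name__ == "__main__":
    found = find_beacons(parse_log(SAMPLE_LOG))
    for pair, info in found.items():
        print(f"{pair[0]} -> {pair[1]}: {info['count']} hits, "
              f"period {info['period']:.1f}s, jitter {info['jitter']:.3f}")
    for rule in egress_block_rules(found):
        print(rule)
```

The block rules are written in a deliberately generic form; translate them into whatever your perimeter device accepts. The point of the example is that blocking at your own edge severs the bot's path to the CnC server without touching any computer outside your network, which is the distinction the next sections turn on.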
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (CFAA) was enacted in 1986 and revised in 2001 and again in 2008. A violation of the Act is defined as anyone who “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; . . . or intentionally accesses a protected computer without authorization, and as a result of such conduct, . . . causes damage and/or loss.”
This definition should raise the following questions: is placing code on the phone-home function of a bot, knowing it will eventually gain access to the CnC server, considered “gaining unauthorized access”, and is blocking the communication path causing “harm, loss or damage”? You could argue there was no intent to cause the transmission, or you could split hairs and claim you did not technically cause the transmission: it was the bot owner via the bot, and you only intended to put the code on the bot, but both arguments may be a little thin.
Your intent was to emplace the code and block the communication path, not to gain unauthorized access to the CnC server. If done correctly, you merely blocked the bot from communicating with the CnC server and did not disrupt or impede the normal function of the server. To be clear, you have not gained unauthorized access to the network or computer if you block the communication path from outside the CnC server owner’s network (i.e., outside its network perimeter).
Hacking: Is It Legal? Should It Be?
So, what changed to make this legal? In the 1980s and later, when the CFAA was enacted and revised, hacking mostly consisted of a person breaking into and trolling through computers and networks. Today most hacking is automated, especially with the increased use of botnets.
Hackers have taken advantage of automated services and protocols that make the Internet, especially advertising, more personal, such as adware, cookies, etc. If you use automated tools outside of your own network to defend against attacks by innocent but compromised machines, is this gaining unauthorized access or a computer trespass? If it is, how is it different from the adware, spam, cookies, or others that load on your machine without your knowledge, or at least with passive consent?
Cyber Self-Defense/Defense of Property
Now, consider the law of self-defense or defense of property, which provides that you may defend property, similar to the right of self-defense, against an attacker. So why wouldn’t someone have a right to defend their computer or network from a botnet attack, other than the potential impact on innocent bystanders?
Imagine one morning you notice your car has a big dent in the rear. You happen to notice that your neighbor’s car has a similar dent in the front. You are completely dumbfounded since your neighbor is out of the country for a month. The next day you notice another dent in your car and your neighbor’s. You set up a camera to see what happens while you sleep. The video reveals that your neighbor’s car starts automatically, drives across the street, rams your car, and returns. You notify the police, but they determine that your neighbor left the door to the car unlocked, and the keys were in the ignition.
Unfortunately there is nothing the police can do. The next night you decide you are going to employ your right of self-defense or defense of property and do something. You enter your neighbor’s property, obviously trespassing, enter the car, again trespassing, and begin to investigate further. You determine someone wired the car with a remote control device and is operating it from some unknown location. You disable the remote control device thereby preventing the hacker from controlling the car. The car is still in its normal working condition.
In this scenario you trespassed and gained unauthorized access to your neighbor’s property and vehicle. But were you justified? Did a privilege of defense of property apply? It should be pretty clear that it would. You didn’t damage the normal function of your neighbor’s car. Now, answer the same questions with regard to the botnet scenario wherein you blocked or eliminated the communication path between the bot and its CnC server. But, unlike the vehicle scenario where it is clear you trespassed, is trespass clear in our botnet scenario? Not really!
The bottom line is we are losing the war. Businesses must be able to defend themselves to prevent the loss of money, technology, and secrets. Technology has advanced in leaps and bounds beyond our current laws. As new laws are explored, old ones amended, and solutions sought, let’s think outside the box and give the good guys the advantage, or at least a fighting chance. Until then, let’s stop automatically assuming we are not allowed to defend ourselves. We can, and the law allows it. We just need to be very careful and methodical about it and not harm our neighbor or trample on his privacy rights. Not vigilantism, but clear, forward, out-of-the-box thinking and analysis to put us back in the game.
Excerpted from Hacking Back in Self-Defense: Is It legal? Should It Be?