By: Mauricio Orellana, Cybersecurity Trainer & Researcher


Beaconing: Tracking attackers

New attacks against companies appear all the time, and most of them aim to collect sensitive information or some other valuable data. What an attacker is after is something tied to the target: a document, a photo, a file. It is important to be prepared for the worst, but with active cyber defense we can be one step ahead and counter an attack instead of waiting for it to happen. Beaconing, used on its own or together with honeypots, can give us a good picture of what happened once data has left our control.

Active Cyber Defense Review

In Active Cyber Defense we have three groups of techniques, depending on their scope of action: networks, software and processes. The first group includes honeypots, beaconing and sinkholing. The second group is based on the moving-target concept and is applied in techniques such as proactive obfuscation, diversified variants and address space randomization. The third group is represented by Cyber Threat Intelligence (CTI) and Threat Hunting.


What is Beaconing?

Beaconing is a technique for proving that certain protected information has left an authorized network or trusted zone, and it can potentially reveal where the files ended up if they are stolen. It is considered an active technique, while watermarking complements it as a passive one. It can also be combined with the canary technique, which ties a piece of information to a specific person by generating an identifying element that is unique to that copy.

This technique lets a defender plant camouflaged fragments of code, files or artifacts in their storage and application systems. Once such an artifact is stolen and opened, it calls back from the attacker's environment and records identifying information: which copy was taken, who it had been issued to, the address it was opened from, and more. Two caveats matter in practice: the beacon only fires if the artifact is opened in a viewer that loads remote content (an offline or sandboxed viewer reports nothing), and what it records is what any inbound connection to your own server reveals, typically a source IP, a User-Agent and a timestamp.
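The following is an added example, not code from the original article, showing the beaconing and canary ideas described above in a minimal form: each issued copy of a document gets an HMAC-derived canary token embedded as a remote image reference, and a small matcher runs over beacon-server log lines to tell which copy was opened, by whom it had been issued, and whether it was opened from inside or outside the organisation. The beacon host, the internal address ranges, the secret and the log lines are all constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import re

# Assumed defender-controlled beacon host and internal ranges (constructed for the demo)
BEACON_HOST = "beacon.example.net"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def make_token(secret: bytes, doc_name: str, issued_to: str) -> str:
    """Canary token binding one copy of a document to the person it was issued to.
    An HMAC keeps tokens unforgeable and non-enumerable for anyone who finds one."""
    msg = f"{doc_name}|{issued_to}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def beacon_url(token: str) -> str:
    return f"https://{BEACON_HOST}/b/{token}.png"


def embed_beacon_html(body_html: str, token: str) -> str:
    """Plant a 1x1 remote image before </body>. A viewer that loads remote
    content fetches the URL, handing the beacon server the token, the source
    IP and the User-Agent. Nothing executes on the viewer's machine."""
    tag = f'<img src="{beacon_url(token)}" width="1" height="1" alt="">'
    return body_html.replace("</body>", tag + "</body>", 1)


# Combined Log Format line for a request to /b/<token>.png on the beacon server
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /b/(?P<token>[0-9a-f]{32})\.png HTTP/1\.[01]" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def is_internal(ip: str) -> bool:
    """True when the source address belongs to one of our own ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def match_beacon_hits(log_lines, registry):
    """registry maps token -> (doc_name, issued_to). Returns one dict per
    recognised hit; unknown tokens are dropped (scanner noise, not a canary)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("token") not in registry:
            continue
        doc, who = registry[m.group("token")]
        hits.append({
            "doc": doc,
            "issued_to": who,
            "ip": m.group("ip"),
            "ua": m.group("ua"),
            "ts": m.group("ts"),
            "external": not is_internal(m.group("ip")),
        })
    return hits


def run_demo():
    """Issue two canaried copies, then replay constructed beacon-server log lines."""
    secret = b"demo-secret-do-not-reuse"  # constructed; keep the real one in a secret store
    registry = {}
    for doc, who in [("Q3-forecast.html", "alice"), ("Q3-forecast.html", "bob")]:
        registry[make_token(secret, doc, who)] = (doc, who)
    tok_alice = make_token(secret, "Q3-forecast.html", "alice")
    tok_bob = make_token(secret, "Q3-forecast.html", "bob")
    html = embed_beacon_html("<html><body><p>Internal forecast</p></body></html>", tok_bob)
    assert beacon_url(tok_bob) in html

    # Constructed log lines: alice opens her copy from the office, bob's copy is
    # opened from an unknown external address, and a scanner guesses a bogus token.
    logs = [
        f'10.1.2.3 - - [12/Mar/2023:09:14:02 +0000] "GET /b/{tok_alice}.png HTTP/1.1" 200 68 "-" "Mozilla/5.0 (Windows NT 10.0)"',
        f'203.0.113.57 - - [13/Mar/2023:22:41:17 +0000] "GET /b/{tok_bob}.png HTTP/1.1" 200 68 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
        f'198.51.100.9 - - [13/Mar/2023:22:43:00 +0000] "GET /b/{"0" * 32}.png HTTP/1.1" 404 0 "-" "masscan/1.3"',
    ]
    return match_beacon_hits(logs, registry)


if __name__ == "__main__":
    for hit in run_demo():
        flag = "EXTERNAL" if hit["external"] else "internal"
        print(f'{flag}: {hit["doc"]} issued to {hit["issued_to"]} opened from {hit["ip"]} ({hit["ua"]})')
```

The external hit on bob's copy is the signal: that copy was opened from an address outside the organisation, so the file has left the trusted zone and the canary tells you which recipient's copy it was. Note that this form of beacon executes nothing on the remote machine; it only records a request that the viewer itself made to the defender's server, which is a different category from the "hack back" actions discussed further down.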

There are more aggressive cyber defense actions, sometimes called "hack backs." Some time ago the Washington Post published an article entitled "Cyber attacks trigger talk of 'hacking back'" which points out that, despite the practice being prohibited, some banks install so-called "beacons" that can be attached to sensitive data, making it easier to trace the route stolen data takes through the Internet. The authors add that merely discussing this within cybersecurity circles raises the question of the risks involved, starting with the fact that most forms of hacking back are illegal and ending with warnings of retaliation that could escalate into full-scale cyber warfare, with collateral damage across the Internet.



Legal framework in some countries


In the US, the 'Active Cyber Defense Certainty Act' (ACDC) bill aims to allow duly authorized private actors to "go outside their own networks to 1) establish attribution of an attack, 2) disrupt the cyberattack without damaging third-party equipment, 3) recover or destroy stolen files, 4) monitor the attacker's behavior, and 5) use beaconing technologies", behaviors that could currently violate the existing 'Computer Fraud and Abuse Act' (CFAA).

Some countries seem to be following this path, such as the United Kingdom, whose National Cyber Security Strategy 2016-2021 calls for "developing and implementing active defense measures that will significantly improve levels of cybersecurity across UK networks", although the degree of freedom companies will be given to implement such measures, and their specific characteristics, remain to be specified. The leader in this area is currently Singapore, which already in 2014 amended its legislation to allow private actors, through a mechanism of prior authorizations and criminal immunities, to carry out active defense measures against attacks on critical infrastructure, even on a preventive basis.

In Spain, the National Cybersecurity Strategy seeks a "transition from a cybersecurity model of a preventive and defensive nature towards a scheme that incorporates elements of greater deterrent force", as well as "a more proactive approach to cyberintelligence", although it does not expressly grant powers for this to private actors beyond recognizing them "a relevant role as one of the managers and owners of Spain's digital assets". The strategy does refer expressly to active cyber defense ("The defense of citizens, freelancers and companies must go beyond the self-protection measures that they can take, so it is advisable to implement measures for their active cyber defense") and includes it among its lines of action ("measures for the active cyber defense of citizens and SMEs will be implemented"), but it does not specify what type of active measures may be adopted, or whether this active defense means only a reinforced exchange of information between the different actors or leaves the door open to more aggressive measures.

On the Latin American side, Peru has a cyber defense law, Law No. 30999, whose Chapter II (Use of force in and through cyberspace) addresses this in two articles. Article 10, on self-defense: "Any threat or attack in and through cyberspace that endangers sovereignty, national interests, critical national assets and key resources to maintain national capabilities, gives rise to the exercise of the right of self-defense." Article 11, requirements for the exercise of the use of force: "The exercise of the right of self-defense in the context of cyber defense operations is subject to the principles of legality, necessity and opportunity. In the case of conducting a response operation in and through cyberspace containing a deliberate attack, it must be conducted in accordance with law." Read together, these articles could be understood as opening a legal path to a counterattack, that is, to "hack back" actions, when one is attacked.


Discussion

It is true that today it is considered illegal for companies to "hack back" to recover stolen files, in theory so as not to unleash a large-scale cyber war. But it makes no sense to stand idly by, waiting to learn what will be done with our information, where it will end up, who will hold it and how it was taken, and then to spend large sums recovering what was stolen or to lose the trust of our customers. For this reason it makes sense to reflect on the subject, share opinions, and form new points of view on the possibility of recovering stolen data and information.