Offensive security or “hacking back” has always been seen as either unethical or illegal. But now, we’re seeing a resurgence in offensive security solutions. Are we redefining the term, or are companies now “hacking back?”
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Eric Hussey, CISO, Aptiv.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Varonis
[David Spark] Offensive security or “hacking back” has always been seen as either unethical or illegal. But now, we’re seeing a resurgence in offensive security solutions. Are we redefining the term or are companies now “hacking back”?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series, and joining me for this very episode, it’s Steve Zalewski. Steve, people know you because your voice sounds a lot like what?
[Steve Zalewski] Bugs Bunny.
[David Spark] No. It does not sound like Bugs Bunny. You know, it’s interesting you say that. I have a good friend who’s a voiceover talent and he actually can do a lot of voices of cartoon characters. I called him from the car and my son Jonah was in the car with me, who at the time I think was six years old, and he just started doing all these voices of cartoon characters. And later, he was saying to my wife, he goes, “Why was Daddy talking to Donald Duck and Mickey Mouse?”
[Steve Zalewski] That’s pretty good.
[David Spark] Enough of that though. Our sponsor today is Varonis. They don’t sound anything like any cartoon character that I know of. But you know what about Varonis? They’ve been a phenomenal sponsor and their tagline is, “Your most valuable data shouldn’t be your most vulnerable,” and I couldn’t agree with that more, that is a good tagline. Yeah, don’t make it your most vulnerable, which I would say in many cases is. So, you probably will be interested to know what Varonis has to say. Guess what? They’ll be talking later in the show. But first, Steve, you asked the LinkedIn community – if we’re now starting to accept offensive security or “hacking back,” has the definition changed of offensive security, or are there different ways of looking at this, or can we truly fight back without legal repercussions? What do you think, Steve?
[Steve Zalewski] So, this is going to be a great episode, audience, because the hacking back which was traditional offensive security, many of the responses were within to that. But within a small number, actually we’re responding to what I was asking about which is offensive defense, and the fact that what we’re actually seeing is a new generation of innovation that has to do with how we do offensive defense effectively.
[David Spark] Well, the gentleman who’s going to help us with this very discussion, he is the CISO over at Aptiv, Eric Hussey. Eric, thank you so much for joining us today.
[Eric Hussey] Great. Thanks, David. Great to be here. Steve, great to meet you, great to be here as well.
What needs to be considered?
[David Spark] Ryan Clarque of Levi Strauss & Company, your former employer, Steve, said, “The future repercussions of offensive cyberweapon development and usage by private organizations is a dark path to walk down. I want to punch the baddies in the face as much as the next person, but we (the majority of us) can’t do it today and avoid collateral damage.” And also Yaron Levi, friend of the show and CISO of Dolby, said, “‘Hacking back,’ in my honest opinion, should only be left in the hands of government agencies and military. At least governments follow a code of law of some sort. The other aspect to consider is the fact that governments are better equipped to deal with potential escalating situations on a global level. A company in the private sector? Not so much.” So, I kind of like both of these quotes because it really sets up, like, it’s not just striking back once. There’s a lot of issues you need to consider that you’re just not equipped for as a private organization. Right, Steve?
[Steve Zalewski] Absolutely. And Ryan Clarque was not only one of the guys at Levi’s with me, he worked for me. And when I asked this question to LinkedIn, his comment was, “You blew up my head again, Steve, because this is just not an expressible concept.” And so what I want to say is I agree. Ten years ago, hacking back was a bad idea for a whole lot of reasons, right? Legal, regulatory, ethically. It still is. We cannot hack back. That’s really within the purview of the government.
[David Spark] And then just also Ryan’s comment of [Inaudible 00:04:18], “I want to hit them back really badly too but I can’t.” Like, we all know the desire to do it.
[Steve Zalewski] Yep. And when I worked for a large utility where a nation-state was a real problem, we had government support, right? I mean, to a certain extent, really is within the government purview. So, I want to put that right out front which is, really, hacking back at a commercial level is not possible. But what I found so hopeful and why I really asked this question and some of the respondents started to go down the path is I am seeing, as I’m talking to companies, the use of the word “offense” and “exploitability” now entering the lexicon but not as a “try to hack back.” But much more around understanding how I can make my defenses much more dynamic, and that what I can do is be resilient and contain in a way that thwarts the bad guys in trying to penetrate my defenses. And that is what I want to tease out during the show because that really is the next generation of something that we can actually do.
[David Spark] So, Eric, I’m going to assume that you agree that this “hacking back” mentality, as much as we all really want to do it, just there’s too many variables that are just that we can’t.
[Eric Hussey] Yeah. The reality of the situation is, and Steve touched on some of these things, not only do we have regulatory constraints in doing so, but let’s be honest. A lot of the threat actor activity out there today is a lot of it’s nation-state driven with far more sophisticated capabilities, tools, techniques, and procedures than we have internally developed in our organizations as well, right? So, the ramifications can be severe, right? So, as we look to what offensive security really means, I mean, I grew up in online banking for most of my career, then went into SaaS, really mission-critical services hanging out there on the internet. I’ve always looked at offensive security from the lens of it’s not about hacking back, it’s about developing those capabilities – we all call them red team capabilities today – that map to our organization. In a way, we’re always testing ourselves from a threat actor perspective, right? So, that’s what I’ve really seen offensive security for, for quite a while, and have built organizations with those offensive team capabilities that complement our blue team capabilities, which are our defenders. So, I agree with Steve completely on this.
Why is this so darn hard?
[David Spark] Jon Medina of Protiviti said, “Attackers often use compromised systems, source masking, or ‘innocent’ bystanders to execute their attacks. Any sort of retaliation could adversely affect environments that are not the actual source of the problem.” Very good point. Again, other things to consider when hacking back. And then Allen Westley of L3Harris Technologies said, “Hackers are becoming ensnared by their own malware creations. Hacking back could have reciprocating consequences.” So, I’m going to throw this one to you, Eric, first. It’s you could have a single success hacking back but, oh, the trickle down would just be so monstrous.
[Eric Hussey] Yeah, it certainly would be, right? So, why is this so darn hard, right? I’ve been in cyber for a little over 20 years, and what I’ve seen throughout my career in cyber is we’ve tried to peanut butter spread, I would say, safeguards across an entire organization. And the reality of the situation is we have more CISOs today than we ever have been. We have more breaches than we ever have seen, and they’re usually more severe than we’ve seen. So, what does our success really look like today from a CISO perspective or a security organization perspective? It doesn’t paint a very positive picture in our success, right?
So, I think that around 10 years ago, you started to see things pivot a little bit from a strategy perspective and start to hear about CISOs really having a seat at the table, knowing the business, what is critical to the business. And I think a lot of us have taken the approach where you’ve had a lot of these framework-driven maturity, I would say, assessments done time over time. And they’re great for measuring success, but I think a lot of us have taken that and pivoted it on its side to say, “Listen. We know we’re going to have problems along the way but where we can’t have problems are those areas that are most critical to the business.” And that’s where we start to really get into bolstering our controls in those areas, putting together defense in depth strategies. And part of that strategy is a good defense has good offensive strategies and controls, and that’s where you get into really focusing on attacking those assets and those weak points that could have the biggest impact to your business, and really understanding where your weak spots are so you can defend against that adequately, right? And that’s the whole nature of where I see really proactive cybersecurity going, and good offensive capabilities is really understanding, in this dynamic and ever-changing environment, where are your weak spots on a continuous basis and what are you doing to keep those insulated from threat actors.
[David Spark] Proactive security – I’m starting to hear that term a lot more – and we’re going to get even more into that. But I just want to address the comments that were made by both Jon and Allen in that, again, there’s complications in hacking back where attacks are never linear, they go in multiple directions, and a lot of innocent and collateral damage can happen.
[Steve Zalewski] Right. So, let me break it down, right, which is Eric did a great job, he talked about it, right, “This is historically why.” If you bring it right to the core, okay, there’s three reasons why we can never, ever do it. One – it’s morally wrong. People just feel bad, it doesn’t feel right to attack, right? It’s not what we’re supposed to do. We’re defenders not attackers so it feels wrong morally for a whole set, okay. Ethically – I can’t do it. Because many of the certifications are written right in – do no harm. Attacking is harm. And so therefore, depending upon how you read that language, I am ethically unable to do it. And then finally, legally. Only countries can declare war on other countries. And when I leave my boundary, okay, that’s an attack outside of my commercial boundary into, if it’s a nation-state attack or even if it’s by organized crime, I’m moving into purviews that are outside of mine and there are legal and moral dilemmas there that really are the purviews of the government. For those three reasons, that’s why we just will never be able to do it. That’s why I said we’ve given up.
[David Spark] I just want to mention is your three reasons aren’t even the four reasons that just came up previously from these four quotes. So, your three reasons should be enough.
[Steve Zalewski] Yeah.
[David Spark] And then here are four more on top of it.
[Steve Zalewski] Right. And that’s what I mean, which was people kind of look at second and third order, but when you take it to the top those three things are why we will never, ever do it.
[Eric Hussey] Yeah. And Steve, just to chime in there, I agree with you 100% on that and I thought you brought up an excellent point in previous comments. Depending on the sector you’re in, we have a lot of help from the government, right, and other agencies. There is help there and they actually welcome that collaboration, right? So, yeah, Steve, I just wanted to touch on that point because in many times in my career, I’ve actually partnered with the government to get that help, and they welcome it and they’re a very great resource.
[Steve Zalewski] Yep. Now let me riff on that and take the other side of that. No, they’re not.
[Eric Hussey] Mm-hmm.
[Steve Zalewski] And here’s why. Everybody wants your data…
[Eric Hussey] Absolutely.
[Steve Zalewski] …so they can figure out what to do with it, and the government’s no different. And what we want isn’t a sharing of data. I need to understand what you know so that I can set my defenses to the highest level and do the best I can, but you want my data because you have a larger play. And that’s why it doesn’t work, okay? And so I’ve often said what I want from the government is not their data, but what I want to be able to do is have them set triggers. If you identify certain things and you tell me trigger my highest defenses, I will tell you what my highest defenses are. That’s the language we’ve got to get to and stop this, “You tell me what I’ve got, I’ll tell you what you got, and we’ll share.” It doesn’t work and it just will not.
[Eric Hussey] Yeah.
[Steve Zalewski] And we can’t get there yet. So, that’s why I say, “Yes, it’s there,” and the government oftentimes will help, but in many cases it puts us commercially at risk.
Sponsor – Varonis
[Steve Prentice] The idea of ransomware and extortion is nothing new to CISOs and their clients. Sadly, we hear about them every day. But something that is not always considered when discussing how best to defend against these types of attacks is a company’s blast radius. Here is Brian Vecci, Field CTO at Varonis.
[Brian Vecci] Most CISOs, if they’re not worried about the blast radius of the users and application accounts in their environment, probably should be. We’re at a point now where at least once a month we’re hearing stories about major ransomware attacks, often driven by advanced cybercriminal groups.
[Steve Prentice] He points out that the blast radius for any given employee is surprisingly large and dangerous.
[Brian Vecci] So, blast radius comes back to what your users and your applications and your systems account actually have access to. And one of the things we know here at Varonis because we’ve been doing this for so long is that on average, a given user in an organization will have access to, on day one, 17 million files and more than 20% of the data in the organization. So, imagine you’re a CISO. What are you worried most about when it comes to ransomware? You want to make sure that you can prevent it from happening and the best way to do that is to minimize the blast radius, to minimize the amount of files, the amount of data that any given account has access to.
[Steve Prentice] But he cautions.
[Brian Vecci] That’s easier said than done when 20% of your data’s open to everybody.
[Steve Prentice] For more information, visit varonis.com/CISOseries.
What are they looking for?
[David Spark] Russell Gower-Leech of Select Technology said, “We should look at the business the way the ‘bad guys’ do. What information can we find and how could we exploit this? It’s amazing what you can tell from the outside and that this info gives you a list of targets and pretext for social engineering and other attacks/scams.” This is proactive cybersecurity, exactly what you’re describing. And also want to mention what Rich Mason, Critical Infrastructure, said, “Offensive TTPs used against authorized targets (red teaming) without excessive scoping is the right way to truly understand your attack surface and the effectiveness of existing controls.” So, this really is the definition of red teaming, yes, Eric?
[Eric Hussey] Yeah, I would agree, and I really like Rich’s quote there. And it kind of goes back on what I talked about before around really understanding your business, right? We can’t cover all of the ground that we need to ensure the business is 100% secure. The reality is that’s never going to be a possibility, right? So, really scoping those red team capabilities and those areas that are most critical to the business, right? Large-scale manufacturing, some of the risks there might be ransomware – large target, highly disruptive – versus maybe a small software company that does a lot of work for the DoD. They might not necessarily be interested in the software company, they’re more interested in the government clients that they’re serving, right? So, I think really understanding your business and really laser-focusing your capabilities in from a defensive and offensive perspective to really get a good grapple on where your weak spots are and how you’re going to defend them is really critical to success in this current environment.
[David Spark] You know, Steve, one of the things I used to always say in situations like this is it’s hard to do this because of what I call the curse of knowledge. When you know your system so darn well, it’s hard to generate a good outsider perspective and this is why outside red teams are hired, for this reason. How can you sort of combat this curse of knowledge, of getting a sort of a clean perspective, if you will?
[Steve Zalewski] Yeah. And what I’m going to say, David, is you can’t. As long as you look at red teaming, and that is the state of the art, that is still primarily static defensive probing. Done once, see something, 15 minutes later your perimeter has changed, and all that work is for nothing. And that’s what I get at. Red teaming is the best we got, the more you do the better, but it’s only good as a point in time, right? Offensive defense to me is an interesting concept because what it really translates to and what I’m seeing in the industry and some of the technology that’s coming out is the move from static authentication to continuous authorization. It’s a realization that everything is an identity and we don’t trust it, and we are continuously validating what we know about that identity against what it’s doing. Okay? That’s offense, right? We’re moving, we’re now getting to a polymorphic defense or perimeter where the ways the bad guy gets in, it’s never the same twice, because we’re watching.
The other thing is data’s the new identity. So, we’re moving it from a user in an application down to data. Look at all the new technologies that are coming out that are looking at the data, and assigning identity and really doing continuous authorization. And the last area that I’m seeing in true innovation is what I call the move from vulnerability management to exploitability resiliency. Which is there’s a whole set of technologies now that are understanding it’s not what’s vulnerable in your environment, because you can’t patch it all. It’s what is exploitable at this point in time and watching the exploitability paths, right, and using the MITRE ATT&CK sequence in order to be able to understand when you’re under attack. So, it’s not what happened, it’s what’s happening and how do I disrupt it. So, you’re seeing this conversation towards resiliency rather than protect, detect, respond, recover. And now it’s identify, protect, contain, right? That’s what I am seeing as really why offensive defense is now going to work. Polymorphic defensive perimeters really are coming online, it’s state of the art, but we are finally getting to being able to offer a defensive perimeter that matches the offensive technologies that are being used against us.
[Eric Hussey] Yeah. And I would agree with that, Steve. That’s a great point, right? I think it also boils down to we’re starting to work smarter not harder, right? That strategy we’ve tried for a long time and working really hard to try to do a lot of things in a lot of different places has failed, right? Let’s call it what it is, right? So, really what you said, Steve, absolutely fully agree, but I think it boils down to smarter not harder. And a lot of these technologies have been in place for a while now. It’s using them in the appropriate way, having the internal capabilities and the mindset to think about the business, think about threat actor motivations, and figuring out how can we get hurt and insulating against that.
[Steve Zalewski] Spot on.
Where does the solution fall short?
[David Spark] Jason Dance of Greenwich Associates said, “I have no question what would it be worth to the business to ‘hack back’? Not only can it have serious legal consequences, the business would need to pay to retain skilled staff and maintain the readiness to deploy such measures against another organization.” It would require a lot more staffing, if you could accept all the things of being not ethical, immoral, and not legal. And then Jay Jay Davey of CyberClan said, “Why provoke when the majority of businesses can barely manage technical risk? Let’s stick to the essence of cybersecurity – management of technical risk through various technical controls and protect the value of the organization – rather than paint an even bigger target on its back.”
I think those two kind of really sum it up nicely. It’s like, “Well, let’s just look at the economics of this. We’re having a hard time just doing the defending side. You want to take a whole ‘nother division into this?” Steve?
[Steve Zalewski] Absolutely right. This episode is so interesting because Defense in Depth is complex problems and we try to break them down to do something. And what we’re realizing is this show and this episode is actually looking at the future and you’re seeing how we are now moving to a new set of capabilities and a new way of thinking that is not one of simply secure my company, but more of a risk-based approach to protect my company, okay? And what you see then is automation is not the solution, we’re not saying, “Oh, automate,” okay? What we’re saying is marry the problem. The problem is the bad guys are polymorphic, they attack everywhere, and we have got to get a lot more resilient in letting all of this context and all this detection move from telling me about problems to the, “So what. Now what?” Which is, “And what can we do about it at this point in time?” in a way that we can understand the business impact and that the business works with us, because getting in is inevitable now and that’s why we’re moving many CISOs to this resiliency and risk-based conversation as opposed to purely a technical static control.
[Eric Hussey] Yeah, I completely agree, Steve. I started moving this way about 10 years ago and I was kind of the outlier from a CISO perspective, right, because everything was so framework-based, so control-based, applied broad strokes across your enterprise, and I really started off early on starting to pivot here. You don’t need to score very high maturity from a NIS perspective, but you can actually have a lot of substance in protecting what’s critical to your business, right? And I think that that has been the challenge that we’ve had in the industry for a while, right? The industry went so heavy framework, saw a lot of compliance controls based mindset around things. And somewhere along the way while we’re trying to improve that maturity score, we forgot about what’s important to the business and why our position’s actually there at that company. Our job is a defender of the business, and in some cases it’s an enabler, right? So, I’ve really looked at this.
And Steve, you brought up automation. Automation is great, SOAR is great, just another tool in the toolbox to help us move a heck of a lot quicker. Because as you said, Steve, before, I’ve come on a lot of the software shops in my career, and I think one of the challenges that we’re having in a business and why we see the rate of breaches increase is because the way we’re working is different. It’s DevOps, Agile, cloud, right? We’re moving so much faster for innovation, right? Which means that we’re failing faster which is what a lot of these principles want you to do but security gets caught up in that. So, we’re seeing digital take over the world right now. We’re seeing security move just as quickly from a failure perspective. So, we need to work smarter, leverage these automation capabilities, bring in real context to ensure that our business is protected, not only from a defensive perspective but also an offensive perspective. So, again, it’s working smarter not harder in the context of protecting why we actually have a seat at the table of the business.
[Steve Zalewski] Absolutely.
[Eric Hussey] We need to protect it.
[Steve Zalewski] Yep. And Eric, to your point, 5% of the people are doing what we’re talking about right now.
[Eric Hussey] Absolutely.
[Steve Zalewski] Because it’s always been hard and it’s been counter to the traditional ways security has put themselves at the table.
[Eric Hussey] Yeah.
[Steve Zalewski] And that’s why I said I wanted to thank our audience and you because what we are doing are allowing people to look at some of these technologies and some of these emerging concepts in new light to understand that these are the things you’re going to be doing in three to five years. And so these companies are now laying the groundwork for you to look at your strategies and understand how you are going to migrate there and where the efficiencies and the effectiveness of doing this will impact your business in a positive way.
[Eric Hussey] Yeah, and Steve, one drop, right, as a new CISO that just entered into a new company, right, one of the things I always look for and explain to executive management – what are the top three business risks that can’t be realized and impacted by cyber? Right? We should be able to get to that level. And unfortunately, a lot of security leaders can’t get there, right? But I think that, that’s where we’re going to need to get in the future to be a heck of a lot more effective, and perceived to be effective.
[David Spark] All right. We are now at the end of our show but it’s not truly the end because I ask, first you Eric, what your favorite quote is and why. Which is your favorite quote?
[Eric Hussey] I really like the quote from Rich Mason around the scoping of red team capabilities, right?
[David Spark] Mm-hmm.
[Eric Hussey] It’s kind of how I conduct my day-to-day business, right, that not everything is important. It’s just not that critical to the business. In fact, there’s probably a smaller amount of things that are critical to the business. So, when we go about our daily activities as a CISO and we make decisions and we change the culture of our teams to really look at what are we doing on a daily basis, and making sure that that’s scoped with our guiding light of, “Here’s what’s critical to the business.” Things are about scope now, right, and applying those controls. Offensive security capabilities are just another set of controls. Let’s make sure we scope them to the areas that are going to hurt us most, and once we feel good about that, we can broaden that out if that’s what makes sense for the business, right, it requires further investment. So, I really like that quote from Rich Mason. I think he really touches on the heart of offensive security and scoping that to the business need and protecting the business.
[David Spark] All right. Steve, your favorite quote and why?
[Steve Zalewski] I am going to go with Ryan Clarque from Levi Strauss & Company.
[David Spark] Ah. A little nepotism here.
[Steve Zalewski] A little nepotism, but here’s why. What Ryan says is what we all feel. We can’t do it but we want to punch them in the face.
[David Spark] Yeah. That’s the thing I appreciate. Come on, let’s all just admit it. We all want to be Clint Eastwood here, don’t we?
[Steve Zalewski] We do. And what I think we’ve done with this episode and why I felt it was so important to do this is we are now giving you a way to punch them in the face and do it in a way that protects your company and accomplishes that feeling that we have some offensive defense, that we really are making it harder for the bad guys, not just constantly pushing them back. And so what I say to Ryan and what he’s usually said when he’s like, “Steve, you just blew my head up again because you’ve taken something that seemed impossible and you’re finding a way to do it.” We are finding a way to do it in this next generation of capabilities and that is what’s so exciting.
[David Spark] Awesome. Well, let me bring this show to a final close and I want to thank our guest and you, Steve. Eric, I’m going to let you have a final word if you want to plug Aptiv, and also the question I ask all our guests – are you hiring? Wait. Don’t answer yet, I’ll ask you to answer that in a second. I do want to mention our sponsor Varonis whose tagline is, “Your most valuable data shouldn’t be your most vulnerable,” and I couldn’t agree more. As kind of a little bit of the theme of this show too, even though we weren’t talking specifically about data but, heck, that’s what we’re all protecting, isn’t it? All right. Eric, any final words? Want to pitch Aptiv and are you hiring?
[Eric Hussey] Yeah, absolutely. So, those of you that don’t know Aptiv, it’s roughly a $24 billion company with roughly 200,000 employees across the globe. Aptiv’s main mission is really bringing technology to new heights within our cars, right? Our public transportation, right? All the way from advanced safety to autonomous driving, right? So, if you think about the car today, we make decisions about cars we drive, a lot of our decision making is now going into tech, right? And that’s what Aptiv’s all about to a large extent.
And I am hiring, right? Four months into my job as the CISO at Aptiv, Aptiv has a lot of roots back in manufacturing and we’ve transformed it into a leading edge tech company for that sector, right? And so as we talk about IoT and connected vehicles and things of that nature, we need a lot of great capabilities to make sure that those safety-critical elements are always protecting our consumer, right? So, we are hiring. Anywhere from OT cybersecurity to BISO roles to offensive security engineers, right, so those are some of the first jobs I posted coming in.
[David Spark] If they want to get in contact with you and mention they’ve heard you on this show, how do they reach you specifically?
[Eric Hussey] You can hit me on LinkedIn any time, any day, happy to connect with anybody that wants to have a conversation and join the team.
[David Spark] Awesome. Great to hear. Thank you very much, Steve. Thank you very much, Eric. And most importantly, thank you to the audience for all your amazing contributions. We greatly appreciate it. Also if you see a great conversation online, or you were the one who created great conversation online, send that link to me. You can do it through the CISO Series site or ping me through LinkedIn as well. We greatly appreciate your contributions and listening to Defense in Depth.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website CISOseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cyber Security Headlines – Week in Review. We’re always looking for fascinating discussions for Defense in Depth. If you’ve seen one or started one yourself, send us the link. We’d love to see it. And when any of our hosts posts a discussion on LinkedIn, participate. Your comment could be heard in a future episode. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to Defense in Depth.