INsecurity Conference 2018 Schedule Builder

Non-Lethal Active Defense for Enterprises: A Better Alternative to "Hacking Back"

Shlomo Hershkop (Adjunct Professor, University of Pennsylvania)

Date: Thursday, October 25

Time: 9:45am - 10:45am

Session Type: Hot Topic

Vault Recording: TBD

Audience Level: Advanced

Active defense has long been a staple of government security teams to protect the nation-state, but the use of these methods at the enterprise level is a source of great debate. Many in the security community fear unregulated vigilantism, or harsh punishments for penetration testers and "white hat" hackers simply looking for vulnerabilities. Recent legislation at the federal and state levels has been proposed to allow corporations to "hack back" when under threat of persistent attacks, but it is too vague and lacks a clear definition of what "hack back" is. In this session, Columbia University Computer Science Professor Salvatore Stolfo will examine the differing degrees of active defense methods. There are strategies organizations can use to protect their data without becoming vigilantes, breaking laws, destroying systems or posing a threat to personal or public safety.

One of these active defense strategies for organizations to consider is non-lethal knowledge attacks against the adversary utilizing scalable deception technology. In this scenario, AI-powered decoy documents feed phony, but highly believable data to the adversary. The attacker essentially self-selects the knowledge attack response by the actions of hacking and exfiltrating the decoy documents. This creates a level of uncertainty that the adversary has succeeded in stealing something of value. In a knowledge attack, the intruder's systems and devices are not affected or intentionally harmed. The key challenge is to avoid interference with the target victim's business processes. This strategy changes the asymmetry of the defender/attacker game, in favor of the defender, and is entirely legal with respect to current federal and state legislation.

In this session, attendees will learn:
- The varying definitions of active defense, and its potential value in securing data when done carefully.
- How current state, national and international law limits use of active defense strategies.
- How to design real-world strategies for non-lethal active defense to stem corporate data loss without legal risk or making your organization a target for further retaliatory action.

Key Questions for the audience:
- How have we reached a point where we are considering lethal or destructive hack back as a possible national cybersecurity strategy?
- Can attribution of an attack be accurate, disclosable to, and persuasive to others, especially if "others" may include a court?
- What do other countries think of lethal hack back? Are we returning to letters of marque and reprisal?
- How do we assess liability, especially internationally?
- What if the matter of attribution could be sidestepped entirely with a non-lethal approach to active defense?
- What would non-destructive active defense look like and what is the technology behind it?
- What are recent advances in deception technology that are redefining what active defense can achieve?