by Dr. Sven Herpig and Max Heinemeyer
Active Cyber Defense is coming to the European Union. The EU is currently working on an update of its Network and Information Security Directive (NIS Directive) which, inter alia, includes a provision on active cyber defense. In other places, such as the United States, the United Kingdom and even member states of the European Union, such as Germany, debates about active cyber defense have been conducted for several years with varying degrees of maturity. For European member states that have not done so already, it is now time to better understand active cyber defense, its implications, and develop a position regarding whether (and to what extent) they want to adapt a corresponding framework.
Active cyber defense is understood by the authors as one or more technical measures implemented by an individual state or collectively, carried out or mandated by a government entity with the goal to technically neutralize and/or mitigate the impact of and/or attribute technically a specific ongoing malicious cyber operation or campaign.
While the advantages and disadvantages of such operations are often viewed controversially, it has become evident that active cyber operations are increasingly being conducted as part of states’ strategic vision in cyberspace. This represents a paradigm shift for many countries in how they attempt to counter cyber operations. This article presents a set of criteria to help evaluate active cyber defense operations both before and after they are carried out. Subsequently, the criteria are applied to the case study of the FBI web shell removal in the wake of the Hafnium Microsoft Exchange operation in early 2021. The FBI was able to prevent some immediate damage to US companies and institutions by deploying active cyber defense measures, but those companies and institutions remained vulnerable afterwards – it was not a one-time fix.
Digitization and the evolving threat landscape drive governments to look for new approaches
Governments feel that their current approaches are not working in keeping the country safe and that new methods, such as active cyber defense operations, need to be explored further. Countries are looking at active cyber defense operations as an option to better deal with the escalating threat landscape of recent years. The threat landscape has changed significantly and digitization across the globe has accelerated, including critical infrastructures such as hospitals or energy systems.
In the last five years, cyber operations took place that were unprecedented in terms of scale, professionalization, speed, sophistication, and damage done. The paradigm shift in response to malicious cyber activities is a reaction to the paradigm shift experienced in the threat landscape.
Current key trends in the threat landscape include:
- Professionalization of ransomware (Conti, BlackMatter, REvil, Maze, Ryuk, GandCrab)
- Broader-scale software supply chain operations, partially with direct impact on business continuity (SolarWinds, Kaseya, Nobelium). The Kaseya attack was a rare example of cyber-crime leveraging the supply chain, whereas in the past it was mainly politically motivated Advanced Persistent Threats (APTs) that did so (e.g. Cloud Hopper)
- The use of zero-day vulnerabilities against broad ranges of infrastructure instead of using them for targeted access only (Hafnium Exchange ProxyShell attack)
- Large-scale state-sponsored espionage campaigns (Hafnium, Nobelium)
- Malicious cyber activities having a large-scale physical impact (Colonial Pipeline operation, Black Energy 3, Italian COVID Schedule Website, Electronic School Register operation)
- Disruptive malicious cyber activities not only impacting big and highly visible organisations, but increasingly small and medium-sized businesses that usually lack the resources to implement sufficient IT security controls
- Utilizing malicious cyber activities for the subversion of democratic processes
- Destructive worming malware that acts indiscriminately (WannaCry, NotPetya)
The trends in the threat landscape are partially enabled by the growing digitization of businesses. Digitization, in this context, covers areas such as the increased use of digital infrastructure, shifts to cloud computing, Bring-Your-Own-Device (BYOD) policies, the dynamic workforce, the convergence of IT and Operational Technology (OT), and the use of digital supply chains. Growing digitization is generally positive for business growth and for innovation, but it often comes at the cost of increasing complexity in IT landscapes and greater dependency on the cyber security of those IT systems.
As many governments feel that their current approaches to cyber security do not address the new threat landscape sufficiently, they are looking at new ways to bolster their national security. One of those instruments is active cyber defense. The FBI web shell removal is one of the most significant cases of such an operation in terms of intrusiveness into non-governmental IT systems, scale, speed of response, and supposed success.
Was the FBI active cyber defense operation ‘acceptable’?
The removal of web shells by the FBI is an interesting case study for the assessment of active cyber defense operations. So what happened? On March 2, 2021, Microsoft disclosed that a “state-sponsored threat actor [… (Hafnium) operating from China has …] engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software.” This and other malicious campaigns were able to intrude into servers via the ProxyLogon vulnerabilities and install web shells on them. Despite the availability of the patches and the advisory, “hundreds of vulnerable computers in the United States” were not patched, and the respective companies did not remove the web shells. The FBI requested a search-and-seizure warrant that would enable the agency to remotely remove the web shells because the agency believed “that the owners of the still-compromised web servers did not have the technical ability to remove them on their own and that the shells posed a significant risk to the victim” and, more generally, “threaten[ed] the national security and public safety of the American people and our international partners.” The FBI then employed remote access methods to search and access previously identified file paths on servers in the United States, using passwords that were known, had been detected, and were commonly used by the operators of the malicious cyber campaign. In the process, the agency created copies of the web shells for evidence and then “executed a command to uninstall the web shell from the compromised server.”
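The sequence described above (locate a web shell at known file paths, preserve a copy as evidence, then remove it) reduced to a local defensive triage script an administrator could run on their own web root. This is an added example, not FBI, court or Microsoft tooling; the web root, file names and the indicator patterns it matches are constructed assumptions rather than signatures from the operation.

```python
"""Local web shell triage: flag, preserve as evidence, then remove (added example)."""
import hashlib
import json
import re
import shutil
import tempfile
from pathlib import Path

# Assumed indicator classes for ASPX web shells, not a complete signature set:
# (1) the page reads a request parameter, (2) it hands data to an evaluator
# or process launcher. A file is flagged only when BOTH classes match.
WEBSHELL_PATTERNS = [
    re.compile(r'Request\s*[\[(]\s*"\w+"\s*[\])]', re.I),
    re.compile(r'\b(eval|Process\.Start|ProcessStartInfo|JScript\.Eval)\b', re.I),
]


def is_suspicious(path: Path) -> bool:
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return False
    return all(p.search(text) for p in WEBSHELL_PATTERNS)


def triage(webroot: Path, evidence_dir: Path, remove: bool = False) -> list:
    """Scan *.aspx under webroot, copy hits to evidence_dir with a SHA-256 manifest,
    and remove the originals only when remove=True (review the manifest first)."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    findings = []
    for f in sorted(webroot.rglob("*.aspx")):
        if not is_suspicious(f):
            continue
        digest = hashlib.sha256(f.read_bytes()).hexdigest()
        copy = evidence_dir / f"{digest}_{f.name}"
        shutil.copy2(f, copy)  # evidentiary copy taken BEFORE any removal
        if remove:
            f.unlink()
        findings.append({"path": str(f), "sha256": digest, "evidence": str(copy),
                         "evidence_present": copy.exists(),
                         "original_remains": f.exists()})
    (evidence_dir / "manifest.json").write_text(json.dumps(findings, indent=2))
    return findings


def demo() -> list:
    """Throwaway web root with one benign page and one constructed shell-like page."""
    root = Path(tempfile.mkdtemp())
    web = root / "wwwroot"
    web.mkdir()
    (web / "logon.aspx").write_text('<%@ Page Language="C#" %><html>login</html>')
    (web / "help.aspx").write_text(  # constructed sample, not a real shell
        '<%@ Page Language="C#" %><% Process.Start(Request["cmd"]); %>')
    return triage(web, root / "evidence", remove=True)
```

Run `triage(webroot, evidence_dir)` without `remove=True` first so the manifest can be reviewed, since the removal step, like the FBI operation, leaves the underlying vulnerability unpatched.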
An active cyber defense operation can be assessed against different criteria. The following assessment helps to answer the question of whether an operation is ‘acceptable’. ‘Acceptable’ in this context means how far a (proposed) active cyber defense operation will (likely) ultimately do more good than harm without overstepping legal, geopolitical, and technical boundaries while taking only appropriate risks where necessary. The exact limits of these parameters depend on the implementing country and the context of the operation. Additionally, the exact outcomes and (potentially unintended) impact of an operation can only fully be understood after the operation has concluded.
Ultimately, would a decision-maker, who has to approve the operation and can be held accountable for its outcomes, find the parameters of the active cyber defense operation ‘acceptable’?
An assessment regarding the acceptability of this operation can be done by evaluating it against a framework published by one of the authors. Based on that framework, the removal of the Hafnium web shells checks many of the right boxes. The law enforcement operation took place with a clear scope in the jurisdiction of the implementing agency (‘blue space’) and with previous judicial authorization to mitigate further damage stemming from an ongoing malicious cyber campaign—and, therefore, was likely in the public interest. Although the FBI deployed (in an at least semi-autonomous way) intrusive measures that may have also affected critical infrastructure, the agency consulted with an independent technical expert before implementing the operation. From the risk and risk-mitigation point of view, the only complaint is the ex-post notifications, which denied the targets, especially potential critical infrastructure, an opt-out or other precautions. How effective the operation was is more difficult to determine, but it was likely a tactical success. Because the operation removed only the web shells and did not patch the vulnerability (which would technically have been possible), it left the companies vulnerable to re-exploitation. However, the operation increased the threshold for that to happen. At the same time, the tools provided by the vendor were circulated by the government, and the targets of the web shell removal were informed; thus, they were aware and could patch their systems and infrastructure themselves. Weighing the risks, risk mitigation and effectiveness of the operation based on public information, it seems that the removal of the Hafnium web shell was an acceptable active cyber operation.
Active Cyber Defense: No panacea
The threat landscape is constantly changing. However, this is more true in terms of geopolitics and attack surfaces than in terms of technical underpinnings. Geopolitically, the focus has shifted from state-sponsored espionage campaigns to ransomware-driven cybercrime, although the former has not slowed down at all. As more and more services get digitized and new technologies such as machine learning make it to the core of our everyday life, securing their attack surfaces and supply chains becomes crucial. The way malicious cyber activities are conducted, though getting more professional every year, has not fundamentally changed – but they are happening at a faster pace and are impacting significantly more organisations than in previous years.
It is not the case that companies and other organisations have suddenly become less able to withstand crime, espionage, and other malicious activities if they put their minds to it and focus on IT security and resilience. Facing the current threat landscape, governments are increasingly toying with the idea of, or even implementing, active cyber defense operations to address the increased impact and breadth of malicious activities, knowing full well that it will not serve as a panacea.
However, there may be occasions where a well-planned and executed active cyber defense operation will neutralize or mitigate the effects of malicious cyber activity and/or help attribute it and therefore bolster national security as an addition to IT security and resilience measures. For those cases, governments need to have a sound framework with strong safeguards to enable the safe deployment of limited active cyber defense measures. We recently published a study on how the framework and safeguards could look and hope that it will contribute to the active cyber defense policy debates around the globe.
Sven Herpig is the Director for International Cyber Security Policy at Stiftung Neue Verantwortung e.V. (SnV Berlin).
Max Heinemeyer is Director of Threat Hunting at Darktrace.