On Law Enforcement's Role in Fighting Cybercrime


The FBI last month was authorized to remove malicious Web shells from machines running on-premises versions of Microsoft Exchange Server, a move that caught the eyes of cybersecurity pros and sparked a conversation about the government's role in responding to these attacks.

This operation, which specifically authorized the activity for email servers in the United States, was announced some six weeks after Microsoft disclosed critical Exchange Server vulnerabilities that have since been used to target thousands of networks around the world. An attacker could chain the flaws together to compromise an exposed server and steal data, among other actions.

These infections commonly start with deploying a Web shell, which adversaries can later use to communicate with target machines and distribute files to infect them with additional malware. While many admins of target systems were able to successfully remove these Web shells from thousands of devices, others didn't. Web shells persisted, unmitigated, on some target servers.

They soon became the object of an FBI operation that removed the remaining Web shells of an early hacking group. The Web shells could have been used to "maintain and escalate persistent, unauthorized access to U.S. networks," the Justice Department wrote in a statement. Officials conducted the removal by issuing a command through the Web shell to the server, designed to cause the server to delete only the Web shell, as identified by its unique file path.

It's important to note that while the FBI copied and removed Web shells, it did not patch any of the vulnerabilities, nor did it search for or remove additional malware or hacking tools that may have been present on target servers. Officials said they were attempting to contact the owners and operators of infected machines following the operation; they did not give advance notice.

The FBI has been involved in several operations against cybercrime. Officials most recently teamed up with global law enforcement agencies to bring down the Emotet botnet.

But this operation, in which the FBI was present on enterprise servers without the owners' knowledge, caught the eyes of many. It feels different from law enforcement dismantling a botnet, which often involves tracking a command-and-control server that the bots communicate with, disrupting communication, and gaining control over it.

"That's a nuanced difference, but it's a little different than the FBI specifically knowing endpoints that are compromised, remoting in, and deleting a Web shell," says Katie Nickels, threat intelligence director at Red Canary, who feels "pretty divided" about the operation.

For Nickels, and for many defenders, it was difficult in early March to see so many organizations compromised in the Exchange Server attacks. Security practitioners know there are teams that aren't current on security news and don't know to patch or detect Web shells, she explains. It's frustrating, as a defender, to know all these businesses are going to be compromised and not know about it.

"Part of me as a defender is really happy that someone is trying to help these organizations remove a Web shell," she says. "Of course, there's the other side: What kind of precedent does this set, allowing law enforcement to go into a computer ... what kind of precedent does that set for the future? When could these operations take actions in the future, and what could be the implications of that? That's the other side."

"I feel squarely torn, and that's what I've heard from most people," Nickels adds. In the past few months, as the world learned about SolarWinds and the Exchange Server attacks, the security community has seen a growing disparity between organizations prepared to face these incidents and those that aren't, and a need to help lacking companies protect themselves.

A Goal of Disrupting the Adversary
Law enforcement's role in cybercrime is an intricate matter because much of this has never been done before, legislation hasn't caught up with technology, and things move quickly, says Shawn Henry, president of CrowdStrike Services and former FBI executive assistant director. Employees in the private sector are often defending against trained military professionals.

"There's so many complexities there, and that's why these things are never easy," he says of navigating the myriad laws, issues, amendments, and ramifications of intervening. "If I [believe] the government's primary responsibility is to protect the citizens, I think that their role in a case like this is to disrupt infrastructure. That is an area that the government can have success in."

The government's role in fighting crime is often focused on deterrence. In the physical world, this could mean seizing assets bought with stolen funds, bank accounts used to launder money, and warehouses and other facilities used to store and sell illicit products. Criminals can't operate in an environment where their infrastructure is destroyed and their return on investment drops.

Henry applies the same concept to cybersecurity, an area in which attackers "are operating with impunity" and often out of places where the host country can't be expected to intervene.
