Call it hacking back, call it next-generation incident response, but don't call it illegal: that's how security firm Cymmetria frames a new security platform it rolled out today.
Cymmetria's newest deception technology platform, called MazeHunter, lets organizations engage with attackers that infiltrated their network and are operating on their machines. The company calls this "legal hackback," and along with the new tool also published a framework for organizations to determine what types of actions they can perform legally against the attacker in their network, as well as within their risk profile.
The idea for kicking deception and incident response up a notch with legal hack-back came via two of Cymmetria's customers, a Fortune 500 telecommunications firm and a major financial services firm, which separately approached Cymmetria about their interest in hacking back at attackers that had taken over machines in their networks. "They wanted to connect to the computer inside [their] network and steal their toolsets" or perform more proactive incident response tasks, says Gadi Evron, founder and CEO of Cymmetria.
Hacking back has long been a controversial topic in security circles. The act of attacking an attacker head-on outside your network is a high-risk practice that most experts do not recommend because it can quickly backfire or escalate an attack. Not only is it potentially dangerous, it's also illegal in the US under the Computer Fraud and Abuse Act (CFAA) to purposely access a computer without proper authorization. (However, a movement to legalize some form of hacking back was most recently introduced last week by Reps. Kyrsten Sinema, D-Ariz,. and Tom Graves, R-Ga. Their bill, H.R. 4036, the Active Cyber Defense Certainty Act, would amend CFAA.)
"I don't think hacking back is a good thing. I also don't think it's a productive thing to engage with" attackers, says Itzik Kotler, CTO and co-founder of SafeBreach, of hacking hackers outside your network. Attackers can hide behind layers of IP addresses, and abusing others' systems or networks, for instance, can lead to collateral damage in a hack-back situation, he points out.
But Cymmetria says its new "legal hackback" MazeHunter passes CFAA muster because it only allows organizations to attack their own machines within their own network. They can interface live with the attacker camped on their machine, allowing them to feed phony data via deception technology, for example, or access the attacker's tools to thwart further attacks.
"Cymmetria's automated 'Hack Back' allows us to take the fight directly to the enemy, battling them on our own terms," said a senior executive from a telecommunications customer that requested the feature from Cymmetria. "They're on our turf, and we use that to our advantage."
The difference between this form of hacking back and pure incident response, according to Cymmetria, is that MazeHunter lets the victim organization run any payload on the infected machine to engage with the attacker, live. "You don't have to wait for forensics, after the fact. It extends the capabilities of incident response … so you can collect on their toolset, instead of [wondering] 'what are they doing to us?'" Evron explains. It also provides an automated way to contain or mitigate the attack.
Joe Stewart, a security researcher with Cymmetria, says it's also not a manual process like traditional incident response. "In the past, it was 'let's find that machine and send someone over to physically take it down, do forensics or use a tool we can launch,'" he says. "By then, the attacker is gone and you've lost an opportunity" to gain more information or even thwart the attacker's spread, he says.
"Why not just instantly launch our response right then and there … Get on that machine really quickly, get the payloads they have before they delete it" and forensics is built in, he adds. They can launch PowerShell, Metasploit, or other payloads on the attacker in their machine to fight back and thwart the attack, he says.
And unlike hacking back outside the network, the target is known. "They can be more aggressive in their response because they are 100% confident that the machine has a bad actor on it" because they've been employing deception technology and watching the attacker take the bait, for example, he says.
Deception Not Mainstream
But deception technology such as Cymmetria's remains a rarity, adopted mainly by the usual early adopters: government, financial services, and telecommunications providers. The concept isn't new: honeypot lures have been around in the research field for years. But a wave of deception technology startups such as Cymmetria, Illusive Networks, and TrapX, as well as veteran security firms, offer commercial products that allow organizations to be a bit more aggressive in their defenses with phony devices or fake data to lure and catch attackers in action.
[Hear INGuardians' John Sawyer discuss "Using Offensive Tools to Improve Enterprise Cyber Defense" at the INSecurity conference at National Harbor, Md., on Wed., Nov. 29. Register here.]
The so-called legal hack-back approach now offered by Cymmetria takes deception and incident response to the next level. Even so, most organizations are still mainly concerned with minimizing the damage and getting back to business after an attack.
John Sawyer, senior managing researcher with INGuardians, says in most incident response cases, victims are all about returning to normalcy: "The primary goal is to make sure data didn't get stolen and equipment is back online. It's not about attribution; that's a little harder," he says, although some organizations would like to know who was behind their security incident.
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.