Attacks/Breaches
10/24/2017
09:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Tool Debuts for Hacking Back at Hackers in Your Network

Deception technology firm Cymmetria offers a new offense option for defenders.

Call it hacking back, call it next-generation incident response, but don't call it illegal: that's how security firm Cymmetria frames a new security platform it rolled out today.

Cymmetria's newest deception technology platform, called MazeHunter, lets organizations engage with attackers that infiltrated their network and are operating on their machines. The company calls this "legal hackback," and along with the new tool also published a framework for organizations to determine what types of actions they can perform legally against the attacker in their network, as well as within their risk profile.

The idea for kicking deception and incident response up a notch with legal hack-back came via two of Cymmetria's customers, a Fortune 500 telecommunications firm and a major financial services firm, which separately approached Cymmetria about their interest in hacking back at attackers that had taken over machines in their networks. "They wanted to connect to the computer inside [their] network and steal their toolsets" or perform more proactive incident response tasks, says Gadi Evron, founder and CEO of Cymmetria.

Hacking back has long been a controversial topic in security circles. The act of attacking an attacker head-on outside your network is a high-risk practice that most experts do not recommend because it can quickly backfire or escalate an attack. Not only is it potentially dangerous, it's also illegal in the US under the Computer Fraud and Abuse Act (CFAA) to purposely access a computer without proper authorization. (However, a movement to legalize some form of hacking back was most recently introduced last week by Reps. Kyrsten Sinema, D-Ariz,. and Tom Graves, R-Ga. Their bill, H.R. 4036, the Active Cyber Defense Certainty Act, would amend CFAA.)  

"I don't think hacking back is a good thing. I also don't think it's a productive thing to engage with" attackers, says Itzik Kotler, CTO and co-founder of SafeBreach, of hacking hackers outside your network. Attackers can hide behind layers of IP addresses, and abusing others' systems or networks, for instance, can lead to collateral damage in a hack-back situation, he points out.

But Cymmetria says its new "legal hackback" MazeHunter passes CFAA muster because it only allows organizations to attack their own machines within their own network. They can interface live with the attacker camped on their machine, allowing them to feed phony data via deception technology, for example, or access the attacker's tools to thwart further attacks.

"Cymmetria's automated 'Hack Back' allows us to take the fight directly to the enemy, battling them on our own terms," said a senior executive from a telecommunications customer that requested the feature from Cymmetria. "They're on our turf, and we use that to our advantage."

The difference between this form of hacking back and pure incident response, according to Cymmetria, is that MazeHunter lets the victim organization run any payload on the infected machine to engage with the attacker, live. "You don't have to wait for forensics, after the fact. It extends the capabilities of incident response … so you can collect on their toolset, instead of [wondering] 'what are they doing to us?'" Evron explains. It also provides an automated way to contain or mitigate the attack.

Joe Stewart, a security researcher with Cymmetria, says it's also not a manual process like traditional incident response. "In the past, it was 'let's find that machine and send someone over to physically take it down, do forensics or use a tool we can launch,'" he says. "By then, the attacker is gone and you've lost an opportunity" to gain more information or even thwart the attacker's spread, he says.

"Why not just instantly launch our response right then and there … Get on that machine really quickly, get the payloads they have before they delete it" and forensics is built in, he adds. They can launch PowerShell, Metasploit, or other payloads on the attacker in their machine to fight back and thwart the attack, he says.

And unlike hacking back outside the network, the target is known. "They can be more aggressive in their response because they are 100% confident that the machine has a bad actor on it" because they've been employing deception technology and watching the attacker take the bait, for example, he says.

Deception Not Mainstream

But deception technology such as Cymmetria's remains a rarity, adopted mainly by the usual early adopters: government, financial services, and telecommunications providers. The concept isn't new: honeypot lures have been around in the research field for years. But a wave of deception technology startups such as Cymmetria, Illusive Networks, and TrapX, as well as veteran security firms, offer commercial products that allow organizations to be a bit more aggressive in their defenses with phony devices or fake data to lure and catch attackers in action.

[Hear INGuardians' John Sawyer discuss "Using Offensive Tools to Improve Enterprise Cyber Defense" at the INSecurity conference at National Harbor, Md., on Wed., Nov. 29. Register here.]

The so-called legal hack-back approach now offered by Cymmetria takes deception and incident response to the next level. Even so, most organizations are still mainly concerned with minimizing the damage and getting back to business after an attack.

John Sawyer, senior managing researcher with INGuardians, says in most incident response cases, victims are all about returning to normalcy: "The primary goal is to make sure data didn't get stolen and equipment is back online. It's not about attribution; that's a little harder," he says, although some organizations would like to know who was behind their security incident. 

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
dono_ns
50%
50%
dono_ns,
User Rank: Apprentice
10/27/2017 | 2:01:05 AM
Re: Wondered why didn't fire with fire?
Many of the tools that we use have open source options that you can start with. Tools include, Nexpose, Alienvault,TinyWall etc etc. You just have not looked.
jenshadus
50%
50%
jenshadus,
User Rank: Strategist
10/26/2017 | 3:15:22 PM
Wondered why didn't fire with fire?
I love all this new technology.  Too bad that short of building my own honeypot at home, there aren't tools available for home use.  Or are there?
Microsoft Word Vuln Went Unnoticed for 17 Years: Report
Kelly Sheridan, Associate Editor, Dark Reading,  11/14/2017
Companies Blindly Believe They've Locked Down Users' Mobile Use
Dawn Kawamoto, Associate Editor, Dark Reading,  11/14/2017
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.