Attacks/Breaches

10/24/2017
09:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Tool Debuts for Hacking Back at Hackers in Your Network

Deception technology firm Cymmetria offers a new offense option for defenders.

Call it hacking back, call it next-generation incident response, but don't call it illegal: that's how security firm Cymmetria frames a new security platform it rolled out today.

Cymmetria's newest deception technology platform, called MazeHunter, lets organizations engage with attackers that infiltrated their network and are operating on their machines. The company calls this "legal hackback," and along with the new tool also published a framework for organizations to determine what types of actions they can perform legally against the attacker in their network, as well as within their risk profile.

The idea for kicking deception and incident response up a notch with legal hack-back came via two of Cymmetria's customers, a Fortune 500 telecommunications firm and a major financial services firm, which separately approached Cymmetria about their interest in hacking back at attackers that had taken over machines in their networks. "They wanted to connect to the computer inside [their] network and steal their toolsets" or perform more proactive incident response tasks, says Gadi Evron, founder and CEO of Cymmetria.

Hacking back has long been a controversial topic in security circles. The act of attacking an attacker head-on outside your network is a high-risk practice that most experts do not recommend because it can quickly backfire or escalate an attack. Not only is it potentially dangerous, it's also illegal in the US under the Computer Fraud and Abuse Act (CFAA) to purposely access a computer without proper authorization. (However, a movement to legalize some form of hacking back was most recently introduced last week by Reps. Kyrsten Sinema, D-Ariz,. and Tom Graves, R-Ga. Their bill, H.R. 4036, the Active Cyber Defense Certainty Act, would amend CFAA.)  

"I don't think hacking back is a good thing. I also don't think it's a productive thing to engage with" attackers, says Itzik Kotler, CTO and co-founder of SafeBreach, of hacking hackers outside your network. Attackers can hide behind layers of IP addresses, and abusing others' systems or networks, for instance, can lead to collateral damage in a hack-back situation, he points out.

But Cymmetria says its new "legal hackback" MazeHunter passes CFAA muster because it only allows organizations to attack their own machines within their own network. They can interface live with the attacker camped on their machine, allowing them to feed phony data via deception technology, for example, or access the attacker's tools to thwart further attacks.

"Cymmetria's automated 'Hack Back' allows us to take the fight directly to the enemy, battling them on our own terms," said a senior executive from a telecommunications customer that requested the feature from Cymmetria. "They're on our turf, and we use that to our advantage."

The difference between this form of hacking back and pure incident response, according to Cymmetria, is that MazeHunter lets the victim organization run any payload on the infected machine to engage with the attacker, live. "You don't have to wait for forensics, after the fact. It extends the capabilities of incident response … so you can collect on their toolset, instead of [wondering] 'what are they doing to us?'" Evron explains. It also provides an automated way to contain or mitigate the attack.

Joe Stewart, a security researcher with Cymmetria, says it's also not a manual process like traditional incident response. "In the past, it was 'let's find that machine and send someone over to physically take it down, do forensics or use a tool we can launch,'" he says. "By then, the attacker is gone and you've lost an opportunity" to gain more information or even thwart the attacker's spread, he says.

"Why not just instantly launch our response right then and there … Get on that machine really quickly, get the payloads they have before they delete it" and forensics is built in, he adds. They can launch PowerShell, Metasploit, or other payloads on the attacker in their machine to fight back and thwart the attack, he says.

And unlike hacking back outside the network, the target is known. "They can be more aggressive in their response because they are 100% confident that the machine has a bad actor on it" because they've been employing deception technology and watching the attacker take the bait, for example, he says.

Deception Not Mainstream

But deception technology such as Cymmetria's remains a rarity, adopted mainly by the usual early adopters: government, financial services, and telecommunications providers. The concept isn't new: honeypot lures have been around in the research field for years. But a wave of deception technology startups such as Cymmetria, Illusive Networks, and TrapX, as well as veteran security firms, offer commercial products that allow organizations to be a bit more aggressive in their defenses with phony devices or fake data to lure and catch attackers in action.

[Hear INGuardians' John Sawyer discuss "Using Offensive Tools to Improve Enterprise Cyber Defense" at the INSecurity conference at National Harbor, Md., on Wed., Nov. 29. Register here.]

The so-called legal hack-back approach now offered by Cymmetria takes deception and incident response to the next level. Even so, most organizations are still mainly concerned with minimizing the damage and getting back to business after an attack.

John Sawyer, senior managing researcher with INGuardians, says in most incident response cases, victims are all about returning to normalcy: "The primary goal is to make sure data didn't get stolen and equipment is back online. It's not about attribution; that's a little harder," he says, although some organizations would like to know who was behind their security incident. 

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
dono_ns
50%
50%
dono_ns,
User Rank: Apprentice
10/27/2017 | 2:01:05 AM
Re: Wondered why didn't fire with fire?
Many of the tools that we use have open source options that you can start with. Tools include, Nexpose, Alienvault,TinyWall etc etc. You just have not looked.
jenshadus
50%
50%
jenshadus,
User Rank: Strategist
10/26/2017 | 3:15:22 PM
Wondered why didn't fire with fire?
I love all this new technology.  Too bad that short of building my own honeypot at home, there aren't tools available for home use.  Or are there?
'Shift Left' & the Connected Car
Rohit Sethi, COO of Security Compass,  6/12/2018
Microsoft Fixes 11 Critical, 39 Important Vulns
Kelly Sheridan, Staff Editor, Dark Reading,  6/12/2018
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12578
PUBLISHED: 2018-06-19
There is a heap-based buffer overflow in bmp_compress1_row in appliers.cpp in sam2p 0.49.4 that leads to a denial of service or possibly unspecified other impact.
CVE-2018-1061
PUBLISHED: 2018-06-19
python before versions 2.7.15, 3.4.9, 3.5.6 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.
CVE-2018-1073
PUBLISHED: 2018-06-19
The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts.
CVE-2018-12557
PUBLISHED: 2018-06-19
An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offline during the build, the no_log attribute of a task is ignored. If the unreachable error occurred in a task used with a loop variable (e.g., with_items), the contents of the loop items would be printed in the console. This could ...
CVE-2018-12559
PUBLISHED: 2018-06-19
An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. The mount target path check in mounter.cpp `mpOk()` is insufficient. A regular user can consequently mount a CIFS filesystem anywhere (e.g., outside of the /home directory tree) by passing directory traversal sequ...