
Attacks/Breaches

10/24/2017
09:00 AM

New Tool Debuts for Hacking Back at Hackers in Your Network

Deception technology firm Cymmetria offers a new offense option for defenders.

Call it hacking back, call it next-generation incident response, but don't call it illegal: that's how security firm Cymmetria frames a new security platform it rolled out today.

Cymmetria's newest deception technology platform, called MazeHunter, lets organizations engage with attackers that infiltrated their network and are operating on their machines. The company calls this "legal hackback," and along with the new tool also published a framework for organizations to determine what types of actions they can perform legally against the attacker in their network, as well as within their risk profile.

The idea for kicking deception and incident response up a notch with legal hack-back came via two of Cymmetria's customers, a Fortune 500 telecommunications firm and a major financial services firm, which separately approached Cymmetria about their interest in hacking back at attackers that had taken over machines in their networks. "They wanted to connect to the computer inside [their] network and steal their toolsets" or perform more proactive incident response tasks, says Gadi Evron, founder and CEO of Cymmetria.

Hacking back has long been a controversial topic in security circles. The act of attacking an attacker head-on outside your network is a high-risk practice that most experts do not recommend because it can quickly backfire or escalate an attack. Not only is it potentially dangerous, it's also illegal in the US under the Computer Fraud and Abuse Act (CFAA) to purposely access a computer without proper authorization. (However, a movement to legalize some form of hacking back was most recently introduced last week by Reps. Kyrsten Sinema, D-Ariz., and Tom Graves, R-Ga. Their bill, H.R. 4036, the Active Cyber Defense Certainty Act, would amend CFAA.)

"I don't think hacking back is a good thing. I also don't think it's a productive thing to engage with" attackers, says Itzik Kotler, CTO and co-founder of SafeBreach, of hacking hackers outside your network. Attackers can hide behind layers of IP addresses, and abusing others' systems or networks, for instance, can lead to collateral damage in a hack-back situation, he points out.

But Cymmetria says its new "legal hackback" MazeHunter passes CFAA muster because it only allows organizations to attack their own machines within their own network. They can interface live with the attacker camped on their machine, allowing them to feed phony data via deception technology, for example, or access the attacker's tools to thwart further attacks.

"Cymmetria's automated 'Hack Back' allows us to take the fight directly to the enemy, battling them on our own terms," said a senior executive from a telecommunications customer that requested the feature from Cymmetria. "They're on our turf, and we use that to our advantage."

The difference between this form of hacking back and pure incident response, according to Cymmetria, is that MazeHunter lets the victim organization run any payload on the infected machine to engage with the attacker, live. "You don't have to wait for forensics, after the fact. It extends the capabilities of incident response … so you can collect on their toolset, instead of [wondering] 'what are they doing to us?'" Evron explains. It also provides an automated way to contain or mitigate the attack.

Joe Stewart, a security researcher with Cymmetria, says it's also not a manual process like traditional incident response. "In the past, it was 'let's find that machine and send someone over to physically take it down, do forensics or use a tool we can launch,'" he says. "By then, the attacker is gone and you've lost an opportunity" to gain more information or even thwart the attacker's spread, he says.

"Why not just instantly launch our response right then and there … Get on that machine really quickly, get the payloads they have before they delete it" and forensics is built in, he adds. They can launch PowerShell, Metasploit, or other payloads on the attacker in their machine to fight back and thwart the attack, he says.

And unlike hacking back outside the network, the target is known. "They can be more aggressive in their response because they are 100% confident that the machine has a bad actor on it" because they've been employing deception technology and watching the attacker take the bait, for example, he says.

Deception Not Mainstream

But deception technology such as Cymmetria's remains a rarity, adopted mainly by the usual early adopters: government, financial services, and telecommunications providers. The concept isn't new: honeypot lures have been around in the research field for years. But a wave of deception technology startups such as Cymmetria, Illusive Networks, and TrapX, as well as veteran security firms, offer commercial products that allow organizations to be a bit more aggressive in their defenses with phony devices or fake data to lure and catch attackers in action.
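The confidence the article describes, a defender knowing a machine is hostile because it "took the bait", comes from a simple property of deception: a decoy credential has no legitimate user, so any use of it is an intrusion signal. The following is an added illustration of that principle, not Cymmetria's code or anything from MazeHunter (whose internals the article does not describe). It plants a randomly named decoy account, scans sshd-style auth log lines (the log format, hostnames and addresses are constructed for the example) for any attempt to use it, and reports the internal source address of each attempt, which is the machine the intruder is operating from.

```python
"""Honeytoken (decoy credential) detection: an added example of the deception
principle discussed above. Not Cymmetria's code; the log format, hostnames and
addresses below are constructed for illustration."""
import re
import secrets
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Honeytoken:
    """A decoy credential planted where only an intruder would find it."""
    username: str
    planted_on: str  # hostname of the machine holding the decoy


def make_honeytoken(planted_on: str, prefix: str = "svc-") -> Honeytoken:
    """Random suffix keeps the decoy unguessable; no legitimate process ever uses it."""
    return Honeytoken(f"{prefix}{secrets.token_hex(4)}", planted_on)


# sshd-style "Accepted/Failed password" events; this format is an assumption of the example.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Alert:
    token: Honeytoken
    source_ip: str    # internal machine the attempt came from: the compromised host
    target_host: str  # host on which the decoy credential was tried
    succeeded: bool


def detect_honeytoken_use(log_lines: Iterable[str], tokens: Iterable[Honeytoken]) -> list[Alert]:
    """Return one Alert per auth event that names a decoy user, failed or not."""
    by_user = {t.username: t for t in tokens}
    alerts: list[Alert] = []
    for line in log_lines:
        m = AUTH_RE.match(line)
        if not m:
            continue  # not an auth event we understand
        tok = by_user.get(m["user"])
        if tok is None:
            continue  # ordinary account activity, not a decoy
        alerts.append(Alert(tok, m["src"], m["host"], m["result"] == "Accepted"))
    return alerts


def compromised_hosts(alerts: Iterable[Alert]) -> list[str]:
    """Source addresses that touched a decoy: each is a machine an intruder controls."""
    return sorted({a.source_ip for a in alerts})


# Constructed sample: decoy planted on fileserver01, later tried against db01 from 10.0.5.23.
SAMPLE_TOKEN = Honeytoken("svc-4f9a21c7", "fileserver01")
SAMPLE_LOG = [
    "Oct 24 09:01:12 db01 sshd[2231]: Accepted password for alice from 10.0.1.10 port 50122 ssh2",
    "Oct 24 09:03:40 db01 sshd[2290]: Failed password for svc-4f9a21c7 from 10.0.5.23 port 41002 ssh2",
    "Oct 24 09:03:47 db01 sshd[2290]: Accepted password for svc-4f9a21c7 from 10.0.5.23 port 41002 ssh2",
    "Oct 24 09:05:02 web02 sshd[1911]: Failed password for bob from 10.0.1.44 port 52100 ssh2",
]

if __name__ == "__main__":
    found = detect_honeytoken_use(SAMPLE_LOG, [SAMPLE_TOKEN])
    for a in found:
        print(f"decoy {a.token.username} (planted on {a.token.planted_on}) used from "
              f"{a.source_ip} against {a.target_host}, success={a.succeeded}")
    print("hosts to isolate:", compromised_hosts(found))
```

The alert fires on the failed attempt as well as the successful one: the decoy name should never appear in an auth log at all, so a single mention is enough to mark the source host for containment, which is the "known target" advantage the article attributes to deception-driven response.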


The so-called legal hack-back approach now offered by Cymmetria takes deception and incident response to the next level. Even so, most organizations are still mainly concerned with minimizing the damage and getting back to business after an attack.

John Sawyer, senior managing researcher with INGuardians, says in most incident response cases, victims are all about returning to normalcy: "The primary goal is to make sure data didn't get stolen and equipment is back online. It's not about attribution; that's a little harder," he says, although some organizations would like to know who was behind their security incident. 


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

dono_ns (User Rank: Apprentice), 10/27/2017 | 2:01:05 AM
Re: Wondered why didn't fire with fire?
Many of the tools that we use have open source options that you can start with. Tools include Nexpose, Alienvault, TinyWall, etc. You just have not looked.

jenshadus (User Rank: Strategist), 10/26/2017 | 3:15:22 PM
Wondered why didn't fire with fire?
I love all this new technology. Too bad that short of building my own honeypot at home, there aren't tools available for home use. Or are there?