Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

4/11/2018
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Hack Back: An Eye for an Eye Could Make You Blind

Attackers have had almost zero consequences or cost for stealing data from innocent victims. But what if we could hack their wallets, not their systems?

As Gandhi once said, "An eye for an eye will only make the whole world blind." The same could be said about using "hack back" technology for vengeful purposes, such as security defenders who respond to attackers with the intent to harm their systems. What would happen if we let corporations take cyber justice into their own hands? Critics fear it will make the Internet less safe and unintended harm will be directed at innocent bystanders. But should we live at the mercy of attackers who have more control over our data than we do? Or is it possible to hack back in an ethical and safe way?

Legislation has been proposed in Congress that would make it legal for folks to defend themselves in an attack by hacking back. Even if the language of the legislation is inherently ambiguous, the intent is clear: change the asymmetric cyberwar to at least provide equal footing to the defenders. Attackers have always had the high ground. It's time to change that.

It is understandable that the concept of hacking back has been met with loud opposition by some academics, security professionals, and policy analysts, claiming that it's the worst idea in cybersecurity ever. (That's certainly debatable; purely signature-based antivirus is perhaps worse.) They believe attribution of the true attacker is just not solvable and could lead to mistaken identities or hacking the wrong person. I disagree with these knee-jerk reactions, but that also depends on the definition of hacking back. When there are many sides to an argument, it's important to make sure we're all talking about the same thing.

How to Define Hacking Back
Hacking back is one of the best-kept secrets by some defenders and clearly runs afoul of the Computer Fraud and Abuse Act (CFAA). It is illegal for a defender to probe a remote source IP implicated in an attack on them and exploit any found vulnerabilities to implant code in the abusive machine, even if the defender seeks to recover or destroy stolen data. The cost to the defender is very high, especially if the target of their revenge turns out to be an innocent bystander. Under CFAA, the penalties can be quite stiff.

For these and other reasons, the Active Cyber Defense Certainty Act (ACDC) seeks to limit or entirely eliminate the liability of the corporation that seeks to defend itself and recover its own lost data by retaliatory strikes against the perpetrator. But being certain of the true source of an attack — true attribution — remains elusive and misdirected revenge could do far more harm, even if it is legal. There must be a safer way to legitimately hack back to recover or destroy stolen data.

Target the Attackers' Knowledge, Not Their Systems
Attackers have had almost zero consequences or costs for stealing data from innocent victims. What if we could hack their wallets, but not their systems? The goal of hacking back should be to confound and confuse them, especially attackers who have the primary goal of data exfiltration for monetary gain. Make them pay a price for stealing data from an innocent victim. Cost should now be part of the game.

But how do we do that without causing damage to an innocent bystander who served merely as a stepping stone for the true attack hiding in the shadows? Unmitigated (and vengeful) hacking back plays directly into the hands of the attacker who executes an old school reflector attack, for example. How might we reach past the stepping stones and serve up their just rewards to the true attacker?

One way is by feeding attackers with unbounded, exfiltrated bogus data. This strategy not only makes them think twice about whether they were snookered, but they now have the expense of figuring out what of their quarry actually has any value to them. Of course, the same may be true of nation-state actors; they, too, should not operate freely any longer, even if their goal is nonmonetary.

Deception in Depth
Deception security is a growing marketplace, and it's an obvious choice for safely hacking back (hackbacking?) with outcomes that favor the defender. But the key to successful deployment of deception security must incorporate strategic placement and replenishment of deceptive data throughout the operational networks of the defended enterprise, making it very hard to tell what is real and what isn't for the attacker. Sophisticated attackers do well to identify the "tells" that can be found in honeynets, especially those that lack realistic data and data flows. And if the deceptive data and decoy document generation is automated and architected well, it will be nearly impossible for the attacker to tell if the data is real or not.

For this to work, deceptive materials must be believable, noninterfering with normal operations, conspicuous to the attacker, and plentiful to keep the attackers well fed and deeply frustrated. These guidelines for successful decoy data deployment within operational networks are achievable and could one day become part of any modern security architecture.

Deception and decoy data is clearly a knowledge attack that seems to me to be the best choice to safely hack back. A data deception strategy may work best to feed the attacker with the false sense of accomplishment, but with the real cost of determining what they stole is real or bogus.

Revenge may best be served cold, but defenders can bask in the warmth of knowing their hack-back method, serving tons of decoys, caused the attacker as much frustration and anger as they experienced in the past when their network was pierced, and their corporate data was stolen as reported in the headlines. A knowledge attack is a safer alternative that no one can complain about from a judicial or legal perspective, and certainly no one will go blind to the fact that the defender now has the high ground.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop ITX and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Dr. Salvatore Stolfo is the founder and CTO of Allure Security. As a professor of artificial intelligence at Columbia University since 1979, Dr. Stolfo has spent a career figuring out how people think and how to make computers and systems think like people. Dr. Stolfo has ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Healthcare Industry Sees Respite From Attacks in First Half of 2020
Robert Lemos, Contributing Writer,  8/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: It's a technique known as breaking out of the sandbox kids.
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20383
PUBLISHED: 2020-08-13
ABBYY network license server in ABBYY FineReader 15 before Release 4 (aka 15.0.112.2130) allows escalation of privileges by local users via manipulations involving files and using symbolic links.
CVE-2020-24348
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c.
CVE-2020-24349
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface.
CVE-2020-7360
PUBLISHED: 2020-08-13
An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was r...
CVE-2020-24342
PUBLISHED: 2020-08-13
Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.