If the sheer volume of alerts you face daily or the massive damage from hacks, like the ones that dominate headlines, have driven you to the point of contemplating the available hacking-back options, let’s take a step back for a second. In the long-running debate about the legalities, ethics, and tactics of hacking back and its more politically correct cousin, “active defense,” it can be easy to let anxiety and even ego fuel a passionate “pro” viewpoint.
Entering a private network without permission is illegal, whether you are the hacker or the hacked, according to the terms of the Computer Fraud and Abuse Act. Anything we can do within our own networks and on our own devices is defensible—honeypots, mobile-device kill switches, forensic preservation, and the like are legit.
But first things first: strategy, then tactics. As the oft-quoted Sun Tzu notes in The Art of War, it’s vitally important to know your enemy and, more importantly, to know yourself. In theory, you already have access to all the information you need to fully understand what constitutes normal activity within your enterprise network, and today’s enemy is not the stereotypical basement dweller from days of yore.
So you want to pick a fight with North Korea?
This winter’s Sony Pictures Entertainment breach was a bracing reminder that we are operating at a whole new level in information security now—and it is definitely no game we’re playing. Whether you agree with the FBI or the private sector on attribution, the fact remains: the bad guys are in our networks, they know how to hide there for months or even years, and they can unleash some devastating results when they’re ready.
For those of us protecting sensitive data (and that’s all of us), here’s the critical question: Do you want to risk engaging your company and its reputation in an ego-fueled war of revenge, or do you want to cut the bad guys off at the pass and maybe even sic the feds on them? Doing the latter requires keeping operations above board in the eyes of federal law enforcement agencies and that means not breaking into a network without permission. After all, the “But they started it!” defense doesn’t stand up any better in court than it did with your third-grade teacher.
Given that many attackers commandeer and corrupt the infrastructure of innocent third parties to obfuscate the trail, that IP address you hunted down may not represent the actual cyber attacker. So how can you be sure you’re hacking back (excuse me, actively defending against) the actual criminals? There’s no way to know whether your team of four infosec pros is, in fact, attempting to out-hack a force of 20,000 people like the People’s Liberation Army Unit 61398, or erroneously striking out at an innocent ISP. In fact, hacking back carries tremendous potential for unleashing dire and completely unforeseen consequences.
A cyber forensic specialist I know who has had the rare privilege of speaking at a Congressional hearing on cyber crime once told me, “The real problem is that most companies don’t understand their own environments. If they did get hacked, they couldn’t say what had been touched. The most critical thing to do is to understand your own environment.” I like to refer to the concept as “inside-out security.”
Ensuring you have visibility into any unusual activity occurring on your network and its endpoints is the first step toward pinpointing that activity and its root cause. So what’s required in order to be able to call the FBI instead of hearing about a hack the other way around? Wouldn’t it mean more to have the smoking gun in your hand than an attempt to shut down what may or may not be the origin of any given attack?
To the limit your budget allows—and in preparation to justify an increase of that budget with scary cost figures from recent headline-making attacks and industry reports—you’ll enhance your hacker-busting posture by ensuring that you have:
- The right number of trained incident responders;
- The right technology and training for honeypots, sandboxing, and other defensive measures;
- A way to spot, receive alerts about, study, and capture the contextual data around unknown or unusual activity on network endpoints at the earliest possible stages; and
- A chronological report of the events and indicators related to that security incident.
It’s that contextual data that tells you whether this is a real cyber attack. Being able to pinpoint and take a snapshot of that data and preserve it forensically will set you up to work with law enforcement. Without it and without that chronological report, you have little hope of truly pursuing and ensuring punishment for the offenders. And in the end, isn’t learning from each new attack and then doing our part to lock up the threat actors the best possible outcome of a security incident?
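What the list above asks for in its last two items, a chronological report of events and indicators plus a forensically preserved snapshot of the contextual data, can be shown concretely. The following is an added example and not code from the original article: it takes endpoint, proxy, mail and authentication telemetry lines that arrived out of order, sorts them into a timeline, indexes every indicator (hashes, IP addresses, domains) with the hosts and sources it was first seen on, and then serializes the report canonically and hashes it so that anyone it is handed to can verify it has not changed. The line format (`timestamp source key=value ...`), the hostnames, IP addresses, domain and hashes are all constructed placeholders, and the format itself is an assumption made for the example.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample telemetry, deliberately out of chronological order.
# Hostnames, IPs, domain and hashes are made-up placeholders, not indicators
# from any real incident. The "timestamp source key=value" layout is an
# assumption for this example, not a format any product on the page emits.
SAMPLE_LINES = [
    "2015-02-03T09:16:40Z proxy host=WS-0417 dst_ip=203.0.113.25 domain=update-cdn.example bytes_out=48213",
    "2015-02-03T09:14:02Z edr host=WS-0417 event=process_create parent=outlook.exe child=powershell.exe sha256=AAAA0000",
    "2015-02-03T09:14:01Z mail host=MX-01 event=attachment_opened user=jdoe sha256=AAAA0000",
    "2015-02-03T09:20:15Z auth host=FS-02 event=logon_success user=jdoe src_ip=10.0.5.17 logon_type=3",
    "2015-02-03T09:21:03Z edr host=FS-02 event=file_write path=C:\\Users\\Public\\x.dat sha256=BBBB1111",
    "2015-02-03T09:21:30Z proxy host=FS-02 dst_ip=203.0.113.25 domain=update-cdn.example bytes_out=9210456",
]

# Which key=value fields count as indicators worth tracking across hosts.
INDICATOR_KEYS = {"dst_ip", "src_ip", "domain", "sha256"}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one telemetry line into a UTC timestamp, its source, and its fields."""
    ts_str, source, rest = line.split(" ", 2)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": source, "fields": dict(KV_RE.findall(rest))}


def build_timeline(lines):
    """Parse every line and order the events chronologically."""
    return sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])


def extract_indicators(events):
    """Index each indicator by first sighting, the hosts and sources involved, and a count."""
    indicators = {}
    for e in events:  # events are already in time order, so the first hit is first_seen
        for key, value in e["fields"].items():
            if key not in INDICATOR_KEYS:
                continue
            ind = indicators.setdefault(
                f"{key}:{value}",
                {"first_seen": e["ts"].isoformat(), "hosts": set(), "sources": set(), "count": 0},
            )
            ind["hosts"].add(e["fields"].get("host", "?"))
            ind["sources"].add(e["source"])
            ind["count"] += 1
    # Sets are not JSON-serializable; emit sorted lists so the output is deterministic.
    return {
        k: {**v, "hosts": sorted(v["hosts"]), "sources": sorted(v["sources"])}
        for k, v in indicators.items()
    }


def build_report(lines, incident_id):
    """Produce the chronological report: window, ordered events, and indicator index."""
    events = build_timeline(lines)
    timeline = [{"ts": e["ts"].isoformat(), "source": e["source"], **e["fields"]} for e in events]
    return {
        "incident_id": incident_id,
        "window": {"start": timeline[0]["ts"], "end": timeline[-1]["ts"]},
        "timeline": timeline,
        "indicators": extract_indicators(events),
    }


def preserve(report):
    """Serialize canonically (sorted keys, fixed separators) and hash, so the digest is reproducible."""
    blob = json.dumps(report, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return blob, hashlib.sha256(blob).hexdigest()


def verify(blob, expected_digest):
    """Recompute the digest over a preserved snapshot and compare it to the recorded one."""
    return hashlib.sha256(blob).hexdigest() == expected_digest


if __name__ == "__main__":
    report = build_report(SAMPLE_LINES, "INC-EXAMPLE-0001")  # placeholder incident id
    blob, digest = preserve(report)
    for ev in report["timeline"]:
        print(ev["ts"], ev["source"], ev.get("host"), ev.get("event", ""))
    print("snapshot sha256:", digest)
```

Record the digest separately from the snapshot (in the case notes or a ticket) at the moment of capture; the value of `verify` is that a party receiving the file later can recompute the hash and confirm the snapshot is the one taken at that time. The canonical JSON serialization matters for the same reason: without sorted keys and fixed separators, two equivalent dumps of the same report could hash differently.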