Risk

3/30/2015
10:30 AM
Hacking Back: Two Wrongs Don’t Make A Right

Here's the critical issue: Do you want to risk engaging your company in an ego-fueled war of revenge, or do you want to cut the bad guys off at the pass?

If the sheer volume of alerts you face daily or the massive damage from hacks, like the ones that dominate headlines, have driven you to the point of contemplating the available hacking-back options, let’s take a step back for a second. In the long-running debate about the legalities, ethics, and tactics of hacking back and its more politically correct cousin, “active defense,” it can be easy to let anxiety and even ego fuel a passionate “pro” viewpoint.

Entering a private network without permission is illegal, whether you are the hacker or the hacked, according to the terms of the Computer Fraud and Abuse Act. Anything we can do within our own networks and on our own devices is defensible—honeypots, mobile-device kill switches, forensic preservation, and the like are legit.

But first things first: strategy, then tactics. As the oft-quoted Sun Tzu notes in The Art of War, it’s vitally important to know your enemy and more importantly, to know yourself. Theoretically, you have access to all the information you need to fully understand what constitutes normal activity within your enterprise network, and today’s enemy is not the stereotypical basement dweller from days of yore.

So you want to pick a fight with North Korea?
This winter’s Sony Pictures Entertainment breach was a bracing reminder that we are operating at a whole new level in information security now—and it is definitely no game we’re playing. Whether you agree with the FBI or the private sector on attribution, the fact remains: the bad guys are in our networks, they know how to hide there for months or even years, and they can unleash some devastating results when they’re ready.

For those of us protecting sensitive data (and that’s all of us), here’s the critical question: Do you want to risk engaging your company and its reputation in an ego-fueled war of revenge, or do you want to cut the bad guys off at the pass and maybe even sic the feds on them? Doing the latter requires keeping operations above board in the eyes of federal law enforcement agencies and that means not breaking into a network without permission. After all, the “But they started it!” defense doesn’t stand up any better in court than it did with your third-grade teacher.

Given that many attackers commandeer and corrupt the infrastructure of innocent third parties to obfuscate the trail, that IP address you hunted down may not represent the actual cyber attacker. So how can you be sure you’re hacking back (excuse me, actively defending against) the actual criminals? There’s no way to know whether your team of four infosec pros is, in fact, attempting to out-hack a force of 20,000 people like the People’s Liberation Army Unit 61398, or erroneously striking out at an innocent ISP. In fact, hacking back carries tremendous potential for unleashing dire and completely unforeseen circumstances.

Inside-out security
A cyber forensic specialist I know who has had the rare privilege of speaking at a Congressional hearing on cyber crime once told me, “The real problem is that most companies don’t understand their own environments. If they did get hacked, they couldn’t say what had been touched. The most critical thing to do is to understand your own environment.” I like to refer to the concept as “inside-out security.”

Visibility into unusual activity on your network and its endpoints is the first step toward pinpointing that activity and its root cause. So what’s required in order to be able to call the FBI yourself, instead of hearing about a hack from someone else? Wouldn’t it mean more to have the smoking gun in your hand than to attempt to shut down what may or may not be the origin of any given attack?

To the limit your budget allows—and in preparation to justify an increase of that budget with scary cost figures from recent headline-making attacks and industry reports—you’ll enhance your hacker-busting posture by ensuring that you have:

  • The right number of trained incident responders; 
  • The right technology and training for honeypots, sandboxing, and other defensive measures; 
  • A way to spot, receive alerts about, study, and capture the contextual data around unknown or unusual activity on network endpoints at the earliest possible stages; and 
  • A chronological report of the events and indicators related to that security incident.

It’s that contextual data that tells you whether this is a real cyber attack. Being able to pinpoint and take a snapshot of that data and preserve it forensically will set you up to work with law enforcement. Without it and without that chronological report, you have little hope of truly pursuing and ensuring punishment for the offenders. And in the end, isn’t learning from each new attack and then doing our part to lock up the threat actors the best possible outcome of a security incident?
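The list above and this paragraph describe capturing the contextual data around unusual endpoint activity, preserving it forensically, and producing a chronological report of events and indicators. The Python below is an added example, not code from the article or from Guidance Software: it orders constructed sample endpoint alerts by timestamp and chains a SHA-256 digest over each record, so that any later edit, reordering or removal of a record breaks verification. Every hostname, timestamp, indicator name and field name is made up for illustration.

```python
"""Chronological, tamper-evident incident timeline (added example).

Records are sorted by time, then each record's digest covers the
previous record's digest, so the report can be handed to law
enforcement with a verifiable chain of custody over its contents.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first record in the chain

# Constructed sample alerts from two endpoints; the field names and
# values are invented for this example and deliberately out of order.
SAMPLE_ALERTS = [
    {"ts": "2015-03-29T23:14:02Z", "host": "ws-017", "indicator": "new_service",
     "detail": "service 'updsvc' installed from %TEMP%"},
    {"ts": "2015-03-29T22:51:40Z", "host": "ws-017", "indicator": "macro_exec",
     "detail": "winword.exe spawned powershell.exe"},
    {"ts": "2015-03-30T01:03:11Z", "host": "srv-db-02", "indicator": "lateral_logon",
     "detail": "network logon from ws-017 with an admin account"},
]


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp of the form used in the samples."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def canonical(record):
    """Deterministic byte encoding so the digest is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_timeline(alerts):
    """Sort alerts chronologically and chain SHA-256 digests over them."""
    ordered = sorted(alerts, key=lambda a: parse_ts(a["ts"]))
    prev = GENESIS
    timeline = []
    for seq, alert in enumerate(ordered, start=1):
        body = {"seq": seq, "prev_hash": prev, **alert}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        timeline.append({**body, "hash": digest})
        prev = digest
    return timeline


def verify_timeline(timeline):
    """Recompute the chain; False if any record was edited, moved or removed
    from the middle. (Truncating the tail would still verify, so record the
    final hash separately when the report is handed off.)"""
    prev = GENESIS
    for idx, entry in enumerate(timeline, start=1):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != idx or body.get("prev_hash") != prev:
            return False
        if hashlib.sha256(canonical(body)).hexdigest() != entry.get("hash"):
            return False
        prev = entry["hash"]
    return True


def render_report(timeline):
    """Plain-text chronological report plus the chain head for hand-off."""
    lines = ["seq  timestamp             host       indicator       detail"]
    for e in timeline:
        lines.append(f"{e['seq']:<4} {e['ts']:<21} {e['host']:<10} "
                     f"{e['indicator']:<15} {e['detail']}")
    head = timeline[-1]["hash"] if timeline else GENESIS
    lines.append(f"chain head (record this out-of-band): {head}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = build_timeline(SAMPLE_ALERTS)
    print(render_report(report))
    print("verified:", verify_timeline(report))
```

The chain head printed at the end is what you write down (or sign) when the report leaves your hands; anyone who later receives the file can rerun `verify_timeline` and compare the head, which is the part of forensic preservation that the per-record digests alone do not give you.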

As the Director of the Security Practice for Guidance Software, Anthony Di Bello is responsible for providing in-depth insight into the advanced threat landscape. Since joining the company in 2005, he has been instrumental in defining the company's suite of security products, ...