Risk

3/30/2015
10:30 AM
Hacking Back: Two Wrongs Don't Make A Right

Here's the critical issue: Do you want to risk engaging your company in an ego-fueled war of revenge, or do you want to cut the bad guys off at the pass?

If the sheer volume of alerts you face daily or the massive damage from hacks, like the ones that dominate headlines, have driven you to the point of contemplating the available hacking-back options, let’s take a step back for a second. In the long-running debate about the legalities, ethics, and tactics of hacking back and its more politically correct cousin, “active defense,” it can be easy to let anxiety and even ego fuel a passionate “pro” viewpoint.

Entering a private network without permission is illegal, whether you are the hacker or the hacked, according to the terms of the Computer Fraud and Abuse Act. Anything we can do within our own networks and on our own devices is defensible—honeypots, mobile-device kill switches, forensic preservation, and the like are legit.

But first things first: strategy, then tactics. As the oft-quoted Sun Tzu notes in The Art of War, it’s vitally important to know your enemy and more importantly, to know yourself. Theoretically, you have access to all the information you need to fully understand what constitutes normal activity within your enterprise network, and today’s enemy is not the stereotypical basement dweller from days of yore.

So you want to pick a fight with North Korea?
This winter’s Sony Pictures Entertainment breach was a bracing reminder that we are operating at a whole new level in information security now—and it is definitely no game we’re playing. Whether you agree with the FBI or the private sector on attribution, the fact remains: the bad guys are in our networks, they know how to hide there for months or even years, and they can unleash some devastating results when they’re ready.

For those of us protecting sensitive data (and that’s all of us), here’s the critical question: Do you want to risk engaging your company and its reputation in an ego-fueled war of revenge, or do you want to cut the bad guys off at the pass and maybe even sic the feds on them? Doing the latter requires keeping operations above board in the eyes of federal law enforcement agencies and that means not breaking into a network without permission. After all, the “But they started it!” defense doesn’t stand up any better in court than it did with your third-grade teacher.

Given that many attackers commandeer and corrupt the infrastructure of innocent third parties to obfuscate the trail, that IP address you hunted down may not represent the actual cyber attacker. So how can you be sure you’re hacking back (excuse me, actively defending against) the actual criminals? There’s no way to know whether your team of four infosec pros is, in fact, attempting to out-hack a force of 20,000 people like the People’s Liberation Army Unit 61398, or erroneously striking out at an innocent ISP. In fact, hacking back carries tremendous potential for unleashing dire and completely unforeseen circumstances.

Inside-out security
A cyber forensic specialist I know who has had the rare privilege of speaking at a Congressional hearing on cyber crime once told me, “The real problem is that most companies don’t understand their own environments. If they did get hacked, they couldn’t say what had been touched. The most critical thing to do is to understand your own environment.” I like to refer to the concept as “inside-out security.”

Ensuring you have visibility into any unusual activity occurring on your network and its endpoints is the first step toward pinpointing unusual activity and its root cause. So what’s required in order to be able to call the FBI instead of hearing about a hack the other way around? Wouldn’t it mean more to have the smoking gun in your hand than an attempt to shut down what may or may not be the origin of any given attack?

To the limit your budget allows—and in preparation to justify an increase of that budget with scary cost figures from recent headline-making attacks and industry reports—you’ll enhance your hacker-busting posture by ensuring that you have:

  • The right number of trained incident responders; 
  • The right technology and training for honeypots, sandboxing, and other defensive measures; 
  • A way to spot, receive alerts about, study, and capture the contextual data around unknown or unusual activity on network endpoints at the earliest possible stages; and 
  • A chronological report of the events and indicators related to that security incident.

It’s that contextual data that tells you whether this is a real cyber attack. Being able to pinpoint and take a snapshot of that data and preserve it forensically will set you up to work with law enforcement. Without it and without that chronological report, you have little hope of truly pursuing and ensuring punishment for the offenders. And in the end, isn’t learning from each new attack and then doing our part to lock up the threat actors the best possible outcome of a security incident?
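The list above and this paragraph describe the capability a defender needs before calling law enforcement: alerts with the context around unusual endpoint activity, a chronological report of the events, and a forensically preserved snapshot of that evidence. The following script is an added example, not code from the article or from Guidance Software, showing one way to turn a batch of endpoint alerts into such a report. The alert records are constructed sample data, and canonical JSON serialisation plus a SHA-256 digest stands in for whatever evidence-integrity mechanism a real forensic platform would use.

```python
"""Build a chronological incident timeline from endpoint alerts and preserve it
with an integrity digest, so the package can be verified later when it is
handed to law enforcement.  Added example; all alert data below is constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample endpoint alerts (not real data); deliberately out of order
# to show that the report is sorted by event time regardless of arrival order.
SAMPLE_ALERTS = [
    {"ts": "2015-03-02T14:09:05Z", "host": "ws-114", "event": "network",
     "detail": "outbound connection to a host not seen before on this endpoint"},
    {"ts": "2015-03-02T14:07:31Z", "host": "ws-114", "event": "process",
     "detail": "unsigned binary executed from a temporary directory"},
    {"ts": "2015-03-03T02:15:40Z", "host": "srv-db-02", "event": "auth",
     "detail": "interactive logon by a service account outside normal hours"},
    {"ts": "2015-03-02T14:08:12Z", "host": "ws-114", "event": "persistence",
     "detail": "new scheduled task created by a non-admin user"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(alerts):
    """Return the alerts sorted by time, each tagged with a sequence number and
    its offset in seconds from the earliest event: the chronological report."""
    ordered = sorted(alerts, key=lambda a: parse_ts(a["ts"]))
    if not ordered:
        return []
    t0 = parse_ts(ordered[0]["ts"])
    return [
        {"seq": i, "offset_s": int((parse_ts(a["ts"]) - t0).total_seconds()), **a}
        for i, a in enumerate(ordered, start=1)
    ]


def incident_report(alerts):
    """Summarise the incident: time span, hosts touched, event types, timeline."""
    timeline = build_timeline(alerts)
    return {
        "first_seen": timeline[0]["ts"] if timeline else None,
        "last_seen": timeline[-1]["ts"] if timeline else None,
        "hosts": sorted({a["host"] for a in timeline}),
        "event_types": sorted({a["event"] for a in timeline}),
        "timeline": timeline,
    }


def preserve(report):
    """Serialise the report canonically (sorted keys, fixed separators) so the
    SHA-256 digest is reproducible; return (snapshot bytes, hex digest)."""
    blob = json.dumps(report, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return blob, hashlib.sha256(blob).hexdigest()


def verify(blob: bytes, expected_digest: str) -> bool:
    """Recompute the digest of a preserved snapshot and compare it with the
    value recorded at collection time; any change to the bytes fails."""
    return hashlib.sha256(blob).hexdigest() == expected_digest


if __name__ == "__main__":
    report = incident_report(SAMPLE_ALERTS)
    for entry in report["timeline"]:
        print(f"{entry['seq']:>2} +{entry['offset_s']:>6}s {entry['host']:<10} "
              f"{entry['event']:<12} {entry['detail']}")
    blob, digest = preserve(report)
    print("sha256:", digest, "verified:", verify(blob, digest))
```

Two design points matter here. Sorting on parsed timestamps rather than on arrival order is what makes the report chronological even when alerts from several hosts reach the collector late, and canonical serialisation is what lets a second party recompute the same digest from the same records; without it, two harmless reorderings of the JSON keys would look like tampering.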

As the Director of the Security Practice for Guidance Software, Anthony Di Bello is responsible for providing in-depth insight into the advanced threat landscape. Since joining the company in 2005, he has been instrumental in defining the company's suite of security products, ...