As the topic of hacking back continues to resurface among elected officials, those of us in the cybersecurity community are scratching our heads over why this concept refuses to die. After digging deeper, one can see that there are many misperceptions regarding what the terms "hacking back" and "active cyber defense" (ACD) actually mean. General frustration and misinformation are driving the interest, but the mixing of definitions is fueling confusion.
Let's start with the Active Cyber Defense Certainty (ACDC) Act, which was introduced to Congress by Rep. Tom Graves (R-Ga.) and Rep. Kyrsten Sinema (D-Ariz.) in March 2017 (updated in October 2017) as legislation that would give companies the right to hack back after a "persistent unauthorized intrusion." The bill's name itself generates confusion.
Hacking follows a very methodical approach, often referred to as the "kill chain." This defines a hacker's actions from initial compromise, escalation, lateral movement, to exfiltration. Hacking back would require a reverse traversal of the kill chain (with heavy modification) in order to understand the attack, adversary, and attribution. The danger with uninformed companies hacking back is that they typically won't have well-defined strategies or methods for their actions. There are also many issues regarding what hacking back would achieve. It is likely that companies could gain some threat intelligence but less likely that they could recover their data.
ACD is a specific approach for gathering intel (internal-external), assessing risks and threats, developing a tech plan to lure and misdirect in-network attackers, and implementing a consistent operational strategy. Fundamentally, ACD consists of cyber intelligence, deterrence, and defense-in-depth strategies to create a comprehensive, proactive defensive posture.
Recently, the issue of hacking back resurfaced at the federal level in a Judiciary Committee hearing, when Sen. Sheldon Whitehouse (D-R.I.) weighed the merits of hacking back during a broader discussion on more open disclosure of digital threats and breaches as well as security stress testing. Whitehouse advocated for creating a more transparent process for private companies to seek guidelines for hacking back, noting, "We ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression."
While promoting a forum for discussion is smart, doing anything that advances this idea forward — like setting guidelines for hacking back — is dangerous. Organizations must know how to establish a proactive cyber defense, but counter-hacking exposes many practical, ethical, and legal concerns that most are ill-equipped to address. It also creates the risk for unintended consequences that could have adverse effects.
Although the concept of an "eye for an eye" may seem appealing to some, Whitehouse is correct that we must carefully consider the implications and consequences of what might happen if hacking back is allowed. We should also seek to understand and embrace new technologies that empower a proactive defense and new compliance standards for legacy and innovative technologies that present high security risks.
What if Hacking Back Became Legal in the US?
If hacking back were to become legal, an organization would first have to accurately identify its adversary, pinpoint the location of its information, and retrieve it without causing other harm. Then it would need to notify the FBI prior to hacking back.
The next steps are challenging because:
1. It's difficult to prove an attacker "persistently" attacked a network.
- Attribution is extremely challenging, with traffic or commands that may appear to come from one source but originate elsewhere.
- Adversaries often hide behind third-party "zombie" computers they've compromised to orchestrate their attacks. Feasibly, the original victim could now unwittingly become the attacker.
2. The bill only legalizes hacking back against attackers within the US. Attacks involving individuals from other countries would be subject to local laws.
3. A private organization's counter-hacking may interfere with investigations or activities by government agencies. Reliable mechanisms for cross-coordination do not exist in the US and are even less established when applied internationally.
How Would It Work?
A typical hack starts with probing a cybercriminal's infrastructure for weaknesses to prepare for retrieval/retaliation, followed by remotely breaking into a target's servers and wiping any data, or disabling the attacker's malware from delivering a payload.
Counter-hacking requires specialized skills and is generally deemed unwise by cybersecurity experts for two reasons:
1. Most organizations lack the skill set, basic tools, and defensive posture to conduct a precision hack back and cannot handle the potentially escalated wrath of an aggravated attacker — especially one that may have sizable resources to retaliate.
2. A far less complex and contentious approach could be achieved by fortifying their defenses, implementing strategies for detecting threats quickly, and adding proactive measures to reduce risk and increase the effort an adversary would need to complete their attack.
A Better Approach
Organizations should pick the best perimeter defenses their budgets and resources can afford, understanding that with human error and advanced targeting, nothing can be 100% bulletproof. Companies shouldn't stay passive, instead leveraging their home-field advantage by adding proactive security measures and focusing on threat models that affect the organization the most. They should also adopt active defense tools, such as deception, that change an attack's asymmetry, gather threat intelligence, and use the attacker's behavior for strengthening proactive cybersecurity behavior. Consider this a chess match where traps are used to manipulate adversaries and trick them into making mistakes, ultimately leading to their loss.
While organizations should have the support, rights, and permission to defend themselves from a cyberattack, conducting a retaliatory attack isn't the answer. Legislation will also not solve the problems of cyberattacks. Instead, adoption of proactive cyber operations will drastically minimize the impact of a breach, and ultimately eliminate the need to retaliate. As a wise person once said, "the best revenge is massive success."
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.