Threat Intelligence

9/24/2018
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Hacking Back: Simply a Bad Idea

While the concept may sound appealing, it's rife with drawbacks and dangers.

As the topic of hacking back continues to resurface among elected officials, those of us in the cybersecurity community are scratching our heads over why this concept refuses to die. After digging deeper, one can see that there are many misperceptions regarding what the terms "hacking back" and "active cyber defense" (ACD) actually mean. General frustration and misinformation are driving the interest, but the mixing of definitions is fueling confusion.

Let's start with the Active Cyber Defense Certainty (ACDC) Act, which was introduced to Congress by Rep. Tom Graves (R-Ga.) and Rep. Kyrsten Sinema (D-Ariz.) in March 2017 (updated in October 2017) as legislation that would give companies the right to hack back after a "persistent unauthorized intrusion." The bill's name itself generates confusion.

Hacking follows a very methodical approach, often referred to as the "kill chain." This defines a hacker's actions from initial compromise, escalation, lateral movement, to exfiltration. Hacking back would require a reverse traversal of the kill chain (with heavy modification) in order to understand the attack, adversary, and attribution. The danger with uninformed companies hacking back is that they typically won't have well-defined strategies or methods for their actions. There are also many issues regarding what hacking back would achieve. It is likely that companies could gain some threat intelligence but less likely that they could recover their data.

ACD is a specific approach for gathering intel (internal-external), assessing risks and threats, developing a tech plan to lure and misdirect in-network attackers, and implementing a consistent operational strategy. Fundamentally, ACD consists of cyber intelligence, deterrence, and defense-in-depth strategies to create a comprehensive, proactive defensive posture.

Recently, the issue of hacking back resurfaced at the federal level in a Judiciary Committee hearing, when Sen. Sheldon Whitehouse (D-R.I.) weighed the merits of hacking back during a broader discussion on more open disclosure of digital threats and breaches as well as security stress testing. Whitehouse advocated for creating a more transparent process for private companies to seek guidelines for hacking back, noting, "We ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression."

While promoting a forum for discussion is smart, doing anything that advances this idea forward — like setting guidelines for hacking back — is dangerous. Organizations must know how to establish a proactive cyber defense, but counter-hacking exposes many practical, ethical, and legal concerns that most are ill-equipped to address. It also creates the risk for unintended consequences that could have adverse effects.

Although the concept of an "eye for an eye" may seem appealing to some, Whitehouse is correct that we must carefully consider the implications and consequences of what might happen if hacking back is allowed. We should also seek to understand and embrace new technologies that empower a proactive defense and new compliance standards for legacy and innovative technologies that present high security risks.

What if Hacking Back Became Legal in the US?
If hacking back were to become legal, an organization would first have to accurately identify its adversary, pinpoint the location of its information, and retrieve it without causing other harm. Then it would need to notify the FBI prior to hacking back.

The next steps are challenging because:

1. It's difficult to prove an attacker "persistently" attacked a network.

  • Attribution is extremely challenging, with traffic or commands that may appear to come from one source but originate elsewhere.
  • Adversaries often hide behind third-party "zombie" computers they've compromised to orchestrate their attacks. Feasibly, the original victim could now unwittingly become the attacker.

2. The bill only legalizes hacking back against attackers within the US. Attacks involving individuals from other countries would be subject to local laws.

3. A private organization's counter-hacking may interfere with investigations or activities by government agencies. Reliable mechanisms for cross-coordination do not exist in the US and are even less established when applied internationally.

How Would It Work?
A typical hack starts with probing a cybercriminal's infrastructure for weaknesses to prepare for retrieval/retaliation, followed by remotely breaking into a target's servers and wiping any data, or disabling the attacker's malware from delivering a payload.

Counter-hacking requires specialized skills and is generally deemed unwise by cybersecurity experts for two reasons:

1. Most organizations lack the skill set, basic tools, and defensive posture to conduct a precision hack back and cannot handle the potentially escalated wrath of an aggravated attacker — especially one that may have sizable resources to retaliate.

2. A far less complex and contentious approach could be achieved by fortifying their defenses, implementing strategies for detecting threats quickly, and adding proactive measures to reduce risk and increase the effort an adversary would need to complete their attack.    

A Better Approach
Organizations should pick the best perimeter defenses their budgets and resources can afford, understanding that with human error and advanced targeting, nothing can be 100% bulletproof. Companies shouldn't stay passive, instead leveraging their home-field advantage by adding proactive security measures and focusing on threat models that affect the organization the most. They should also adopt active defense tools, such as deception, that change an attack's asymmetry, gather threat intelligence, and use the attacker's behavior for strengthening proactive cybersecurity behavior. Consider this a chess match where traps are used to manipulate adversaries and trick them into making mistakes, ultimately leading to their loss.

While organizations should have the support, rights, and permission to defend themselves from a cyberattack, conducting a retaliatory attack isn't the answer. Legislation will also not solve the problems of cyberattacks. Instead, adoption of proactive cyber operations will drastically minimize the impact of a breach, and ultimately eliminate the need to retaliate. As a wise person once said, "the best revenge is massive success."

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Carolyn Crandall is a technology executive with over 25 years of experience in building emerging technology markets in security, networking, and storage industries. She has a demonstrated track record of successfully taking companies from pre-IPO through to ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
9/24/2018 | 12:47:25 PM
Simple and effective
For a smile, a brilliant security analyist I worked with will leave a Microsoft scam tech call on hold for for 20 min or so to see how long it takes before they give up and move on.  On occasionl he lets them play in his sandbox and even tried to have them infect themselves WITH ransomware. 
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.
CVE-2018-18375
PUBLISHED: 2018-10-16
goform/getProfileList in Orange AirBox Y858_FL_01.16_04 allows attackers to extract APN data (name, number, username, and password) via the rand parameter.
CVE-2018-18376
PUBLISHED: 2018-10-16
goform/getWlanClientInfo in Orange AirBox Y858_FL_01.16_04 allows remote attackers to discover information about currently connected devices (hostnames, IP addresses, MAC addresses, and connection time) via the rand parameter.