Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/24/2018
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Hacking Back: Simply a Bad Idea

While the concept may sound appealing, it's rife with drawbacks and dangers.

As the topic of hacking back continues to resurface among elected officials, those of us in the cybersecurity community are scratching our heads over why this concept refuses to die. After digging deeper, one can see that there are many misperceptions regarding what the terms "hacking back" and "active cyber defense" (ACD) actually mean. General frustration and misinformation are driving the interest, but the mixing of definitions is fueling confusion.

Let's start with the Active Cyber Defense Certainty (ACDC) Act, which was introduced to Congress by Rep. Tom Graves (R-Ga.) and Rep. Kyrsten Sinema (D-Ariz.) in March 2017 (updated in October 2017) as legislation that would give companies the right to hack back after a "persistent unauthorized intrusion." The bill's name itself generates confusion.

Hacking follows a very methodical approach, often referred to as the "kill chain." This defines a hacker's actions from initial compromise, escalation, lateral movement, to exfiltration. Hacking back would require a reverse traversal of the kill chain (with heavy modification) in order to understand the attack, adversary, and attribution. The danger with uninformed companies hacking back is that they typically won't have well-defined strategies or methods for their actions. There are also many issues regarding what hacking back would achieve. It is likely that companies could gain some threat intelligence but less likely that they could recover their data.

ACD is a specific approach for gathering intel (internal-external), assessing risks and threats, developing a tech plan to lure and misdirect in-network attackers, and implementing a consistent operational strategy. Fundamentally, ACD consists of cyber intelligence, deterrence, and defense-in-depth strategies to create a comprehensive, proactive defensive posture.

Recently, the issue of hacking back resurfaced at the federal level in a Judiciary Committee hearing, when Sen. Sheldon Whitehouse (D-R.I.) weighed the merits of hacking back during a broader discussion on more open disclosure of digital threats and breaches as well as security stress testing. Whitehouse advocated for creating a more transparent process for private companies to seek guidelines for hacking back, noting, "We ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression."

While promoting a forum for discussion is smart, doing anything that advances this idea forward — like setting guidelines for hacking back — is dangerous. Organizations must know how to establish a proactive cyber defense, but counter-hacking exposes many practical, ethical, and legal concerns that most are ill-equipped to address. It also creates the risk for unintended consequences that could have adverse effects.

Although the concept of an "eye for an eye" may seem appealing to some, Whitehouse is correct that we must carefully consider the implications and consequences of what might happen if hacking back is allowed. We should also seek to understand and embrace new technologies that empower a proactive defense and new compliance standards for legacy and innovative technologies that present high security risks.

What if Hacking Back Became Legal in the US?
If hacking back were to become legal, an organization would first have to accurately identify its adversary, pinpoint the location of its information, and retrieve it without causing other harm. Then it would need to notify the FBI prior to hacking back.

The next steps are challenging because:

1. It's difficult to prove an attacker "persistently" attacked a network.

  • Attribution is extremely challenging, with traffic or commands that may appear to come from one source but originate elsewhere.
  • Adversaries often hide behind third-party "zombie" computers they've compromised to orchestrate their attacks. Feasibly, the original victim could now unwittingly become the attacker.

2. The bill only legalizes hacking back against attackers within the US. Attacks involving individuals from other countries would be subject to local laws.

3. A private organization's counter-hacking may interfere with investigations or activities by government agencies. Reliable mechanisms for cross-coordination do not exist in the US and are even less established when applied internationally.

How Would It Work?
A typical hack starts with probing a cybercriminal's infrastructure for weaknesses to prepare for retrieval/retaliation, followed by remotely breaking into a target's servers and wiping any data, or disabling the attacker's malware from delivering a payload.

Counter-hacking requires specialized skills and is generally deemed unwise by cybersecurity experts for two reasons:

1. Most organizations lack the skill set, basic tools, and defensive posture to conduct a precision hack back and cannot handle the potentially escalated wrath of an aggravated attacker — especially one that may have sizable resources to retaliate.

2. A far less complex and contentious approach could be achieved by fortifying their defenses, implementing strategies for detecting threats quickly, and adding proactive measures to reduce risk and increase the effort an adversary would need to complete their attack.    

A Better Approach
Organizations should pick the best perimeter defenses their budgets and resources can afford, understanding that with human error and advanced targeting, nothing can be 100% bulletproof. Companies shouldn't stay passive, instead leveraging their home-field advantage by adding proactive security measures and focusing on threat models that affect the organization the most. They should also adopt active defense tools, such as deception, that change an attack's asymmetry, gather threat intelligence, and use the attacker's behavior for strengthening proactive cybersecurity behavior. Consider this a chess match where traps are used to manipulate adversaries and trick them into making mistakes, ultimately leading to their loss.

While organizations should have the support, rights, and permission to defend themselves from a cyberattack, conducting a retaliatory attack isn't the answer. Legislation will also not solve the problems of cyberattacks. Instead, adoption of proactive cyber operations will drastically minimize the impact of a breach, and ultimately eliminate the need to retaliate. As a wise person once said, "the best revenge is massive success."

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Carolyn Crandall is the Chief Security Advocate and CMO at Attivo Networks, the leader in cyber deception and attacker lateral movement detection. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
9/24/2018 | 12:47:25 PM
Simple and effective
For a smile, a brilliant security analyist I worked with will leave a Microsoft scam tech call on hold for for 20 min or so to see how long it takes before they give up and move on.  On occasionl he lets them play in his sandbox and even tried to have them infect themselves WITH ransomware. 
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "Elon, I think our cover's been blown."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27400
PUBLISHED: 2021-04-22
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1
CVE-2021-29653
PUBLISHED: 2021-04-22
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.
CVE-2021-30476
PUBLISHED: 2021-04-22
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1.
CVE-2021-22540
PUBLISHED: 2021-04-22
Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags.
CVE-2021-27736
PUBLISHED: 2021-04-22
FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.