Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/24/2018
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Hacking Back: Simply a Bad Idea

While the concept may sound appealing, it's rife with drawbacks and dangers.

As the topic of hacking back continues to resurface among elected officials, those of us in the cybersecurity community are scratching our heads over why this concept refuses to die. After digging deeper, one can see that there are many misperceptions regarding what the terms "hacking back" and "active cyber defense" (ACD) actually mean. General frustration and misinformation are driving the interest, but the mixing of definitions is fueling confusion.

Let's start with the Active Cyber Defense Certainty (ACDC) Act, which was introduced to Congress by Rep. Tom Graves (R-Ga.) and Rep. Kyrsten Sinema (D-Ariz.) in March 2017 (updated in October 2017) as legislation that would give companies the right to hack back after a "persistent unauthorized intrusion." The bill's name itself generates confusion.

Hacking follows a very methodical approach, often referred to as the "kill chain." This defines a hacker's actions from initial compromise, escalation, lateral movement, to exfiltration. Hacking back would require a reverse traversal of the kill chain (with heavy modification) in order to understand the attack, adversary, and attribution. The danger with uninformed companies hacking back is that they typically won't have well-defined strategies or methods for their actions. There are also many issues regarding what hacking back would achieve. It is likely that companies could gain some threat intelligence but less likely that they could recover their data.

ACD is a specific approach for gathering intel (internal-external), assessing risks and threats, developing a tech plan to lure and misdirect in-network attackers, and implementing a consistent operational strategy. Fundamentally, ACD consists of cyber intelligence, deterrence, and defense-in-depth strategies to create a comprehensive, proactive defensive posture.

Recently, the issue of hacking back resurfaced at the federal level in a Judiciary Committee hearing, when Sen. Sheldon Whitehouse (D-R.I.) weighed the merits of hacking back during a broader discussion on more open disclosure of digital threats and breaches as well as security stress testing. Whitehouse advocated for creating a more transparent process for private companies to seek guidelines for hacking back, noting, "We ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression."

While promoting a forum for discussion is smart, doing anything that advances this idea forward — like setting guidelines for hacking back — is dangerous. Organizations must know how to establish a proactive cyber defense, but counter-hacking exposes many practical, ethical, and legal concerns that most are ill-equipped to address. It also creates the risk for unintended consequences that could have adverse effects.

Although the concept of an "eye for an eye" may seem appealing to some, Whitehouse is correct that we must carefully consider the implications and consequences of what might happen if hacking back is allowed. We should also seek to understand and embrace new technologies that empower a proactive defense and new compliance standards for legacy and innovative technologies that present high security risks.

What if Hacking Back Became Legal in the US?
If hacking back were to become legal, an organization would first have to accurately identify its adversary, pinpoint the location of its information, and retrieve it without causing other harm. Then it would need to notify the FBI prior to hacking back.

The next steps are challenging because:

1. It's difficult to prove an attacker "persistently" attacked a network.

  • Attribution is extremely challenging, with traffic or commands that may appear to come from one source but originate elsewhere.
  • Adversaries often hide behind third-party "zombie" computers they've compromised to orchestrate their attacks. Feasibly, the original victim could now unwittingly become the attacker.

2. The bill only legalizes hacking back against attackers within the US. Attacks involving individuals from other countries would be subject to local laws.

3. A private organization's counter-hacking may interfere with investigations or activities by government agencies. Reliable mechanisms for cross-coordination do not exist in the US and are even less established when applied internationally.

How Would It Work?
A typical hack starts with probing a cybercriminal's infrastructure for weaknesses to prepare for retrieval/retaliation, followed by remotely breaking into a target's servers and wiping any data, or disabling the attacker's malware from delivering a payload.

Counter-hacking requires specialized skills and is generally deemed unwise by cybersecurity experts for two reasons:

1. Most organizations lack the skill set, basic tools, and defensive posture to conduct a precision hack back and cannot handle the potentially escalated wrath of an aggravated attacker — especially one that may have sizable resources to retaliate.

2. A far less complex and contentious approach could be achieved by fortifying their defenses, implementing strategies for detecting threats quickly, and adding proactive measures to reduce risk and increase the effort an adversary would need to complete their attack.    

A Better Approach
Organizations should pick the best perimeter defenses their budgets and resources can afford, understanding that with human error and advanced targeting, nothing can be 100% bulletproof. Companies shouldn't stay passive, instead leveraging their home-field advantage by adding proactive security measures and focusing on threat models that affect the organization the most. They should also adopt active defense tools, such as deception, that change an attack's asymmetry, gather threat intelligence, and use the attacker's behavior for strengthening proactive cybersecurity behavior. Consider this a chess match where traps are used to manipulate adversaries and trick them into making mistakes, ultimately leading to their loss.

While organizations should have the support, rights, and permission to defend themselves from a cyberattack, conducting a retaliatory attack isn't the answer. Legislation will also not solve the problems of cyberattacks. Instead, adoption of proactive cyber operations will drastically minimize the impact of a breach, and ultimately eliminate the need to retaliate. As a wise person once said, "the best revenge is massive success."

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Carolyn Crandall is a technology executive with over 25 years of experience in building emerging technology markets in security, networking, and storage industries. She has a demonstrated track record of successfully taking companies from pre-IPO through to ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
9/24/2018 | 12:47:25 PM
Simple and effective
For a smile, a brilliant security analyist I worked with will leave a Microsoft scam tech call on hold for for 20 min or so to see how long it takes before they give up and move on.  On occasionl he lets them play in his sandbox and even tried to have them infect themselves WITH ransomware. 
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17424
PUBLISHED: 2019-10-22
A stack-based buffer overflow in the processPrivilage() function in IOS/process-general.c in nipper-ng 0.11.10 allows remote attackers (serving firewall configuration files) to achieve Remote Code Execution or Denial Of Service via a crafted file.
CVE-2019-16404
PUBLISHED: 2019-10-21
Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter.
CVE-2019-17400
PUBLISHED: 2019-10-21
The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.
CVE-2019-17498
PUBLISHED: 2019-10-21
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a ...
CVE-2019-16969
PUBLISHED: 2019-10-21
In FusionPBX up to 4.5.7, the file app\fifo_list\fifo_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS.