5 reasons not to “hack back”

Are hacking victims “hacking back”? That question was recently posed in headlines like this one from Bloomberg: FBI Investigating Whether Companies Are Engaged in Revenge Hacking. The Marketplace reporter, Ben Johnson, speculated that 2015 might be the year of “hacking back” when he asked me about revenge hacking. As I told Ben, there are several good reasons not to engage in hacking back, tempting though it may be to do so; I will enumerate those reasons after some background on this strategy and its place within cybersecurity.

Counterstrike vs. Active Deception

I should probably start out by saying that I do understand the urge to strike back, whether it is against perpetrators of a distributed denial of service (DDoS) attack that has closed down your website or the thieves who stole your customer data. The scumbags that are doing this appear to be doing so with impunity. Law enforcement can’t seem to stop them, let alone identify who they are and bring them to justice. Yet there they are, on the other end of a connection they have made to you. The urge to strike back or otherwise mess with them is strong; however, my advice is to go with “otherwise mess with them” and avoid the major risks and serious unknowns that come with striking back.

Fortunately, there is a solid body of work on messing with network intruders, which falls within the “active deception” category of the realm of security known as Active Defense. A good paper by Josh Johnson on implementing active deception on private networks is available from SANS; it describes a number of techniques to “identify and slow down attackers who have established pivot points into private networks before data exfiltration occurs”. Note the term: private networks. The fact that you are messing with intruders within your network is a very important legal and tactical distinction. If you still want to pursue hacking back outside your own domain, please consider the reasons that I have enumerated below. I also encourage you to abide by this three-point pledge:

I will not hack back until…

  1. I have already tried active deception.
  2. I am sure that my network defenses are able to withstand any counter-counter-attack.
  3. I have permission from legal counsel, in writing.

Reason #1 not to hack back: it’s illegal

For companies and individuals to conduct denial of service attacks is illegal. Accessing a system that does not belong to you is illegal. Distributing code designed to enable unauthorized access to a system is illegal. To be clear: doing unto others the illegal stuff they are doing unto you? Illegal. The lawyers in the room might want to pipe up and remind you that I’m not a lawyer. That is true, so please ask your corporate counsel to sign off on your plans to hack back before you proceed. I guarantee they will refuse to do so. (If you have knowledge of any real world cases that would refute this, please let me know.)

The very angry people in the room, maybe those who are being, or have been, victimized by criminal hackers, might want to say: “Stuff the law, we won’t get caught, and if we do, the public will be sympathetic; law enforcement will take it easy on us.” I respectfully suggest that public sympathy is little comfort if you are convicted of a crime, or face court ordered restitution costs for the collateral damage your counterstrike caused. Even in the realm of physical encounters, the legality of striking back is complex and dependent on a wide range of factors, any one of which might put you on the wrong side of the law.

Reason #2 not to hack back: it leads to a dark place

Freelance law enforcement and citizen aggression is frowned upon in civil society because it shoves us down the road toward a type of Wild West free-for-all in which criminal activity targets those least able to strike back. Suppose that a large bank, the kind that makes tens of billions of dollars a year in profits, decides to strike back at criminal hackers. That will likely cause some criminals to target smaller banks instead, the kind that cannot afford a counterstrike program, let alone pay millions of dollars in fines if their hack back efforts are found to be in breach of the law.

Surely it is better to channel the anger and outrage over being hacked into lobbying for a bigger and better law enforcement response to cyber crime. Clearly, the current state of affairs in unacceptable. Two of the five largest American retailers get seriously hacked but nobody gets arrested. Tax identity thieves rake in $5 billion yet the IRS budget gets cut. Clearly, there is plenty of room to improve law enforcement before we resort to outsourcing cyber-aggression.

Reason #3 not to hack back: you’re not tough enough

Please don’t take this advice personally, I’m not saying there is any weakness in your character. My point is: hacking back carries a serious risk of escalating the very activity you are trying to discourage. Let’s assume you have figured out how the bad guys got in and you’ve remediated that weakness in your defenses. You are now poised to hack back. Now ask yourself, or rather your team: Are we sure there are no other weaknesses as yet undiscovered?

If you are sure, then I’m very impressed, but also very skeptical. The Internet has created a highly asymmetric threatscape which manifests itself in two key realities. First, defenders have to get things 100% right 100% of the time, but attackers seeking to penetrate your systems only need to find one hole to get in. Second, attackers seeking to damage your systems can probably marshal more resources than you. Don’t believe me? As currently implemented, the architecture of the Internet enables a wide range of denial of service attacks, and new types of attack continue to emerge, like the SSDP attacks described here. Bear in mind that the number of devices that could be recruited for such attacks is more like 14 million than the 4 million originally reported.

Reason #4 not to hack back: known unknowables

Anyone who has followed the saga of the Sony Pictures hack will know how hard it is to know who is attacking you. While the FBI says it was North Korea, there are plenty of security experts who are skeptical of that claim. Some signs point to insiders, or Russian-speaking persons, or “the Chinese”. A group called Guardians of Peace claims it was them, but who are they? The technical term for this mess is: the attribution problem. It is a very tough problem to solve, but here’s the thing: it is a known problem, which means you may not get much sympathy if you hack back at the wrong person because you messed up the attribution. To put this another way, if you have enough evidence to prove who is attacking you, why not hand it over to law enforcement and have them take legal action? A lot of folks in law enforcement would love to bring an ironclad criminal hacking case to court.

For a real world example of hard attribution can be, consider the case of Georbot, a malware-based hacking campaign apparently targeting government systems in Georgia (the country, not the U.S. state). When this information-stealing botnet was discovered by ESET researchers they took apart the code and monitored the command and control activity (report published March 2012); however, even then they could not be sure who was responsible. The official line from the government of Georgia was that Russia was responsible, a claim backed up with a photo of a “Russian-based hacker” sitting at his keyboard, snapped by his webcam. When elections were held in the fall of 2012, power shifted to the Georgian Dream opposition coalition of billionaire businessman Bidzina Ivanishvili. In 2013, I spoke with a source close to Mr. Ivanishvili who described in detail how the malware campaign had actually targeted members of the opposition movement, at the behest of people within the previous Georgian government. In other words: attribution is hard. Getting attribution wrong can have serious consequences.

Reason #5 not to hack back: it doesn’t solve the problem

Suppose you do know exactly who has hacked into your network and you hack back at them without causing collateral damage. What have you gained besides a righteous sense of satisfaction? Are you sure that’s the end of that threat? What have you done to stop someone else attacking you? I think some organizations entertain a scenario in which their counterstrike capability earns them a reputation as the guys with whom you do not mess. That scenario assumes all criminal hackers are rational actors, a very dangerous assumption given the history of hacking.

More importantly, hacking back does nothing to bring us closer to the desired goal of a well-ordered Internet governed by rules of behavior that are enforced by appropriate authorities. For a look back at previous discussions of hacking bank there is a good article with plenty of links at Bank Info Security.

(If you disagree with any of the points I’ve made here, please leave a comment and let me know why.)

 

Author Stephen Cobb, ESET

  • John Strand

    I wanted to take a few moments and respond to this post.

    First, I am very glad to see the contrast between Strike Back and Deception. However, I do not believe that this covers the range of options effectively. There is a whole other area of attribution. It is legal to use techniques like Word Web Bugs and other geolocation methods to identify where an attacker is. We do it all the time in a whole host of other software which has little to do with security. Please Google Honey Badger and Word Web Bugs to find out more.

    Then, read the ruling on the following case:

    http://www.huffingtonpost.com/2011/09/07/susan-clements-jeffrey-absolute-software_n_951943.html

    The judges position is very clear on violation of wiretap laws and location information. Simple point, location is OK. Access without a warrant is bad.

    Now, while I was very happy with the beginning of the article. The rest is just terrifying.

    For example, #3…. Let me be very clear. If we are unwilling to escalate the risk associated with attacking networks, we have lost. Plain and simple. This also gets to number 5 as well, but I will get back to that in a moment. I have heard this reaction from many people in security and a large number of grade schoolers dealing with bullies. Do not allow yourself to be a victim. Fight back. Just be smart about it.

    For #4… Active Defense can be used to reduce the unknowables. Right now, take a few moments and honestly tell me, with current security technologies, how our ability to observe stacks up against the attackers ability to observe our networks leading up to an attack…. Back? Good, because the only true answer is our ability to observe is horrible. And as you stated, Cyber Deception is a good way to improve that balance. If however, you believe the current state of security is OK… Please read the Verizon Data Breach reports. Go to detection methods.. And cry. Current security tech is failing… Badly.

    For #5.. Yes it can help solve the problem. One of the main drivers of any type of crime is the perception of risk associated with committing a crime. It is not the only factor, but it is a large one. If there is a greater risk (perceived or otherwise) attackers will think twice about attacking if they think they can get caught. It will reduce the number of attacks.

    There is one key thing to keep in mind any time one tries to implement Active Defense, think poison, not venom. Poison is something the attacker needs to take. Venom is something which needs to be injected.

    If you are moving to strike back.. Always get a warrant. Every time.

    Finally, I would ask anyone reading this article to check out the following resources before jumping in to Active Defense:

    A full VM with all the Active Defense bells and whistles:

    http://sourceforge.net/projects/adhd/

    Below are a couple of DerbyCon presentations on the topic:

    http://www.irongeek.com/i.php?page=videos/derbycon3/3207-john-strand-hacking-back-active-defense-and-internet-tough-guys

    https://www.youtube.com/watch?v=p0gWAbMjg1U

    And remember, strike back is illegal without a Warrant. Think poison, not venom.

    Thanks for contributing to the discussion,

    John Strand

    • Stephen Cobb

      John,

      Thank you for taking the time to present such a detailed response. First, let me be clear that this article was not intended to be a full exposition of the many different forms of Active Defense, nor a flat-out rejection of Active Defense. I pointed readers to one article, on deception, just as an example.

      However, i stick by my assertion that companies engaging in counter-striking does not help. I do not see it significantly raising the perception of risk on the part of the criminals. And if it does, it will only raise the risk of attacking those few targets that can afford to mount a counterstrike. I don’t see “hacking back” being a reliable and affordable solution that the average business can easily install.

      Besides, my other assertion is that lawful, government action should be the primary active response. Maybe I did not make that clear (I have a post in the works that should clarify the point and I thank you for prodding me into finishing it up sooner rather than later).

      For example, no country should harbor bullet-proof hosting of criminal activity. No country should refuse to hand over hacking suspects for trial. Making progress on just these two items would raise the risk factor for cybercrime more than the chance that some big corporation is going to try and take your systems down.

      Let’s say your security team identifies the attacker as someone operating via a bulletproof host in Ickistania. I don’t see hacking back as a way to stop that. But I do see real potential for an offer like so: “Shutdown that ISP or we’ll delay your next aid payment and throttle your connections to the rest of the world.”

      On one point we do agree. Security at many organizations could be a lot better than it is. But the only way to end the arms race in cyberspace is international cooperation and accords. That and delivering a big dose of political and economic stability to the more troubled regions of the world.

      Stephen

Follow us

Copyright © 2016 ESET, All Rights Reserved.