Another Reason Hacking Back is Probably a Bad Idea

Thursday, June 20, 2013

Rafal Los


The topic has been kicked around so much that there are now government commissions issuing reports and senators are chiming in. Private industry and corporations alike are talking about “hack-back.” It’s no secret I believe that “hack-back” is a bad idea, for many reasons. The conversation on Twitter yielded little favor for “hack-back” in my circle of friends/followers, as Wireheadlance questioned the long-term benefits, and Tadd Axon even had trouble with any provable short-term benefits.


The short version is this: if you look at the enterprise space, I believe "hack-back" is applicable as more than just a neat idea to only about 0.05 percent of organizations. There are a few reasons for this, including resources, attribution, and others I outline in an article I published last week.


As I was thinking about how best to explain why "hack-back" is a bad idea to the executives I talk to, an analogy from my childhood came to mind. As a kid I went to one of those average schools in suburbia. Kids followed the playground rule of "If you hit me, I'll hit you back until someone wins." The problem with this approach is that it almost always ended with either the recess bell calling us back from the playground or, more likely, a teacher breaking up a massive brawl.


You see, when someone hits you and the only way you perceive to stop them is to hit back, you have to make sure you are in a position where your hit-back will be the end of the incident. At the primary school I went to this was rarely the case. I bet you're thinking that information security professionals and enterprises don't behave like primary schoolers — right? If that's the case you've clearly not been around the industry long!


Anyway, when Kid A smacks another, Kid B hits back, and then they start beating on each other. A tap can quickly escalate to punches, and the brawl starts to pull in friends, bystanders and other kids who had no interest in engaging in a fight. What started out as one quiet kid getting lightly picked on by a bigger kid can quickly escalate into a big-time brawl. I witnessed this, and even had the displeasure of being at the center of this type of thing, many times in primary school; I can tell you it's a fact.


So now let's move on to how "hack-back" is different in the enterprise than on a primary school playground. There are clear differences, but I don't think they are great enough to make one case inapplicable to the other.


First off, in cyberspace attribution is a little harder. On the playground you can see the person who hit you … well, almost always. Sometimes you’re turned around, standing in line waiting to get into school, and from behind you somewhere someone flicks the back of your ear. It hurts. So you turn around to hit back except that you have no idea who hit you. None of the other kids want to get hit, so they won’t easily give up the person who did the flicking. You’re left deducing the antagonist on your own, and odds are good you’re going to retaliate against the wrong person. It happens all the time!


Now in cyberspace we can track IP addresses and TTPs from specific threat actors, which smart analysts and researchers tell us is a viable way to perform attribution. I largely agree with them, but there's a fault there. An IP address in Chinese address space SQL-injecting your enterprise applications is hardly a smoking gun that Chinese APTs are after you. Attackers have been borrowing others' modus operandi to mask their identities for as long as spy games have been played. For as long as I can remember caring, attackers have been known to use compromised machines and proxies in hostile countries to "bounce through" on their way to attacking you. Heck, many of the attacks that appear to originate from the nation-states we suspect are hacking us may very well be coming from a hacker at the coffee house next door to your office, using multiple proxies to mask their true origin. This is just good OpSec, and attackers use this method all the time; let's not kid ourselves.
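To show concretely why the apparent origin of an attack is weak evidence, here is an added example (mine, not code from the post or from Infosec Island). It parses a small constructed WAF log, looks each source IP up in constructed GeoIP and proxy/compromised-host tables (assumptions standing in for real feeds), and labels how much the country of origin is actually worth as an attribution signal.

```python
import ipaddress
import re

# Constructed sample WAF log (not from the post): SQL-injection hits from three sources.
WAF_LOG = """\
2013-06-20T10:01:02Z src=198.51.100.17 rule=sqli path=/login
2013-06-20T10:01:05Z src=198.51.100.17 rule=sqli path=/search
2013-06-20T10:02:11Z src=203.0.113.44 rule=sqli path=/login
2013-06-20T10:03:40Z src=192.0.2.9 rule=sqli path=/admin
"""
# Constructed lookups standing in for a GeoIP feed and a proxy/compromised-host
# blocklist (assumptions; all ranges are RFC 5737 documentation space).
GEOIP = {"198.51.100.0/24": "RU", "203.0.113.0/24": "CN", "192.0.2.0/24": "US"}
KNOWN_PROXY_RANGES = ["198.51.100.0/24", "203.0.113.0/24"]
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) rule=(?P<rule>\S+) path=(?P<path>\S+)$")


def parse_log(text):
    """One dict per well-formed line; malformed lines are skipped rather than guessed at."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def matching_ranges(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return [c for c in cidrs if addr in ipaddress.ip_network(c)]


def assess_sources(text):
    """Per source IP: apparent country, hit count and an attribution label.
    'low' = address is in a known proxy/compromised-host range, so the country tells
    you nothing about the actor; 'unverified' = not flagged, but still only a hop."""
    report = {}
    for ev in parse_log(text):
        src = ev["src"]
        if src not in report:
            geo = matching_ranges(src, GEOIP)
            flagged = bool(matching_ranges(src, KNOWN_PROXY_RANGES))
            report[src] = {"country": GEOIP[geo[0]] if geo else "??", "hits": 0,
                           "attribution": "low" if flagged else "unverified"}
        report[src]["hits"] += 1
    return report


def country_counts(text, discount_proxies=False):
    """Hits per apparent country, as an 'attacked from' dashboard would show them; with
    discount_proxies=True, hits from flagged ranges are binned as 'unknown' instead."""
    counts = {}
    for v in assess_sources(text).values():
        key = "unknown" if discount_proxies and v["attribution"] == "low" else v["country"]
        counts[key] = counts.get(key, 0) + v["hits"]
    return counts
```

On this sample the naive dashboard reports two hits from Russia and one from China, while the discounted view reports three hits of unknown origin, which is all the evidence actually supports.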


The next big problem you have, if you're turning around to retaliate after your ear has just been set afire by a strong flick from behind, is the size and strength of the kid who hit you. What if you're an average-sized kid and the person who just hit you is a big bully? You hit him or her back, and then what? A punch to the face or an atomic wedgie, that's what. Now you've incurred the wrath of the bully, whereas the flick was just a playful thing without intent to really hurt. This is how things escalate. In the enterprise it's the same thing. If your forensics tell you that you're being attacked from a specific origin, going and attacking them back may actually make things much worse.


Let’s say you find an attacker originating from within the Russian Federation IP space. You locate, identify and strike back at the system being used to attack you — completely disabling it. Now maybe that system is no big deal, or maybe you’ve now taken down a critical Russian government server and caused a diplomatic incident. I know this is an extreme case, but the point is no less valid.


Remember, folks, as the saying goes, "an eye for an eye" leaves the whole world blind. The idea of "hack-back" is best left to 007 and his army of hacker-geeks, because in real life, unless you're part of that 0.05 percent, you're likely to make things worse for yourself. Maybe this is just one of those things enterprises leave up to the professionals if they find themselves in dire straits with no other options.


All that being said, "Active Defense" as some have described it is achievable and doesn't appear to violate any international law. But more on that in a future post.

Cross Posted from Following the Wh1t3 Rabbit  

Gregory MacPherson: There is only one valid argument against "hack back" - why would I steal your data unless I gain some competitive advantage over you by the theft?

The Russians just want to steal money. So yes, we can hack them back and steal their money too. And it goes on and on and on…but Europe and America are broke anyway so let’s have some fun, right?

Regarding the PRC and the USA, the USA has had the competitive advantage over the rest of the world for - oh one hundred years. The PRC did not have a space program, or aircraft carriers, or stealth fighters. They could spend decades developing those technologies (maybe) or they could steal them from the USA.

The USA has a problem with "hack back" - Americans already know how to make gunpowder and spaghetti (and any other innovative things that the PRC might have). So why steal what you already know?

The whole "they might hit you back harder" argument just reeks of timidity, which is not a wise posture when one is in a WAR, information or otherwise.

Rafal Los: Gregory - I think your position is a little too forward, but then that's my opinion. The problem with escalating tensions is that right now the US and China are intertwined financially and politically - neither can really afford to poke at the other on official channels or allow escalations, although rhetoric has been thick lately.
I'm not sure what the final outcome will be, but vigilantism is just a bad idea.
Gregory MacPherson: Huh?!? Vigilantism?!? Wow, someone needs to re-read my post...

China has diddly-squat competitive advantage that the USA wants (besides more Yuan to borrow for their profligate Congress). So why would the USA hack them?

Yes, China has stolen all of the USA competitive advantage. Like a girlfriend who no longer interests, the USA is in jeopardy of being "dumped".

The only strategy that the USA (Britain, Germany, etc.) can adopt now is (a) secure against the known threats, (b) post guards against future threats, and (c) start over with the innovation operation.

BTW what does "far forward" mean?

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.