The topic has been kicked around so much that there are now government commissions issuing reports and senators are chiming in. Private industry and corporations alike are talking about “hack-back.” It’s no secret I believe that “hack-back” is a bad idea, for many reasons. The conversation on Twitter yielded little favor for “hack-back” in my circle of friends/followers, as Wireheadlance questioned the long-term benefits, and Tadd Axon even had trouble with any provable short-term benefits.
The short version is this: if you look at the enterprise space, I believe “hack-back” is applicable, as anything more than a fancy idea, to only about ~.05 percent of organizations. There are a few reasons for this, including resources, attribution, and others I outline in an article I published last week.
As I was thinking about how best to explain why “hack-back” is a bad idea to the executives I talk to, an analogy from my childhood came to mind. As a kid I went to one of those average schools in suburbia. Kids followed the playground rule of “If you hit me, I’ll hit you back until someone wins.” The problem with this approach is that it almost always ended with either the recess bell calling us back from the playground or, more likely, a teacher breaking up a massive brawl.
You see, when someone hits you and the only way you perceive to stop them is to hit back, you have to make sure you are in a position where your hit-back will be the end of the incident. In the primary school where I went this was rarely the case. I bet you’re thinking that Information Security professionals and enterprises don’t behave like primary schoolers — right? If that’s the case you’ve clearly not been around the industry long!
Anyway, when Kid A smacks another, Kid B hits back, and then they start beating on each other; a tap can quickly escalate to punches, and the brawl starts to pull in friends, bystanders and other kids who had no interest in engaging in a fight. What started out as one quiet kid getting lightly picked on by a bigger kid can quickly escalate into a big-time brawl. I witnessed this, and even had the displeasure of being at the center of this type of thing in primary school many times, so I can tell you it’s a fact.
So now let’s move onto how “hack-back” is different in the enterprise than on a primary school playground. There are clear differences, but I don’t think they are great enough to make one case inapplicable to the other.
First off, in cyberspace attribution is a little harder. On the playground you can see the person who hit you … well, almost always. Sometimes you’re turned around, standing in line waiting to get into school, and from behind you somewhere someone flicks the back of your ear. It hurts. So you turn around to hit back except that you have no idea who hit you. None of the other kids want to get hit, so they won’t easily give up the person who did the flicking. You’re left deducing the antagonist on your own, and odds are good you’re going to retaliate against the wrong person. It happens all the time!
Now in cyberspace we can track IP addresses and TTPs from specific threat actors, which smart analysts and researchers tell us is a viable way to perform attribution. I agree with them, largely, but there’s a fault there. An IP address in Chinese address space SQL-injecting your enterprise applications is hardly a smoking gun that Chinese APTs are after you. Attackers have been using others’ modus operandi to mask their identities for as long as spy games have been played. Attackers have been known to use compromised machines and proxies in hostile countries for as long as I can remember caring, “bouncing through” them to attack you. Heck, many of the attacks that appear to originate from the nation-states we suspect are hacking us may very well be coming from a hacker at the coffee house next door to your office, using multiple proxies to mask their true origin. This is just good OpSec, and attackers use this method all the time; let’s not kid ourselves.
The next big problem you have if you’re turning around to retaliate after your ear has just been set afire by a strong flick from behind is the size and strength of the kid who hit you. What if you’re an average-sized kid and the person who just hit you is a big bully? You hit him or her back and then what? A punch to the face or an atomic wedgie, that’s what. Now you’ve incurred the wrath of the bully, whereas the flick was just a playful thing without intent to really hurt. This is how things escalate. In the enterprise it’s the same thing. If your forensics tell you that you’re being attacked from a specific origin, going and attacking them back may actually make things much worse.
Let’s say you find an attacker originating from within the Russian Federation IP space. You locate, identify and strike back at the system being used to attack you — completely disabling it. Now maybe that system is no big deal, or maybe you’ve now taken down a critical Russian government server and caused a diplomatic incident. I know this is an extreme case, but the point is no less valid.
Remember folks, the saying “an eye for an eye” leaves the whole world blind. The idea of “hack-back” is best left to 007 and his army of hacker-geeks, because in real life unless you’re part of that .05 percent, you’re likely to make things worse for yourself. Maybe this is just one of those things enterprises leave up to the professionals if they find themselves in dire straits with no other options.
All that being said, “Active Defense” as some have described it is both achievable and doesn’t appear to violate any international law. But more on that in a future post.
Cross Posted from Following the Wh1t3 Rabbit