Rarely a day goes by without mention of a targeted attack against some government-related website, massive disruptions in online banking services, or critical vulnerabilities in specialized software running our power plants and water supplies. And all the while, IT and security organizations have thought little about fighting back. Their options were limited to better patching, more security hardware and new firewall rules. That dynamic is changing because the buzzwords active defense and hacking back are creeping into conversations between vendors and customers, IT managers and executives, executives and legal teams.
The thinking is twofold: How can we either trace attacks back to their origin and take hackers out on their own turf; or how do we frustrate attackers on our own networks and drive up the cost of an attack to the point where they move on?
“[Hacking back] is one of those things that’s not even up for discussion as far as security is concerned,” said Michael J. Keith, security associate with Stach & Liu. “That’s one thing you don’t do.”
Aside from the fact that hacking back is as much a violation of the Computer Fraud and Abuse Act as are the actions of the parties invading your networks, correct attribution of the attacks against your networks are close to impossible.
“You could do a ping and find the IP address of the computer that is attacking you. And if you take it out, that could be an innocent party that has now been infiltrated by you,” said Randy Sabett, counsel at ZwilGen, a Washington, D.C., law firm. “You may soon find out you took down an e-commerce website that does $100,000 a day in business and you could be facing that in a civil action. Or worse, you could take out a computer that’s part of critical infrastructure. All kinds of bad can happen. Attribution is the most significant issue when it comes to this.”
Hackers often use compromised third-party computers to attack their targets, the best example being a botnet of tens of thousands of computers firing spam or bad traffic at a website in a denial-of-service attack.
“Attribution is so hard with today’s open Internet, the lack of authentication and the way protocols were developed,” Sabett said. “You don’t know who the ultimate source of the attack is.”
While hacking back is not typically a consideration in commercial circles, it certainly is part of the discussion on a government and military scale. Yet, in those instances, attribution is equally difficult and important. The U.S. government has been vocal about offensive security for some time, publicly speaking about it at security conferences, and most recently when former defense secretary Leon Panetta issued a declaratory policy that if an incident causes harm to American lives, there would be retribution on some level, be it a military or cyberattack.
The response isn’t clear on that playing field because the ground rules have not been laid out. There are no formal rules of engagement for cyberattacks on U.S. assets despite state-sponsored attacks such as Aurora against American companies, and espionage campaigns such as Stuxnet and Flame against nuclear and strategic targets in Iran and elsewhere in the Middle East.
On the corporate level, the liability is a little clearer.
“There’s never an instance where you want to break computer crime laws as attackers do,” said Paul Asadoorian, host of the popular PaulDotCom podcast, SANS Institute instructor, and a pen-tester with Tenable Network Security. “There are real reasons why it’s a bad thing. How effective are you going to be if you’re attacking attackers back? You’re not going to truly effect change by singling out one attack and attacking back. Another reason is that you don’t know who you are hacking back. They could have compromised any computer and used that as a jumping off point. You could be committing a crime against another government or large financial, and that would end badly.”
For now, only the largest organizations with the best IT resources are likely to be among the few considering hacking back. And those conversations likely begin and end among IT and coders, and don’t involve executives or general counsel—at least at the outset. And there would have to be considerable monetary losses involved as well, experts said, for it even to be an option. Even then, the benefits to tracing attacks back and taking down the last system to DDoS your organization or to delete your data copied to a FTP server are next to nil. The system carrying out the DDoS attack is likely a bot, and the FTP server would likely be compromised.
“I don’t understand why that would be viewed as a benefit to a company, other than the fact they may be able to do a better postmortem without involving authorities,” said Stach & Liu’s Keith. “Then again, to do that, you have to have a Charlie Miller to pull it off.”
Part two of this two-part series will cover active defense techniques and the legal and ethical questions surrounding active defense.