Rarely a day goes by without mention of a targeted attack against some government-related website, massive disruptions in online banking services, or critical vulnerabilities in specialized software running our power plants and water supplies. And all the while, IT and security organizations have thought little about fighting back. Their options were limited to better patching, more security hardware and new firewall rules. That dynamic is changing because the buzzwords "active defense" and "hacking back" are creeping into conversations between vendors and customers, IT managers and executives, executives and legal teams.

The thinking is twofold: either trace attacks back to their origin and take hackers out on their own turf, or frustrate attackers on our own networks and drive up the cost of an attack to the point where they move on.

“[Hacking back] is one of those things that’s not even up for discussion as far as security is concerned,” said Michael J. Keith, security associate with Stach & Liu. “That’s one thing you don’t do.”

Aside from the fact that hacking back is as much a violation of the Computer Fraud and Abuse Act as are the actions of the parties invading your networks, correct attribution of the attacks against your networks is close to impossible.

“You could do a ping and find the IP address of the computer that is attacking you. And if you take it out, that could be an innocent party that has now been infiltrated by you,” said Randy Sabett, counsel at ZwilGen, a Washington, D.C., law firm. “You may soon find out you took down an e-commerce website that does $100,000 a day in business and you could be facing that in a civil action. Or worse, you could take out a computer that’s part of critical infrastructure. All kinds of bad can happen. Attribution is the most significant issue when it comes to this.”

Hackers often use compromised third-party computers to attack their targets; the best example is a botnet of tens of thousands of infected machines firing spam or junk traffic at a website in a denial-of-service attack. The source address you see in your logs belongs to one of those victims, not to whoever is controlling them.

“Attribution is so hard with today’s open Internet, the lack of authentication and the way protocols were developed,” Sabett said. “You don’t know who the ultimate source of the attack is.”

While hacking back is not typically a consideration in commercial circles, it certainly is part of the discussion on a government and military scale. Yet, in those instances, attribution is equally difficult and equally important. The U.S. government has been vocal about offensive security for some time, speaking about it publicly at security conferences, and most recently when former defense secretary Leon Panetta issued a declaratory policy that if an incident causes harm to American lives, there would be retribution on some level, be it military or a cyberattack.

The response isn’t clear on that playing field because the ground rules have not been laid out. There are no formal rules of engagement for cyberattacks on U.S. assets, despite state-sponsored attacks such as Aurora against American companies, and sabotage and espionage campaigns such as Stuxnet and Flame against nuclear and strategic targets in Iran and elsewhere in the Middle East.

On the corporate level, the liability is a little clearer.

“There’s never an instance where you want to break computer crime laws as attackers do,” said Paul Asadoorian, host of the popular PaulDotCom podcast, SANS Institute instructor, and a pen-tester with Tenable Network Security. “There are real reasons why it’s a bad thing. How effective are you going to be if you’re attacking attackers back? You’re not going to truly effect change by singling out one attack and attacking back. Another reason is that you don’t know who you are hacking back. They could have compromised any computer and used that as a jumping off point. You could be committing a crime against another government or large financial, and that would end badly.”

For now, only the largest organizations with the best IT resources are likely to be among the few considering hacking back. And those conversations likely begin and end among IT staff and coders, and don’t involve executives or general counsel, at least at the outset. There would also have to be considerable monetary losses involved, experts said, for it even to be an option. Even then, the benefits of tracing attacks back and taking down the last system to DDoS your organization, or deleting your data from the FTP server it was copied to, are next to nil. The system carrying out the DDoS attack is likely a bot, and the FTP server is likely itself a compromised third-party host.

“I don’t understand why that would be viewed as a benefit to a company, other than the fact they may be able to do a better postmortem without involving authorities,” said Stach & Liu’s Keith. “Then again, to do that, you have to have a Charlie Miller to pull it off.”

Part two of this two-part series will cover active defense techniques and the legal and ethical questions surrounding active defense.


Categories: Hacks

Comments (8)

  1. Anonymous

    right, just continue to drop those attackers off at your firewall, block the origin IPs, don’t let any ASN from outside the US in, and oh yeah just roll over and let them have their way?

    no wonder the criminal is happy in cyberspace, no one fights back.

    I say track ’em down like we did bin Laden and take ’em out. You will see the cowards stop the abuse quickly, once firearms are introduced in the mix.

  2. Anonymouse

    I do it all the time, just not from my employers network.

    Now that I think of it, my neighbors must look like some real cyber bad azzes. lol

  3. Conrad Constantine

    I say track ’em down like we did bin Laden and take ’em out. You will see the cowards stop the abuse quickly, once firearms are introduced in the mix.

    that’s all fine and dandy, but non-government orgs do not have the resources or the authority to do this. Meanwhile ‘hacking back’ achieves nothing – computing power is ubiquitous and agility is intrinsic to being an attacker – there is literally nothing you can do to significantly destroy an attacker’s ability to continue to attack; likewise, tracking down and identifying them without government cooperation in the process is utterly futile.

    So for all you armchair generals out there decrying how “no wonder the criminal is happy in cyberspace, no one fights back,” let’s hear your detailed implementation plans for ‘fighting back’ then – I’ve yet to see any of you pony up any real implementations for ‘fighting back’ beyond vague chickenhawking and saber rattling.

  4. Richard Steven Hack

    And it only took them over ten years to find bin Laden – with all the resources of the US government involved (unless of course you subscribe to the theory that they really didn’t WANT to find him since he was so useful as a “boogeyman.”)

    Some corporations may well have the ability to hire security personnel capable of tracking down a given individual, even via computer. The cost of that operation would be enormous and the cost-benefit would depend entirely on the threat. In ninety percent or more of cases, it would be wasteful. In the remaining ten percent, it’s likely it would be ineffective due to the skill of the attacker.

    It would also be difficult to cost-justify such an expense as compared to merely cooperating with law enforcement. The larger the corporation that can afford such an expense, the more likely that corporation will get adequate cooperation from law enforcement, making expending its own personnel less justified.

    The reality is that in the legal society that has been created, “fighting back” is legally risky, whether it is beating down a mugger, shooting a burglar or hacking the hacker. This may be unfortunate, but it is the reality.

  5. David Willson

    This article is somewhat shortsighted.  The naysayers always jump right to the worst case scenario, “you will take down the life support for a hospital.”  Not likely, and you might want to find out which hospitals put their life support on the net and avoid them.  Also, attribution almost impossible?  This statement is obviously from someone who has not studied the problem.  Hackers are human and therefore creatures of habit using the same code, same language, same tools and techniques, etc.  And, as Stewart Baker says, their security sucks just like ours.  Active Defense is about “out of the box” thinking and innovative ideas and ways to solve a difficult and increasing problem.  Jumping to the conclusion that anything “Active Defense” or “hack back” is illegal is assuming you know all the facts, variables, scenarios, etc.  Active Defense must be a well planned and surgically executed operation.  Now, as to whether it is economical?  That is a decision for company leadership, who MUST be in the loop making the decisions, not IT. 

  6. Conrad Constantine

    Correct – attribution is possible (and extremely fun!), but once you have attribution, there are very few things you can do to ‘strike back’ that are even remotely legal without government assistance.

    Except one thing – name-and-shame. Stop keeping your super-sekrit intel to yourself; attribute, identify and publish – there’s not a damn thing wrong with that in most cases. (And, money where my mouth is, the team I work with does just that.)

  7. Anonymous

    If you want to stop the attacks, there are two possible roads you can follow – at the same time if you really want to. I will preface this by saying that all software has bugs, whether the developers want to admit it or not, whether your code is decompilable or not, whether it is the microcode in a Cisco router, or a web browser or a flash game, there are bugs that can lead to exploitation. So road 1 is to write better code. You’ll never get all the bugs in a system ironed out, but, you know what? I find 10x the number of inherent bugs in code that was written ‘offshore’ than I do in code that was written ‘onshore’. Take that as you will. The other road is to just block IP ranges. Don’t block single IP addresses, start at the /24 – and move up from there. When an entire country is unable to access Google or Facebook or some site that they ‘need’, and they come complaining, tell them to find the bad guys; they are the people causing you to not be able to access these resources that you so desperately need. While, where the justice system is concerned, we’d rather let ten guilty men go free than imprison one innocent man, I think the opposite should be true for our online information. It is better that ten non-attackers be denied access than one attacker gain access.
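    The "start at the /24 and move up" approach in the comment above, and the article's point that the addresses you see belong to compromised intermediaries rather than the attacker, can be put side by side in a few lines. The script below is an added example, not part of the comment or the article: it takes a constructed list of attack sources (RFC 5737 documentation ranges, not real networks) and a hypothetical escalation policy (widen any /24 with three or more observed attackers to its /16), then reports, for each resulting block, how many addresses actually attacked and how many bystanders are denied along with them. `plan_blocks`, `ATTACK_SOURCES` and the three-hit threshold are all assumptions for illustration.

```python
"""Added example (not from the article or its comments): what "block the /24
and move up" actually sweeps in, measured against the attackers it catches."""
import ipaddress
from collections import Counter

# Constructed sample of source addresses seen during a flood. These are
# RFC 5737 documentation ranges; no real network is referenced.
ATTACK_SOURCES = [
    "198.51.100.7", "198.51.100.9", "198.51.100.200",
    "203.0.113.14", "203.0.113.77", "203.0.113.78", "203.0.113.79", "203.0.113.80",
    "192.0.2.1",
]


def plan_blocks(sources, start_prefix=24, widen_to=16, min_hits=3):
    """Hypothetical blocking policy, assumed for this example.

    Every source is first mapped to its /start_prefix. Any such prefix that
    contains at least min_hits attackers is widened to /widen_to ("move up
    from there"). Adjacent prefixes are merged. For each final block the
    report gives the attackers inside it and the bystanders denied with them.
    """
    attackers = [ipaddress.ip_address(s) for s in sources]
    hits_per_prefix = Counter(
        ipaddress.ip_network(s).supernet(new_prefix=start_prefix) for s in sources
    )
    chosen = set()
    for net, hits in hits_per_prefix.items():
        chosen.add(net.supernet(new_prefix=widen_to) if hits >= min_hits else net)

    report = []
    for net in ipaddress.collapse_addresses(chosen):
        inside = sum(1 for a in attackers if a in net)
        report.append({
            "prefix": str(net),
            "attackers": inside,
            "bystanders": net.num_addresses - inside,
        })
    return report


def bystanders_per_attacker(report):
    """Ratio the comment implicitly accepts ("ten non-attackers for one")."""
    denied = sum(b["bystanders"] for b in report)
    caught = sum(b["attackers"] for b in report)
    return denied / caught if caught else float("inf")


if __name__ == "__main__":
    plan = plan_blocks(ATTACK_SOURCES)
    for block in plan:
        print(f"{block['prefix']:>18}  attackers={block['attackers']:<3} "
              f"bystanders={block['bystanders']}")
    print(f"bystanders denied per attacker caught: {bystanders_per_attacker(plan):.0f}")
```

    With the constructed input, the two /24s that crossed the threshold become /16s, so nine attacking addresses cost 131,319 bystander addresses, roughly 14,600 per attacker rather than the ten the comment allows for; and because the caught addresses are the bots or compromised hosts the article describes, the blocks still reach no one who actually launched the attack. Running it with `min_hits=100` (no widening) shows the /24-only variant at 759 bystanders, which is the number to weigh before escalating.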

  8. Nara

    There’s one way I can think of right now to strike back without risking a high chance of losing a lawsuit. I see my network as equal to my house: when I don’t want thieves to get in easily, I build a fence; if I want thieves to think a zillion times before entering my house, I’ll build an electric fence and/or keep 5 pitbull dogs.

    In the case of our real house, building an electric fence is of course unthinkable for most, since not only will it cost a lot, but there’s also a risk that an oblivious passerby might accidentally touch it. With our network, though, a system that works like an electric fence or 5 pitbull dogs can become a good solution to “attack the hacker without attacking”.

    So, I believe now you all understand what my idea is, right? Yes, it is to create a firewall that actually burns the hacker’s system by default. The system will be automatically executed when it detects an unauthorized system trying to take control of our computer and network.

    Of course, as you’ve already said above, the hacker could use a third-party computer network to hack us, but so does a thief who uses a stolen car to break through our electric fence. The logic here is, the law can’t sue us for the loss of the stolen car’s owner when a thief uses their car to try to break through our electric fence. The same logic goes with my idea here: the law can’t (or at least it will be hard to) logically sue us for having a firewall that burns any computer used to hack us, whether it’s third-party property or not, since the fault is on the hacker’s part; the one who should be tracked and sued for the damage to the third-party computer network is the hacker, not the fence owner and builder.

    So, now I believe there’s no more excuse about the legal system that could be used not to start being more aggressive toward hackers… unless of course any of you can point out a valid reason why it’s still risky from a legal point of view.

    Now that’s my share of ideas regarding this; don’t ask me how to create it since I’m nowhere near a programmer in skill. This is the anti-virus brands’ job, to find out if they can make the firewall that burns.
