I’ve been meaning to write this literally for years. But now all this hoopla around “Active Cyber Defense Certainty Act” [PDF] (aka “the Hackback Law”) has triggered me into action.
Let’s start from the obvious – hilarity will ensue:
OMG, people are *seriously* debating this new hack-back law. So wow. Refer the dude to the insane asylum and be done with it 🙂
— Dr. Anton Chuvakin (@anton_chuvakin) May 23, 2017
So, yes, we can all make fun of it (yo ho, AC/DC is now law!), of course. However, this post is not about how difficult, funny, or ethically questionable it may be.
This is about how USEFUL it can be. Perhaps my imagination is weak today, but I am having trouble envisioning the scenarios where any hack-back actually delivers value to the non-government defender. Frankly, all the scenarios I envision are kinda idiotic:
- They steal your data, and then you hack them, find the only copy they have and delete it (because hackers never back up and can never hack you again?)
- They send you malware, you find them and send them … 1] the same malware 2] different malware 3] fake malware just to scare them?
- 1] They DDoS you, you DDoS them. 2] ???? 3] Profit!
- They hack you and get your corporate secrets, then you hack them and … steal theirs? dox them? format their machines? All sound very iffy…
- They hack you and plant a logic bomb (BTW, I cringe when I write this!) on your ICS systems, you hack them and actually destroy their ICS electrical systems, thinking that if they don’t have electricity they cannot hack. Sadly, they decide to nuke you 🙁 since they liked their electricity. Boom!
- Perhaps, they hack you – you hack them, and install a beacon on their laptop/phone. When the device beacons from a country where your government can arrest them, you call dispatch_fbi_team(location) API and they get arrested within minutes?
So, help me out. Ethics and attribution challenges aside, what are the cases where “hacking back” will be:
- actually useful to the enterprise, and
- more useful than the alternatives (get a better firewall, hire threat hunters, etc.)?
Otherwise, I feel the inherent asymmetry of “cyberspace” attack and defense kicks in and derails my thinking 🙂
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Yes. This “hackback” phenomenon is real, at least in terms of its adoption as a phrase, rather than something which CEHs in 9-to-5 private orgs actually do. I’m trying to think of a real “canary in the coal mine” indicator in terms of a forewarning of “we’re in big trouble” in infosec. This “hack back” nonsense is one such canary. We had another one recently where a 2001-style network-propagated worm made a comeback, because organisations were opening SMB ports to the Internet. But yes – “hack back” and its widespread adoption as a phrase – this is bad. Really bad.
Ian, thanks for the insightful comment! I love your concept of “canary comment” that serves as a leading indicator of ignorance. I can guess it works for both specific people and the entire industry too (“we are in big trouble” if we need to tell people to a/ disable telnet and b/ no SMB from the internet) and c/ pentest != vuln assessment 🙂
Strike-back, in a cyber context, would work best as a very-tight OODA loop in a stimulative-intelligence scenario at a very-low layer.
How tight? How low? I imagine that it would be fully-automated at the machine layer. For example, as EIP is being overwritten and before shellcode has a chance to pop, a faster exploit pops the remote host performing that initial EIP overwrite and crashes the thread or process that would stage in shellcode.
Offensive capabilities in cyber are about speed and are measured at the nanosecond level. It’s about on-going, always-on TECHINT tradecraft (think ANT Catalog, not cyber deception via cyber threat intelligence, or the idiot-of-the-week version of pen testing, vuln scans, or what have you), preferably that closed-loop stimulative intelligence tradecraft — the kind that does its job and never stops doing its job with no need for human intervention — and preferably in a manner akin to a “lucky punch” where you go to hit your enemy and your fist bounces off his face and swings back behind you to hit the enemy that you weren’t even looking for, also in the face. Offensive capabilities are cool and defensive capabilities are not as cool in these particular ways, right?
Strike-back is launching an expert-systems driven missile against an expert-systems driven missile and destroying it in the air before it destroys your city and its people on the ground.
Cyber, like nuclear weapons, has become special war. It has recently become unlimited war. The AC/DC Act will be just the first of many to try and stem an unlimited special war. Sometimes proposed laws are about balancing the scales instead of actively promulgating the effects of any-given would-be law.
Longer response is coming, but for now:
“fully-automated at the machine layer” <- this sounds like you are inventing an IPS, not hackback?
Honestly, in my opinion I don’t see enterprises spending their time and money going after the DDoS groups or malware sources and DDoS-ing them back. It’s useless and counterproductive. They will rather use that money and time to do creative products and enhance their business. From a typical business point of view, if one is following basic security hygiene I don’t think they will be in much trouble (nothing was different in the WannaCry case other than system patching and telling people not to use an age-old protocol). The proactive people will use the same old techniques (VAPT, Red Team – Blue Team or the buzzword Active Threat Hunting etc.) to assess their security loopholes and build stronger defense and strategy for enhancing their prevention capability. I don’t think business folks will focus on a childish fight back!!
Well, this post is my attempt to hold a contrarian view (since the default view is “all hackback fans are idiots”, naturally), and so far I have found few arguments and scenarios in favor of attacking the attacker, purely on the merits of this approach (NOT ethics, legality or some hurdles like attribution). Your comment sort of adds to this view – we are failing to find the scenarios where it is useful…