Levi Gundert

Hacking Back & the Digital Wild West

Far from helping organizations defend themselves, hacking back will escalate an already chaotic situation.

The Internet is a modern day Wild West.

It is a largely lawless territory with still-uncharted potential.

We all find ourselves confronting, usually after the fact, modern and often elusive thugs — like the famous outlaws of the 19th-century American West, such as Jesse James, Billy the Kid, and Butch Cassidy — waging digital stagecoach robberies and worse.

Source: Recorded Future

The past two years in particular have been a cornucopia of accelerating malice and resulting chaos: attempted Olympic disruption, American election interference, global ransomware worms, central bank heists, credit bureau pillaging, global business losses, cryptocurrency exchange thefts; and these are only the highlights of what has been publicly reported.

Individuals, businesses, and governments face extraordinary challenges protecting themselves in the digital Wild West, and history has shown that law enforcement is under-resourced to tackle all but the most pressing criminal cases. What's the answer?

U.S. Congressional Representatives Tom Graves and Kyrsten Sinema are proposing legislation — the Active Cyber Defense Certainty Act — with good intentions, aimed at reforming the Computer Fraud and Abuse Act (CFAA, 18 U.S. Code § 1030). The CFAA is outdated (signed in 1986) and doesn't provide an adequate disincentive to cybercrime.

However, hacking back is not the answer. The Internet crosses national boundaries in milliseconds, and attackers routinely encrypt and disguise their traffic between compromised servers and victim machines in multiple geographies. Adversaries reuse existing code and tools to plant false flags and confuse attribution efforts.

For example, the origins of the recent Olympic Destroyer malware are still the subject of debate within the security community. Should the Olympics organization have engaged in a "hack back" campaign? The malware used hard-coded credentials from a major IT and telecommunications company. Does that present a green light to "hack back" against the IT company?

Similarly, India's City Union Bank was recently the victim of an unauthorized SWIFT transfer, resulting in a $2 million loss, two years after the Bangladesh Central Bank heist. The two attacks bear the same hallmarks. If the victim bank were American, should it employ offensive investigative techniques against the DPRK (Lazarus Group)? The answer should be a resounding "no." If the US is going to allow businesses to hack back, it won't take international businesses long to follow suit.

If Congress opens the hacking-back Pandora's Box, defenders' jobs become even harder. It will become impossible to tell malicious activity apart from authorized hacking back. Far from helping organizations defend themselves, hacking back will escalate an already chaotic situation. Companies should not be initiating even basic fact-finding missions if unauthorized access is required.

There is too much nuance and potential for error when committing unauthorized access of Internet-connected information systems. Allowing — and even going so far as to encourage — "hacking back" will result in vast unintended outcomes, the consequences of which cannot be fully anticipated.

Congress should reform CFAA, but including a "hacking-back" provision is misguided and will only prolong the digital Wild West era.


Levi Gundert is the vice president of intelligence at Recorded Future, where he leads the continuous effort to measurably decrease operational risk for customers. Levi has helped position Recorded Future as the international leader in universal threat intelligence. Levi has ...
User Rank: Apprentice
3/10/2018 | 10:45:21 PM
Re: prevention better than prosecution
Good analysis and wonderfully said, sir. Your in-depth post has cleared up many of my doubts. Of course, prevention is better than prosecution.
User Rank: Ninja
3/10/2018 | 8:48:51 AM
prevention better than prosecution
Prevention is better than Prosecution

The Internet has been described as a "Fool's Paradise" from time to time. I always liked that characterization.

The troubles on the net today largely originate in a general failure to authenticate.

Consider for example the troubles with fraudulent 1040 tax forms. Or the new mortgage loan scams. Or the grand-daddy of them all: e-mail "phishing" (BEC).

For prevention we need to turn to the work of Whitfield Diffie and Martin Hellman. These gentlemen understood this issue and knew what they needed to do. What we need to do is to understand our part in their work: authentication.

When my daughter sat down in the office at the Credit Union to open a new account: that is when the Credit Union -- and my daughter -- should have authenticated the keys needed -- for her online interface(s).

This will need to be incorporated into systems as packaged technology.

We are talking about Public Key Cryptology: PGP, PKI, SSL, TLS, X.509, GnuPG ... it's "out there" -- but to make it work it is necessary to authenticate the keys.

I could give you the "fingerprint" for my key: 4DEA0DAD, and you could download it from the servers. But you still wouldn't know who I am. Once you find a way to identify me and verify the fingerprint on my key THEN you can SIGN my key. This will make my key VALID in your system, meaning you are satisfied that you know who I am. This doesn't happen with X.509: it's too easy for anybody to acquire an X.509 certificate -- and -- generally -- users have no idea what the certificates are supposed to look like or what data they should contain.

That doesn't matter HERE -- but at the Credit Union or with my tax software and such: yes, it does matter.

Note: the most important aspect of PKI/PGP/GnuPG -- is AUTHENTICATION.

What was the cost of hacking last year? I'm remembering $600B, 0.8% of GDP.
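The verify-the-fingerprint-then-sign step the comment above describes, worked through as an added example (my code, not the commenter's and not GnuPG's). It models a key server that accepts any upload under any user ID, a local keyring in which a downloaded key becomes valid only after its owner has matched an out-of-band fingerprint and certified it, and the case the comment warns about: two keys on the server claiming the same identity. Everything in it is constructed and simplified: the fingerprint is SHA-256 over raw key bytes (a stand-in; OpenPGP v4 fingerprints are SHA-1 over the public key packet), the keys are fixed byte strings, and "certifying" just records the certifier's fingerprint rather than producing a real signature.

```python
"""Toy model of key validity in a PGP-style web of trust (constructed example)."""
import hashlib
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """Stand-in fingerprint: hex SHA-256 of the raw key bytes (not OpenPGP's v4 format)."""
    return hashlib.sha256(public_key).hexdigest().upper()


@dataclass
class Key:
    user_id: str                 # the identity the *uploader* claims; nothing has checked it
    public_key: bytes
    certifications: set = field(default_factory=set)  # fingerprints of keys that certified this one

    @property
    def fpr(self) -> str:
        return fingerprint(self.public_key)


class KeyServer:
    """Anyone can upload any key under any user ID; the server verifies nothing."""
    def __init__(self):
        self._keys = []

    def upload(self, key: Key) -> None:
        self._keys.append(key)

    def search(self, user_id: str) -> list:
        return [k for k in self._keys if k.user_id == user_id]


class LocalKeyring:
    """One user's keyring: a downloaded key is VALID only once this user has
    certified it after checking its fingerprint through an out-of-band channel."""
    def __init__(self, own_key: Key):
        self.own = own_key
        self.keys = {}  # fingerprint -> Key

    def import_key(self, key: Key) -> Key:
        return self.keys.setdefault(key.fpr, key)

    def certify(self, key: Key, fpr_from_out_of_band: str) -> bool:
        """Sign the key only if the fingerprint obtained out of band (in person,
        on paper, over the phone) matches the key actually downloaded."""
        if key.fpr != fpr_from_out_of_band.replace(" ", "").upper():
            return False                       # wrong key: leave it uncertified
        stored = self.import_key(key)
        stored.certifications.add(self.own.fpr)
        return True

    def is_valid(self, key: Key) -> bool:
        return self.own.fpr in key.certifications

    def valid_keys_for(self, user_id: str) -> list:
        """The only keys this keyring should encrypt to or accept signatures from."""
        return [k for k in self.keys.values()
                if k.user_id == user_id and self.is_valid(k)]


def demo():
    # Constructed keys: the real owner's key and an impostor's key under the same user ID.
    alice_real = Key("alice@example.org", bytes.fromhex("01" * 32))
    impostor = Key("alice@example.org", bytes.fromhex("02" * 32))
    server = KeyServer()
    server.upload(impostor)
    server.upload(alice_real)

    bob = LocalKeyring(Key("bob@example.org", bytes.fromhex("03" * 32)))
    for k in server.search("alice@example.org"):
        bob.import_key(k)
    # Both keys now sit on Bob's keyring, but downloading proved nothing: neither is valid.
    valid_before = len(bob.valid_keys_for("alice@example.org"))

    # Alice hands Bob her fingerprint in person; only the matching key gets certified.
    fpr_on_paper = alice_real.fpr
    results = [bob.certify(k, fpr_on_paper) for k in server.search("alice@example.org")]
    valid_after = [k.fpr for k in bob.valid_keys_for("alice@example.org")]
    return valid_before, results, valid_after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(0, [False, True], [<Alice's fingerprint>])`: the impostor's key, although it carries Alice's user ID and was served first, never becomes valid because its fingerprint does not match the one obtained out of band.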
User Rank: Apprentice
3/6/2018 | 1:08:14 AM
"Active Response Continuum" is a better phrase, better model, than "active defense"
I fully agree with Levi that current proposals to modify existing computer crime statutes are insufficiently nuanced, insufficiently framed, and not ready to move forward. He is right that the consequences of allowing the private sector to become too aggressive, too casually, will likely make the situation for law enforcement more difficult rather than easier. I published my own analysis of the ACDC Act 2.0 (and proposals to improve it) along the lines of Levi's suggestions. You can find that analysis on Medium (search for "Medium Dittrich Active Defense Certainty Act", since URLs are not allowed in comments) and read about the Active Response Continuum (search "Dittrich Active Response Continuum").

I believe the end goal here should be to facilitate victims' reporting of meaningful evidence of computer crimes in a timely manner to law enforcement, to better enable the U.S. government to use its sovereign levers of power (diplomacy, intelligence, military, economic sanctions and law enforcement, DIME-LE for short) to pursue criminal actions and violations of international norms and laws against foreign and domestic actors. The private sector does not have the authorities, nor the "whole of government" options, necessary to reduce international incidents like those Levi listed.

There are many examples of corporations using civil legal process (e.g., botnet "takedowns" using temporary restraining orders) within the U.S. justice system. When and if a victim determines that the situation is sufficiently grave to justify violating domestic laws and taking aggressive uncooperative actions on systems not under their authority, outside of civil or criminal legal process, they already have the option under U.S. law to make an affirmative defense for their actions. The idea in the ACDC Act of forcing a harmed intermediary to bring suit in civil court for damages resulting from an entity taking ill-considered "active defense measures" seems to me to be unfair and unnecessary.