12/14/2017
09:00 AM
Raymond Pompon

Is a Good Offense the Best Defense Against Hackers?

A proposed new law could make it legal for companies to hack back against attackers. But will it work?

The global costs of dealing with hacking — destruction, loss of data, intellectual property theft, fraud, embezzlement, disruption to business, restoration, estimated by Cybersecurity Ventures at $3 trillion in 2015 — are projected to double to $6 trillion annually by 2021. Yet under US law, it’s illegal to attack the hackers back.

In February, a Georgia Republican introduced a bill to Congress to give legal protection to hacking victims who "hack back" at attackers. The law is continuing to wend its way through the legislative process and might just end up (in some form) as a real law.

That’s right: you could hit the bad guys back — and hard.

The Active Cyber Defense Certainty (ACDC) Act would amend section 1030 of the Computer Fraud and Abuse Act of 1986 that bars accessing a system that does not belong to you, or distributing code designed to enable unauthorized access to anyone's system. If the bill passes, it will be legal to do both.

"This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault," said Rep. Graves in a press release March 3, 2017.

ACDC would allow victims of cybercrime to gain unauthorized access to their attackers’ systems legally, as long as their actions are only meant to identify the attacker or disrupt the attack. The bill doesn't allow retaliation that destroys the attacker's data, causes physical injury, or "creates a threat to the public health or safety."

Though the bill may never become law in this form, it’s certainly opening discussions around “hacking back,” and raises awareness of the difficulty in stopping criminal cyber activity.

High Return, Low Risk. What’s not to Like?
Attackers work anonymously and, largely, with impunity. Billions of dollars are stolen each year, with little to none of it recovered, and the criminals are rarely caught. Even when they are, it’s difficult to prosecute them; it can take years to track them down, build a case, indict and convict them. Moreover, some countries or regions tolerate—or even profit from—cybercriminals’ activities, and offer little help to international law enforcement efforts, or even thwart them.

If the incentives are good, and the risks low, powerful cybercrime syndicates will continue. And as things currently stand, the law limits CISOs’ options. The hope among leading CISOs is that shifting to offense will change the game. After all, the adversary remains ahead if you simply react to every problem defensively.

But, Hacking Back Is Never as Simple as It Sounds
First there’s the issue of "attribution." How do you correctly identify your attacker? It’s not as easy as it sounds. What if an attack comes from a botnet? Not one computer, but thousands or millions spread over the globe. Owners of botnet computers may not know they’re contributing to an attack. If your attacker is somewhere in the cloud, good luck finding her. Are you going to strike back against your cloud provider? They’re potentially innocent middlemen.

Second, ACDC wouldn’t allow striking back against a common attack such as distributed denial-of-service (DDoS), because DDoS attacks don’t involve unauthorized access. And who are you going to blame? Typical DDoS attacks come from devices that are part of the Internet of Things (IoT). Say Grandma’s digital picture frame routed requests in a DDoS attack. Are you going to hack back against Grandma?

Third, what if your attacker is not on US soil? You will not be legally protected if you’re retaliating in another country with different laws. In fact, you could find yourself being the one carted off by the police or buried in lawsuits.

Strike Back Already Exists for the Largest Tech Players
If the problem is large, those with resources — primarily large IT vendors — will work with law enforcement to stop attackers. When your actions are sanctioned by the authorities, it isn’t vigilantism. It helps if you’re a large company with a good legal team. In fact, many large IT vendors hire ex-DOJ prosecutors and investigators as company liaisons with law enforcement.

For example, Microsoft security researchers aided international law enforcement agencies to disrupt one of the most widely distributed malware families, "Dorkbot," estimated to have infected more than 1 million PCs in more than 190 countries. In another instance, a collaboration between Trend Micro, INTERPOL, Microsoft, Kaspersky Lab, and the Cyber Defense Institute resulted in the destruction of the notorious SIMDA botnet.

How You Can Strike Back Now
Hack backs can take several forms, some of which you can use today without the additional legal protection of the proposed ACDC law. A less legally risky defense is to set up "honeypots," or fake servers and services to lure attackers in. Once attackers have entered your network, you can sinkhole their traffic, feed them fake data, and confuse them with false systems. Studies have shown deceptive defenses do deter attacks. Best of all, deceptive defense would meet the goals of the ACDC, since you are simultaneously disrupting the attack and gathering information about the attacker.

Moreover, it’s passive, not active. With deceptive defense, you don’t go to them, the bad guys come to you. The disruption and spying happens on your equipment, on your premises, where you have a legal right to be — and the hacker doesn’t.

You can even put up warning banners: Warning—this system is the property of XYZ bank. Unauthorized users consent to being recorded and allowing XYZ to take measures to disable unauthorized access to the extent necessary to stop the illegal activity and support law enforcement investigations. An alert like this should get you off the legal hook for any defensive moves you make.
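The deceptive-defense pattern the last few paragraphs describe (a honeypot that shows the consent banner, sinkholes what it does not serve, hands out fake data and records the intruder on your own equipment), as an added Python example that is not from the article: the banner wording follows the article, while the service paths, the HMAC bait key and the log shape are assumptions.

```python
"""Decoy service: banner on every reply, tagged fake credentials on request,
an interaction log kept on our premises, and a check that flags later reuse
of the bait in real authentication logs (evidence tying a source to the intrusion)."""
import hashlib
import hmac
from datetime import datetime, timezone

# Banner wording follows the article; "XYZ" is the article's placeholder bank.
BANNER = ("Warning - this system is the property of XYZ bank. Unauthorized users "
          "consent to being recorded and allowing XYZ to take measures to disable "
          "unauthorized access to the extent necessary to stop the illegal "
          "activity and support law enforcement investigations.")
# Assumed per-deployment secret (constructed value; keep it out of source in real use).
BAIT_KEY = b"example-decoy-key-change-me"


def bait_password(username: str) -> str:
    """Derive the fake password from the username so reuse is verifiable offline."""
    return hmac.new(BAIT_KEY, username.encode(), hashlib.sha256).hexdigest()[:16]


def is_bait(username: str, password: str) -> bool:
    """True if a login attempt presents a password this decoy handed out."""
    return hmac.compare_digest(bait_password(username).encode(), password.encode())


class DecoyService:
    """Fake backup/credential server; assumed path layout, nothing real behind it."""

    def __init__(self) -> None:
        self.log: list[dict] = []  # every interaction is recorded, on our equipment

    def handle(self, src_ip: str, path: str) -> dict:
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(),
                         "src": src_ip, "path": path})
        if path.startswith("/backup/creds/"):
            user = path.rsplit("/", 1)[1]  # e.g. /backup/creds/svc_backup
            return {"banner": BANNER, "user": user, "password": bait_password(user)}
        return {"banner": BANNER, "status": "sinkholed"}  # anything else goes nowhere


def bait_reuse_alerts(auth_attempts: list[dict]) -> list[dict]:
    """Scan real auth attempts; any use of bait credentials came from the intruder."""
    return [a for a in auth_attempts if is_bait(a["user"], a["password"])]


if __name__ == "__main__":
    svc = DecoyService()
    taken = svc.handle("203.0.113.7", "/backup/creds/svc_backup")  # constructed intruder
    attempts = [{"src": "203.0.113.7", "user": "svc_backup", "password": taken["password"]},
                {"src": "198.51.100.4", "user": "alice", "password": "real-but-wrong"}]
    print(bait_reuse_alerts(attempts), svc.log)
```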

If it happens, the ACDC debate will be interesting to watch. Though the bill is unlikely to pass as written, any floor debate is certain to spark discussion. In the meantime, CISOs have other options, such as deceptive defenses.

Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ...