Risk

3/30/2015
10:30 AM
Hacking Back: Two Wrongs Don't Make A Right

Here's the critical issue: Do you want to risk engaging your company in an ego-fueled war of revenge, or do you want to cut the bad guys off at the pass?

If the sheer volume of alerts you face daily or the massive damage from hacks, like the ones that dominate headlines, have driven you to the point of contemplating the available hacking-back options, let’s take a step back for a second. In the long-running debate about the legalities, ethics, and tactics of hacking back and its more politically correct cousin, “active defense,” it can be easy to let anxiety and even ego fuel a passionate “pro” viewpoint.

Entering a private network without permission is illegal, whether you are the hacker or the hacked, according to the terms of the Computer Fraud and Abuse Act. Anything we can do within our own networks and on our own devices is defensible—honeypots, mobile-device kill switches, forensic preservation, and the like are legit.

But first things first: strategy, then tactics. As the oft-quoted Sun Tzu notes in The Art of War, it’s vitally important to know your enemy and more importantly, to know yourself. Theoretically, you have access to all the information you need to fully understand what constitutes normal activity within your enterprise network, and today’s enemy is not the stereotypical basement dweller from days of yore.

So you want to pick a fight with North Korea?
This winter’s Sony Pictures Entertainment breach was a bracing reminder that we are operating at a whole new level in information security now—and it is definitely no game we’re playing. Whether you agree with the FBI or the private sector on attribution, the fact remains: the bad guys are in our networks, they know how to hide there for months or even years, and they can unleash some devastating results when they’re ready.

For those of us protecting sensitive data (and that’s all of us), here’s the critical question: Do you want to risk engaging your company and its reputation in an ego-fueled war of revenge, or do you want to cut the bad guys off at the pass and maybe even sic the feds on them? Doing the latter requires keeping operations above board in the eyes of federal law enforcement agencies and that means not breaking into a network without permission. After all, the “But they started it!” defense doesn’t stand up any better in court than it did with your third-grade teacher.

Given that many attackers commandeer and corrupt the infrastructure of innocent third parties to obfuscate the trail, that IP address you hunted down may not represent the actual cyber attacker. So how can you be sure you’re hacking back (excuse me, actively defending against) the actual criminals? There’s no way to know whether your team of four infosec pros is, in fact, attempting to out-hack a force of 20,000 people like the People’s Liberation Army Unit 61398, or erroneously striking out at an innocent ISP. In fact, hacking back carries tremendous potential for unleashing dire and completely unforeseen circumstances.

Inside-out security
A cyber forensic specialist I know who has had the rare privilege of speaking at a Congressional hearing on cyber crime once told me, “The real problem is that most companies don’t understand their own environments. If they did get hacked, they couldn’t say what had been touched. The most critical thing to do is to understand your own environment.” I like to refer to the concept as “inside-out security.”

Ensuring you have visibility into any unusual activity occurring on your network and its endpoints is the first step toward pinpointing that activity and its root cause. So what’s required in order to be able to call the FBI instead of hearing about a hack the other way around? Wouldn’t it mean more to have the smoking gun in your hand than an attempt to shut down what may or may not be the origin of any given attack?

To the limit your budget allows—and in preparation to justify an increase of that budget with scary cost figures from recent headline-making attacks and industry reports—you’ll enhance your hacker-busting posture by ensuring that you have:

  • The right number of trained incident responders; 
  • The right technology and training for honeypots, sandboxing, and other defensive measures; 
  • A way to spot, receive alerts about, study, and capture the contextual data around unknown or unusual activity on network endpoints at the earliest possible stages; and 
  • A chronological report of the events and indicators related to that security incident.

It’s that contextual data that tells you whether this is a real cyber attack. Being able to pinpoint and take a snapshot of that data and preserve it forensically will set you up to work with law enforcement. Without it and without that chronological report, you have little hope of truly pursuing and ensuring punishment for the offenders. And in the end, isn’t learning from each new attack and then doing our part to lock up the threat actors the best possible outcome of a security incident?
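As an added illustration (not the author's or Guidance Software's code), here is a small Python sketch of the last two items on the list above: normalising out-of-order endpoint alerts into a chronological report, and sealing that report with a hash so it can later be shown to law enforcement unchanged. The event feed is constructed for the example; the hostnames, indicator values and timestamp formats are assumptions.

```python
"""Build a chronological incident report from endpoint events and seal it."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: a hypothetical endpoint-alert feed, arriving out of
# order and mixing ISO-8601 strings with epoch seconds (not data from the article).
RAW_EVENTS = [
    {"ts": 1427448615, "host": "ws-042", "event": "outbound connection to unfamiliar host",
     "indicator": "203.0.113.7:443"},
    {"ts": "2015-03-27T09:14:03Z", "host": "ws-042", "event": "unsigned binary run from user temp dir",
     "indicator": "sha256:PLACEHOLDER"},
    {"ts": "2015-03-27T09:16:40Z", "host": "ws-042", "event": "new scheduled task created",
     "indicator": "task:Updater"},
    {"ts": 1427530200, "host": "fs-01", "event": "same binary hash seen on file server",
     "indicator": "sha256:PLACEHOLDER"},
]

def parse_ts(value):
    """Normalise an ISO-8601 'Z' string or epoch seconds to an aware UTC datetime."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_timeline(events):
    """Return the events in chronological order, each with a normalised UTC timestamp."""
    rows = [dict(e, ts=parse_ts(e["ts"]).strftime("%Y-%m-%dT%H:%M:%SZ")) for e in events]
    return sorted(rows, key=lambda r: r["ts"])  # same format, so string order is time order

def first_seen(timeline, indicator):
    """Earliest timestamp at which an indicator appears, or None if it never does."""
    for row in timeline:
        if row["indicator"] == indicator:
            return row["ts"]
    return None

def seal(timeline):
    """Manifest with a SHA-256 over canonical JSON, so the report can be verified later."""
    canonical = json.dumps(timeline, sort_keys=True, separators=(",", ":"))
    return {"count": len(timeline), "first": timeline[0]["ts"], "last": timeline[-1]["ts"],
            "sha256": hashlib.sha256(canonical.encode()).hexdigest()}

def verify(timeline, manifest):
    """True only if the timeline still hashes to the value recorded in the manifest."""
    return seal(timeline)["sha256"] == manifest["sha256"]
```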

As the Director of the Security Practice for Guidance Software, Anthony Di Bello is responsible for providing in-depth insight into the advanced threat landscape. Since joining the company in 2005, he has been instrumental in defining the company's suite of security products, ...