
Risk

3/30/2015
10:30 AM

Hacking Back: Two Wrongs Don’t Make A Right

Here's the critical issue: Do you want to risk engaging your company in an ego-fueled war of revenge, or do you want to cut the bad guys off at the pass?

If the sheer volume of alerts you face daily or the massive damage from hacks, like the ones that dominate headlines, have driven you to the point of contemplating the available hacking-back options, let’s take a step back for a second. In the long-running debate about the legalities, ethics, and tactics of hacking back and its more politically correct cousin, “active defense,” it can be easy to let anxiety and even ego fuel a passionate “pro” viewpoint.

Entering a private network without permission is illegal under the Computer Fraud and Abuse Act, whether you are the hacker or the hacked; the statute turns on whether you were authorized to access the system, not on who struck first. Anything you do within your own networks and on your own devices is defensible: honeypots, mobile-device kill switches, forensic preservation, and the like are legitimate.

But first things first: strategy, then tactics. As the oft-quoted Sun Tzu notes in The Art of War, it’s vitally important to know your enemy and more importantly, to know yourself. Theoretically, you have access to all the information you need to fully understand what constitutes normal activity within your enterprise network, and today’s enemy is not the stereotypical basement dweller from days of yore.

So you want to pick a fight with North Korea?
This winter’s Sony Pictures Entertainment breach was a bracing reminder that we are operating at a whole new level in information security now—and it is definitely no game we’re playing. Whether you agree with the FBI or the private sector on attribution, the fact remains: the bad guys are in our networks, they know how to hide there for months or even years, and they can unleash some devastating results when they’re ready.

For those of us protecting sensitive data (and that’s all of us), here’s the critical question: Do you want to risk engaging your company and its reputation in an ego-fueled war of revenge, or do you want to cut the bad guys off at the pass and maybe even sic the feds on them? Doing the latter requires keeping operations above board in the eyes of federal law enforcement agencies and that means not breaking into a network without permission. After all, the “But they started it!” defense doesn’t stand up any better in court than it did with your third-grade teacher.

Because many attackers route through compromised infrastructure belonging to innocent third parties to hide their trail, the IP address you traced may belong to another victim rather than to the attacker. So how can you be sure you are hacking back against (excuse me, actively defending against) the actual criminals? There is no way to know whether your team of four infosec pros is attempting to out-hack a state-sponsored unit like the People’s Liberation Army Unit 61398, or erroneously striking at an innocent ISP. Hacking back carries tremendous potential for unleashing dire and completely unforeseen consequences.

Inside-out security
A cyber forensic specialist I know who has had the rare privilege of speaking at a Congressional hearing on cyber crime once told me, “The real problem is that most companies don’t understand their own environments. If they did get hacked, they couldn’t say what had been touched. The most critical thing to do is to understand your own environment.” I like to refer to the concept as “inside-out security.”

Visibility into unusual activity on your network and its endpoints is the first step toward pinpointing that activity and its root cause. So what is required to be the one who calls the FBI, rather than the one who hears about the breach from them? Wouldn’t it mean more to have the smoking gun in your hand than to have attempted to shut down what may or may not be the origin of a given attack?

To the limit your budget allows (and with an eye to justifying an increase with the cost figures from recent headline-making attacks and industry reports), you will strengthen your hacker-busting posture by ensuring that you have:

  • The right number of trained incident responders; 
  • The right technology and training for honeypots, sandboxing, and other defensive measures; 
  • A way to spot, receive alerts about, study, and capture the contextual data around unknown or unusual activity on network endpoints at the earliest possible stages; and 
  • A chronological report of the events and indicators related to that security incident.

It’s that contextual data that tells you whether this is a real cyber attack. Being able to pinpoint and take a snapshot of that data and preserve it forensically will set you up to work with law enforcement. Without it and without that chronological report, you have little hope of truly pursuing and ensuring punishment for the offenders. And in the end, isn’t learning from each new attack and then doing our part to lock up the threat actors the best possible outcome of a security incident?
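As an added example (not code from the article, from the author, or from Guidance Software), here is a small Python script that does the two things the list above asks for: it normalizes endpoint, proxy and domain-controller events into one UTC-ordered timeline with indicator tags, and it hash-chains the entries so the chronological report can be shown to be unaltered when it is handed to law enforcement. The event records, hostnames, user, file paths, addresses, detection rules and thresholds are all constructed for illustration; the hash chain is one common way to make a report tamper-evident, not a standard any agency prescribes.

```python
import hashlib
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample events for this added example (not from the article); hosts,
# users, paths and addresses are invented. Three hypothetical sources stand in for
# a Windows event log, a web proxy and an EDR agent, each with its own time format.
SAMPLE_EVENTS = [
    {"source": "winlog", "time": "2015-03-11 23:58:41", "host": "dc-01",
     "user": "jdoe", "event": "logon",
     "detail": {"logon_type": 10, "src_ip": "10.20.30.7"}},
    {"source": "proxy", "time": 1426169705, "host": "ws-0421", "user": "jdoe",
     "event": "http_connect",
     "detail": {"dst": "203.0.113.45", "port": 443, "bytes_out": 1834022}},
    {"source": "edr", "time": "2015-03-12T09:14:05-05:00", "host": "ws-0421",
     "user": "jdoe", "event": "process_create",
     "detail": {"image": r"C:\Users\jdoe\AppData\Local\Temp\svch0st.exe"}},
    {"source": "edr", "time": "2015-03-12T09:13:50-05:00", "host": "ws-0421",
     "user": "jdoe", "event": "file_write",
     "detail": {"path": r"C:\Users\jdoe\AppData\Local\Temp\svch0st.exe"}},
]

# RFC 1918 ranges; a large upload to anything else counts as leaving the enterprise.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GENESIS = "0" * 64  # chain value before the first entry

def parse_time(value):
    """Normalise epoch seconds, ISO 8601 with offset, and naive 'YYYY-MM-DD HH:MM:SS'
    to an aware UTC datetime. Naive strings are assumed UTC here (an assumption)."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    dt = datetime.fromisoformat(value.replace(" ", "T"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def tag_indicators(event, utc):
    """Illustrative rules; thresholds and paths are assumptions to tune to your baseline."""
    kind, d, tags = event["event"], event["detail"], []
    if kind == "file_write" and "\\temp\\" in d["path"].lower() \
            and d["path"].lower().endswith(".exe"):
        tags.append("exe_dropped_in_temp")
    if kind == "process_create" and "\\temp\\" in d["image"].lower():
        tags.append("exec_from_temp")
    if kind == "http_connect" and d["bytes_out"] >= 1_000_000 \
            and not any(ipaddress.ip_address(d["dst"]) in n for n in INTERNAL_NETS):
        tags.append("large_egress")
    if kind == "logon" and d.get("logon_type") == 10 and (utc.hour >= 22 or utc.hour < 6):
        tags.append("offhours_rdp")  # Windows logon type 10 = RemoteInteractive (RDP)
    return tags

def canonical_sha256(obj):
    """Digest JSON with fixed key order and separators so equal content hashes equal."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def build_timeline(events):
    """Sort into UTC order, tag indicators, and hash-chain the entries: each chain_sha256
    covers the entry's content plus the previous chain value, so later edits are detectable."""
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    timeline, prev = [], GENESIS
    for seq, ev in enumerate(ordered, start=1):
        utc = parse_time(ev["time"])
        entry = {"seq": seq, "utc": utc.isoformat(), "source": ev["source"],
                 "host": ev["host"], "user": ev["user"], "event": ev["event"],
                 "detail": ev["detail"], "indicators": tag_indicators(ev, utc),
                 "raw_sha256": canonical_sha256(ev)}  # digest of the record as received
        entry["chain_sha256"] = hashlib.sha256((prev + canonical_sha256(entry)).encode()).hexdigest()
        prev = entry["chain_sha256"]
        timeline.append(entry)
    return timeline

def verify_timeline(timeline):
    """Recompute the chain; False if any entry was altered or an interior entry removed.
    Record the final chain head separately so truncation of the tail is also caught."""
    prev = GENESIS
    for entry in timeline:
        body = {k: v for k, v in entry.items() if k != "chain_sha256"}
        expected = hashlib.sha256((prev + canonical_sha256(body)).encode()).hexdigest()
        if entry["chain_sha256"] != expected:
            return False
        prev = expected
    return True

def render_report(timeline):
    """Plain-text chronological report, the artefact you would hand to law enforcement."""
    lines = [f"{e['seq']:>3} {e['utc']} {e['source']:<6} {e['host']:<8} "
             f"{e['event']:<15} {','.join(e['indicators']) or '-'}" for e in timeline]
    lines.append(f"chain head: {timeline[-1]['chain_sha256']}")
    return "\n".join(lines)

if __name__ == "__main__":
    tl = build_timeline(SAMPLE_EVENTS)
    print(render_report(tl))
    print("chain verifies:", verify_timeline(tl))
```

Run stand-alone, the script orders the four records into the story the raw logs hide: an off-hours RDP logon to the domain controller, an executable dropped in a Temp folder, that executable launched, then a large upload to an external address a minute later. The raw digest preserves what each source actually said, and the chain makes any later "cleanup" of the report visible to whoever receives it.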

As the Director of the Security Practice for Guidance Software, Anthony Di Bello is responsible for providing in-depth insight into the advanced threat landscape. Since joining the company in 2005, he has been instrumental in defining the company's suite of security products, ...