In November, the UK announced a formal policy of hacking back against nation-state attackers. While it might be a viable government policy, for most enterprises, a cyber attack is a crime, not an act of war. Legal and moral issues aside, when it comes to hacking back, what security professionals should be asking themselves is at the end of the day, will it serve their organization enough to justify the effort and risk?
Hacking back is generally done to inflict some sort of damage back on your attacker and/or enables you to expose them. It's an understandable emotional response to any sort of attack (physical or cyber) to want to hit back, and it can be argued that hacking back might serve a valid strategic purpose (i.e., to send a message to attackers that the organization won't take an attack lying down).
Regardless, I've found that in the vast majority of cases, the risks associated with hacking back outweigh the rewards.
The main risks (although certainly not the only ones) are that: (1) hacking back can quickly cross the fine line separating legal vs. illegal activities, and (2) that you risk a high chance of inflicting collateral damage, mostly since attacker attribution is highly inaccurate in many cases. If you are a large public organization do you really want to be linked to an illegal activity – attacking systems you don't own, without permission, hosted in various countries that have varying nuances to their cybercrime legislation? Currently, even scanning a system could be against the law in some countries.
I think it is reasonable that it should remain illegal, mainly because of the high chance of inflicting collateral damage. First off, attack attribution is way harder to prove than people realize. Second, if you take the recent IoT DDoS attack as an example, attacks are often executed via compromised machines whose owners don't know they've been compromised. If you hack back to the wrong network or set of servers, or even if you get it right, you can end up penetrating into or even damaging a non-malicious 3rd party, which can be used as grounds for criminal charges.
Do legitimate organizations really want to be in a situation where a third party claims they inflicted intentional damage? That results in a situation in which you become the cyberattacker. Is revenge or the need to send a message worth exposing your company to the consequences that comes with that?
Above all that, hacking back is rarely worth the risk associated with it because in most cases, especially with the somewhat more advanced attackers, it hits attackers where they are least sensitive to a counterstrike, from an operation disruption or attribution perspective, at the most scalable part of a hacking operation.
Analysis of hacking operations shows that the organizations powering them typically have two separate processes in place: (1) is essentially a software research and development process that creates hacking tools - penetration tools and stagers, privilege escalation tools, C2 client and server framework, persistence tools, anti-forensics tools and so on. When mixed and matched, these tools are then used by (2) an operations team that operates the different stages of the hacking operation, including setting up and maintaining operations infrastructure (e.g. list of targeted individuals, anonymous / “clean” infrastructure - procurement, C2 virtual private servers, etc., gaining and maintaining access to target networks and conducting activities in the target networks as needed.
Hacking back usually attempts to go after certain IOCs shown to be in use by the attacker - C2 server addresses, email addresses etc. but the reality is that all these IOCs are generated by the operations team by the dozens, hundreds, or even be unique on a per operation / attacked machine basis, and are by design the disposable, non-attributable and hence the least vulnerable part of the operation. So, even a successful penetration or takedown of many of these assets is expected to have a low impact on the attacker's ability to continue the operation.
In these situations, even a successful hack back will result in a short term, low-value fix. In those cases, you're better off spending your time and money on hardening your systems
The primary key for inflicting significant damage to a cyber attack organization is to target, not the operations arm, but the non-scalable R&D arm. So how do you target the R&D side of a hacking operation? Stay tuned – that's my next post.
This post was originally published in SC Magazine.