Hack the hackers? The debate rages on

The debate over "hacking back" (also known as "active defense") against criminal cyber attackers has raged for decades. And it doesn't look like it will be ending anytime soon.

On the pro side are experts like Stewart Baker, former general counsel at the National Security Agency (NSA), former assistant secretary for policy at the Department of Homeland Security (DHS) and now a blogger and partner at Steptoe & Johnson with a cybersecurity practice.

He has, for years, preached that, "defense is not enough," and that the only way to deal effectively with cybercrime is to make it more costly by attacking the attackers.

On the other side are experts who, as the Washington Postreported last fall, will warn anybody even considering it that most forms of hacking back are illegal under the Computer Fraud and Abuse Act (CFAA) and that, "retaliating could spark full-scale cyberwar, with collateral damage across the Internet."

That has never convinced Baker. "We will never defend our way out of the current cybersecurity crisis," he wrote on his Steptoe Cyberblog. "That's because putting all the burden of preventing crime on the victim rarely succeeds. The obvious alternative is to identify the attackers and punish them."

Stewart also told the Post reporters that the legal risks are declining -- that government officials are more likely to assist those who hack back than to prosecute them. "The government is giving ground silently and bit by bit on this by being more open," he said.

Indeed, that may be in part because the Pentagon has declared publicly for the first time that it considers offensive cyber actions to be one of its options in conflicts with enemies.

Its latest cybersecurity strategy document says the Defense Department, "should be able to use cyber operations to disrupt an adversary's command and control networks, military-related critical infrastructure and weapons capabilities."

Robert Hansen, vice president of WhiteHat Labs, WhiteHat Security, said another problem with enforcing the CFAA is that, "the law currently is so poorly written that almost nothing we do online is legal. So without consulting a lawyer on everything you do, it's entirely possible that you're breaking the law by not doing something -- complicit in a crime, willful negligence, accomplice after the fact, etc."

Still, on the other side are those like Anthony Di Bello, director, strategic partnerships at Guidance Software, who in a recent post on Dark Reading repeated the warning that hacking back, or what some call "active defense," is a violation of the CFAA, which prohibits "trespassing" into another computer network.

Beyond that, he argued that defense is indeed enough and, done properly, is more effective than "an ego-fueled war of revenge."

In an interview, Di Bello said those who disagree with him who responded to his post, "feel there are not sufficient legal channels for recourse."

He is sympathetic, noting that there are only 1,000 FBI agents in the agency's Cyber Division who are, "stretched to their limits, and in a sense, leaving victims to consider ways they can take matters into their own hands."

But, he also cites his firm's general counsel, Mark Harrington, who has called hacking back, "a form of trespassing, and I don't think trespassing is going to become legal anytime soon."

Di Bello and others contend that before organizations even consider going on offense, they need to understand their own environment well enough to detect the presence of invaders, who can remain silently inside a network for months or even years before exfiltrating data or causing other damage.

Indeed, on a panel at the recent RSA conference in San Francisco, Rhonda MacLean, founder and CEO of MacLean Risk Partners, declared that most organizations should assume they have been breached. "If a company tells you they haven't been breached, they don't know," she said.

To have a meaningful debate on the issue, however, requires some defining of terms. Some experts object to the use of "active defense" as a euphemism for hacking back.

Rafal Los, director of solutions research & development at Accuvant, said he believes active defense is a good thing when it means, "the actions a defensive team takes to protect themselves, on their own systems/network and explicitly not hacking back to protect themselves and their assets from attackers."

In other words, in his view, active defense still means defense.

Los said he believes if defenders do what attackers have been doing -- learning about their adversaries' tactics, capabilities and tools -- they will be more successful.

But to do that, he agrees with Di Bello that defenders need to know much more about their own environment.

"Trying to adapt to an adversary without first knowing where our own weaknesses and critical assets lie is worse than futile," he said, adding that, "knowing externalities is completely fruitless if you don't know your internals. Period."

That is also the view of Robert M. Lee, co-founder of Dragos Security LLC, who shares Los's frustration at the use of "active defense" to describe hacking back.

Lee opposes the hack-back strategy in part because he says most organizations are not very good at it. "If organizations cannot effectively run defense programs and tackle the security basics, they cannot run an effective offensive program," he said.

"Offense is harder than folks think, and returns less value than actually doing security."

He also notes that entering a cyber thief's network is not the same as entering a thief's physical property to reclaim a stolen item.

"Once intellectual property, for example, is stolen in an espionage campaign, it simply cannot be reclaimed. It cannot be deleted off the adversary network like most folks preach about," he said.

Legal issues aside, the debate also continues over attribution, collateral damage and escalation.

Opponents of hacking back say attribution -- positively identifying the attackers -- is almost impossible, since it is so easy for them to cover their tracks. This makes collateral damage likely -- retaliation aimed at an innocent party whose network has been compromised by the real attacker.

And they say counter attacking will simply escalate the conflict, risking an all-out cyberwar with major collateral damage.

"Let's say I'm an attacker from a nation-state sponsored group," Los said. "Obviously, I would attack you first by compromising one of your top competitors and then bouncing through them to attack you.

"Then, if you blindly try and hack back, you attack your competitor and I win twice. First I achieve my objective, in all likelihood, by stealing whatever I wanted. Second, now you're actively engaged in battle with a competitor."

Baker disputes that, insisting that attackers are not as brilliant as conventional wisdom says they are.

He has written that, "all the human traits that cause our security to fail also plague our attackers. They leave bits of code behind on abandoned command-and-control computers. They reuse passwords and email addresses and computers. Their remote access tools are full of vulnerabilities."

This, he says, has allowed investigators to trace attacks back to the command and control computers used to carry out attacks, and then to the homes and offices of the hackers.

[ 9 data breaches that cost someone their job ]

He calls it Baker's Law: "Our security sucks, but so does theirs."

Joel Harding, a retired military intelligence officer, information operations expert and blogger, agrees that the tools to track attackers have vastly improved.

"Attribution is really difficult, but it's gotten much better," he said. "It used to take weeks or months. Now we have tools that can tell us within seconds and minutes."

Hansen, while he is not an unqualified supporter of hacking back, also agrees that attribution -- at least enough to disrupt an attack -- is within reach.

"In most cases, I'd say real-time forensics is nearly impossible to do with any real degree of accuracy," he said, "but most bad guys don't really hide their tracks beyond using Tor, proxies or hacked machines.

"If you see a machine hacking you, chances are that that machine itself was hacked. Hacking into it and shutting it off is indeed not stopping the adversary, but it is stopping the weapon that the adversary is using, and might give you clues to who the adversary actually is."

Hansen also has doubts about the escalation theory. "I've never seen that to be true, so I'm not sure where the theory comes from," he said.

But opponents remain unconvinced.

"It's equivalent to poking the hornet's nest," Los said. "And yes, the adversary is likely able to out-gun you, so playing antagonist is rarely in a company's best interests."

"You also run the risk of disrupting a government operation against the adversary, which will leave you in serious trouble," Lee said. "There are always secondary and third order effects -- I do not see the value for 99.99% of organizations participating in hacking back."

Harding said the value comes from the reality that a defense-only strategy is never bullet proof. "The advantage is always with the offense," he said. "It's true that if you didn't have vulnerabilities, they wouldn't be attacking you. The problem is that you have entire IT departments desperately trying to patch systems and networks. But you always have human vulnerabilities, so saying defense is enough is always harder than doing it."

To that, the defense advocates say it is not that hard to do it better. One technique, mentioned in the Post article, is called a "beacon," the digital equivalent of an exploding dye pack in a bag of cash stolen by bank robbers, that can help victims "both spot the stolen loot and determine who spirited it away across the Internet."

Hansen said he has seen beacons used effectively in a number of cases, and added that, "it's always a good idea to seed the adversaries with bad data. It makes them easier to find down the road. Honeytokens are very useful in that regard."

But Lee is less impressed. "Yes the tactic can be effective, but those preaching and practicing it are not nearly as effective as they think," he said.

Los said the entire industry needs to shift from its focus on IOCs (indicators of compromise), which attackers can be stealthy about and change regularly, to IOAs (indicators of attack).

"What attackers can't change are objectives, such as having to elevate privileges to move laterally within an organization. There are only a few ways to do that -- that's what we need to watch," he said.

Tags softwareapplicationsnsawashington postNational Security AgencyDepartment of Homeland Security

Show Comments