Are hacking victims "hacking back"? That question was recently posed in headlines like this one from Bloomberg: FBI Investigating Whether Companies Are Engaged in Revenge Hacking. The Marketplace reporter, Ben Johnson, speculated that 2015 might be the year of "hacking back" when he asked me about revenge hacking. As I told Ben, there are several good reasons not to engage in hacking back, tempting though it may be to do so; I will enumerate those reasons after some background on this strategy and its place within cybersecurity.
Counterstrike vs. Active Deception
I should probably start out by saying that I do understand the urge to strike back, whether it is against perpetrators of a distributed denial of service (DDoS) attack that has closed down your website or the thieves who stole your customer data. The scumbags that are doing this appear to be doing so with impunity. Law enforcement can't seem to stop them, let alone identify who they are and bring them to justice. Yet there they are, on the other end of a connection they have made to you. The urge to strike back or otherwise mess with them is strong; however, my advice is to go with "otherwise mess with them" and avoid the major risks and serious unknowns that come with striking back.
Fortunately, there is a solid body of work on messing with network intruders, which falls within the "active deception" category of the realm of security known as Active Defense. A good paper by Josh Johnson on implementing active deception on private networks is available from SANS; it describes a number of techniques to "identify and slow down attackers who have established pivot points into private networks before data exfiltration occurs". Note the term: private networks. The fact that you are messing with intruders within your network is a very important legal and tactical distinction. If you still want to pursue hacking back outside your own domain, please consider the reasons that I have enumerated below. I also encourage you to abide by this three-point pledge:
I will not hack back until...
- I have already tried active deception.
- I am sure that my network defenses are able to withstand any counter-counter-attack.
- I have permission from legal counsel, in writing.
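As an added illustration of the "active deception inside your own network" approach (example code written for this page, not from the post or the SANS paper), the script below plants decoy accounts and decoy hosts that no legitimate process ever uses, flags any internal source that touches them, and assigns that source a growing response delay to slow it down. The log format, decoy names and sample log lines are constructed assumptions.

```python
"""Honeytoken-style detection on a private network (added, illustrative).

Decoy accounts and decoy hosts exist only to be touched by an intruder,
so any use of them is a high-confidence signal that someone has pivoted
inside the network. Log format and decoy names are constructed assumptions."""
import re
from collections import defaultdict

# Constructed decoys: nothing legitimate ever authenticates as these or to these.
DECOY_ACCOUNTS = {"svc_backup_old", "admin_legacy"}
DECOY_HOSTS = {"10.0.5.250", "10.0.5.251"}  # answer on the wire, hold no real data

# Constructed log format: "<ts> auth user=<u> src=<ip> dst=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(event):
    """Return why the event is suspicious (decoy touched), or None if it is benign."""
    if event["user"] in DECOY_ACCOUNTS:
        return "decoy-account"
    if event["dst"] in DECOY_HOSTS:
        return "decoy-host"
    return None

def analyse(lines):
    """Map each internal source IP to the decoy signals it triggered, plus the
    tarpit delay (seconds) to apply to that source: doubles per touch, capped at 60."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip, never crash the detector
        reason = classify(ev)
        if reason:
            hits[ev["src"]].append((ev["ts"], reason, ev["dst"]))
    return {src: {"signals": sig, "delay_s": min(60, 2 ** len(sig))}
            for src, sig in hits.items()}

# Constructed sample log: one normal user, one source probing decoys, one bad line.
SAMPLE_LOG = [
    "2015-01-12T03:14:01Z auth user=jsmith src=10.0.1.40 dst=10.0.2.10 result=ok",
    "2015-01-12T03:15:22Z auth user=svc_backup_old src=10.0.1.23 dst=10.0.2.10 result=fail",
    "2015-01-12T03:15:30Z auth user=jsmith src=10.0.1.23 dst=10.0.5.250 result=ok",
    "2015-01-12T03:16:05Z auth user=admin_legacy src=10.0.1.23 dst=10.0.2.11 result=fail",
    "not a log line",
]

if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LOG).items():
        print(src, info)
```

Everything here happens on hosts you own; the "response" is a delay applied to the intruder's requests inside your network, which is the tactical and legal distinction the post draws.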
Reason #1 not to hack back: it's illegal
For companies and individuals to conduct denial of service attacks is illegal. Accessing a system that does not belong to you is illegal. Distributing code designed to enable unauthorized access to a system is illegal. To be clear: doing unto others the illegal stuff they are doing unto you? Illegal. The lawyers in the room might want to pipe up and remind you that I'm not a lawyer. That is true, so please ask your corporate counsel to sign off on your plans to hack back before you proceed. I guarantee they will refuse to do so. (If you have knowledge of any real world cases that would refute this, please let me know.)
The very angry people in the room, maybe those who are being, or have been, victimized by criminal hackers, might want to say: "Stuff the law, we won't get caught, and if we do, the public will be sympathetic; law enforcement will take it easy on us." I respectfully suggest that public sympathy is little comfort if you are convicted of a crime, or face court ordered restitution costs for the collateral damage your counterstrike caused. Even in the realm of physical encounters, the legality of striking back is complex and dependent on a wide range of factors, any one of which might put you on the wrong side of the law.
Reason #2 not to hack back: it leads to a dark place
Freelance law enforcement and citizen aggression is frowned upon in civil society because it shoves us down the road toward a type of Wild West free-for-all in which criminal activity targets those least able to strike back. Suppose that a large bank, the kind that makes tens of billions of dollars a year in profits, decides to strike back at criminal hackers. That will likely cause some criminals to target smaller banks instead, the kind that cannot afford a counterstrike program, let alone pay millions of dollars in fines if their hack back efforts are found to be in breach of the law.
Surely it is better to channel the anger and outrage over being hacked into lobbying for a bigger and better law enforcement response to cyber crime. Clearly, the current state of affairs is unacceptable. Two of the five largest American retailers get seriously hacked but nobody gets arrested. Tax identity thieves rake in $5 billion yet the IRS budget gets cut. Clearly, there is plenty of room to improve law enforcement before we resort to outsourcing cyber-aggression.
Reason #3 not to hack back: you're not tough enough
Please don't take this advice personally; I'm not saying there is any weakness in your character. My point is: hacking back carries a serious risk of escalating the very activity you are trying to discourage. Let's assume you have figured out how the bad guys got in and you've remediated that weakness in your defenses. You are now poised to hack back. Now ask yourself, or rather your team: Are we sure there are no other weaknesses as yet undiscovered?
If you are sure, then I'm very impressed, but also very skeptical. The Internet has created a highly asymmetric threatscape which manifests itself in two key realities. First, defenders have to get things 100% right 100% of the time, but attackers seeking to penetrate your systems only need to find one hole to get in. Second, attackers seeking to damage your systems can probably marshal more resources than you. Don't believe me? As currently implemented, the architecture of the Internet enables a wide range of denial of service attacks, and new types of attack continue to emerge, like the SSDP attacks described here. Bear in mind that the number of devices that could be recruited for such attacks is more like 14 million than the 4 million originally reported.
Reason #4 not to hack back: known unknowables
Anyone who has followed the saga of the Sony Pictures hack will know how hard it is to know who is attacking you. While the FBI says it was North Korea, there are plenty of security experts who are skeptical of that claim. Some signs point to insiders, or Russian-speaking persons, or "the Chinese". A group called Guardians of Peace claims it was them, but who are they? The technical term for this mess is: the attribution problem. It is a very tough problem to solve, but here's the thing: it is a known problem, which means you may not get much sympathy if you hack back at the wrong person because you messed up the attribution. To put this another way, if you have enough evidence to prove who is attacking you, why not hand it over to law enforcement and have them take legal action? A lot of folks in law enforcement would love to bring an ironclad criminal hacking case to court.
For a real world example of how hard attribution can be, consider the case of Georbot, a malware-based hacking campaign apparently targeting government systems in Georgia (the country, not the U.S. state). When this information-stealing botnet was discovered by ESET researchers, they took apart the code and monitored the command and control activity (report published March 2012); however, even then they could not be sure who was responsible. The official line from the government of Georgia was that Russia was responsible, a claim backed up with a photo of a "Russian-based hacker" sitting at his keyboard, snapped by his webcam. When elections were held in the fall of 2012, power shifted to the Georgian Dream opposition coalition of billionaire businessman Bidzina Ivanishvili. In 2013, I spoke with a source close to Mr. Ivanishvili who described in detail how the malware campaign had actually targeted members of the opposition movement, at the behest of people within the previous Georgian government. In other words: attribution is hard. Getting attribution wrong can have serious consequences.
Reason #5 not to hack back: it doesn't solve the problem
Suppose you do know exactly who has hacked into your network and you hack back at them without causing collateral damage. What have you gained besides a righteous sense of satisfaction? Are you sure that's the end of that threat? What have you done to stop someone else attacking you? I think some organizations entertain a scenario in which their counterstrike capability earns them a reputation as the guys with whom you do not mess. That scenario assumes all criminal hackers are rational actors, a very dangerous assumption given the history of hacking.
More importantly, hacking back does nothing to bring us closer to the desired goal of a well-ordered Internet governed by rules of behavior that are enforced by appropriate authorities. For a look back at previous discussions of hacking back there is a good article with plenty of links at Bank Info Security.
(If you disagree with any of the points I've made here, please leave a comment and let me know why.)