On 'Hacking Back'

Enterprises and organizations are under a constant onslaught of attacks from cybercriminals, and in some cases Nation States, — all attempting to steal or ransom data for monetary gain. Most of these attacks come from or at least are staged from, nations that are unlikely to cooperate with law enforcement from other countries. What recourse then, do organizations and nations who are under attack have? ‘Hacking Back’, launching attacks back at the source of incoming attacks on an organization, is a manner of recourse that has oft been discussed by cybersecurity professionals, legal scholars and law enforcement — but will it work and is it a good idea?

As a security professional charged with the protection of my client’s corporate networks I do understand the drive to just take offline that one machine, or group of machines, in another country that is constantly bombarding you with scans and attacks. This urge passes quickly, as I am reminded of the old axiom ‘an eye for an eye leaves the whole world blind’. There are many reasons why this would be a very, very bad idea.

Top of the list of cons is the fact that most, if not close to all, organizations are much too optimistic regarding their offensive capabilities. It is one thing to be a penetration tester, red team member, and tinkerer; it is another to deem those skills appropriate to go head to head with what could be highly paid individuals working for nation states or organized crime. These people are working on a completely different scale, with well-practiced techniques, tactics and procedures, and the backing of what could be the military of a foreign nation. As good as you may be with Kali, it is unlikely that you are on their level. 

Attribution, determining who is behind cyber-attacks, is difficult and best left to professionals with expertise in this area. When performing Incident Response from cyber attacks responders will come across artifacts that determine how the attack took place. This includes more than just IP addresses, but the tactics that attackers employ, the code that they use, how they move within your network, how they exfiltrate data, all create a certain signature that is, in most cases, unique to that group or team. Cybersecurity pros call these ‘Techniques, Tactics, and Procedures’ or ‘TTPs’. While it could be possible for an average cyber analyst to find some of these TTPs, it would be unlikely that anyone but a seasoned responder with access to a huge database of threat intelligence could accurately determine the true source behind an attack. Without trustworthy attribution who do we launch our counterattack against? 

Infrastructure used in attacks may be owned by third parties and could be caught in the net of an attempt to launch one of these counter-attacks. Attackers will often use compromised systems to stage attacks, launch attacks, store data or as command and control systems. A counterattack could knock a web-server for another company offline, who is an unwilling participant in the initial attack. The liabilities associated with this are numerous. And then there is the potential for attackers to stage an attack as if it comes from an oblivious third party — who is then counterattacked by the initial target. Now, are you not only protecting your network from legitimate attacks but also counterattacks that are falsely attributed to you or use compromised systems on your network.

If you live in the western world most of the organized attacks that you see will come from overseas. While the US has tried to table the idea of ‘hacking back’ with the Active Cyber Defense Certainty (ACDC) Act it is still illegal under international law to hack across national borders, leaving the majority of attackers out of your reach. Hacking back outside of your nation’s borders has the potential to create an international incident and harm relationships with nations that are already under great strain.

‘Hacking back’ raises its head every year and has done so for almost a decade. It was always a bad idea, and it will always be a bad idea. Instead, organizations should focus on their efforts to enhance their defensive capabilities.