
Cyber Defense vs. Cyber Vigilante – Part 2 – Hacking Back

Created: 16 Jul 2013 • Updated: 16 Jul 2013 • 4 comments
Phil Harris

In continuing this blog, my original plan was to outline the Cyber Defense side. However, I think it is important to discuss the Vigilante side first. There has been a lot more in the news lately about companies and individuals considering "hacking back" to recover their data, whatever that data may be. It is an interesting notion, and one that is not lost on the American spirit when you think of the long-lost days of the Wild West, where everyone in one form or another had to take matters into their own hands because law enforcement was either unavailable or non-existent. Now fast forward to today and the Internet. I have always maintained that the Internet is pretty much the Wild West in electronic form: you have good, law-abiding folks; folks who teeter one way or the other; and folks who are out to do whatever they want, up to and including the wanton destruction of others. So what do we do in a world where law enforcement and government have not yet caught up with the bad guys in a way that effectively protects individuals or companies, and where your attacker is halfway around the world?

Let's discuss the issues around "hacking back". Say an individual or a company decides to hack back. What is the best possible outcome? Best case: you recover your data. That sounds like a good outcome, but is it really? Do you know that there is no other copy of your data anywhere else? Do you know that your financial (or other) data has not already been exploited? Unfortunately, I submit that you do not know the answers to these questions. Worst case: you did not recover your data, and you angered the attacker because, guess what, you left your fingerprints all over the attacker's machine and they decide to come back and annihilate your life. Or you never even reached the attacker's system and got nothing for your trouble except a lot of wasted time and empty accounts, because you did not contact your bank in time.

I am certain there are more scenarios than these, but I want to pull two things out of the above: 1) angering the attacker; and 2) wasted time. We are all professionals in the security field who read about this stuff all the time. When I first started reading about "hacking back" I thought, wow, what an interesting idea; this might be a good short-term answer! Well, I am glad to say I have had enough time to think about it from a pragmatic and practical standpoint, meaning I have gotten past the emotion of being hacked. Let's think about it for a moment.

Angering the attacker is the most likely result of your actions, especially if you actually get into their systems, because you are probably not as careful or diligent as they are. The likely backlash is that you will be attacked again with a vengeance and end up much worse off than before. Regarding wasted time, the reality is that we all have jobs, families, things to do, finances, homes, bills, and so on, and the thought of stopping your life to take on this activity sounds, to me anyway, like it may not be worth it. There are certainly folks out there with the technical acumen to pull off something like this. As for companies, I am not sure there is enough staff to take on this kind of activity; from what I can see, companies have a hard enough time gaining and keeping visibility into their own networks with the staff they have.

But the real question is what you would be giving up to take this on, whether it is worth it, and, not least, the lack of legal precedent in this area. For example, to reach an attacker's computer you may need to break into other computers the attacker has already subverted; does that now make you an attacker who has broken the law? The "good news", such as it is, is that there is very little precedent here and the law is vague on whether or not "hacking back" is legal. Additionally, there is the possibility that even if you got caught, law enforcement might not be interested in pursuing it; they would probably be more interested in what you found and how you got there.

There is another possibility that I am starting to read more about, and that has to do with "poison pills". The idea is that you have a poison pill on your computer that either lets you follow the attacker and get your data back immediately, or, once the attacker has taken your data, activates and destroys your data on the attacker's system or, possibly, destroys the attacker's system. There is also the possibility of poisoning the attacker's Remote Access Tools (RATs) and using them as a means to track your information back or to find other unwitting victims. If something like this were available to folks, I would bet there would be some takers.

The other consideration is that attackers tend to be far more technologically sophisticated and have far more time on their hands, which makes a "hack back" that much more dangerous for the victim than for the attacker. It is interesting how, the further you go down the path of what to do, the more "hacking back" looks like a bigger risk to the victim than to the attacker, given the pros and cons of what one stands to gain versus lose in this battle. With that in mind, I am leaning toward what law enforcement and the security industry could do to deal with this effectively. I wonder whether security vendors and government could work more closely together on a number of things: create poison pill technology that renders user data useless after an attacker steals it, and significantly increase the number of honeypots around the world to poison attacker tooling rather than just studying their techniques and methods. We could take the "watering hole" attack and turn it around on the attackers. That would be a great start, instead of waiting for them to go away.

Here are my summary thoughts.

I believe "hacking back" is a very risky proposition for individuals and companies alike. Give serious consideration to what you stand to lose by going toe to toe with attackers. Both should spend more of their time implementing appropriate measures to protect themselves. At the same time, individuals and companies should demand from their vendors and government the means to participate in retaliation safely, in addition to implementing protective measures. The idea of creating a significant number of "watering hole honeypots" worldwide that do more than just help us understand our attackers sounds like a really interesting and effective way to get attackers to come to you and then nail them with poisoned technology. Rather than hunting for them individually, have them come to you.

Comments (4)

Robert Shaker:

Hey Phil,

What do you think about large organizations hiring entire teams of attackers, or a company that performs attacks for them, to attack attackers full time, leveling the playing field?

Bob is a Senior Leader on the Symantec Managed Incident Response Service team. He can be found online at LinkedIn or Twitter

phlphrrs:

Well, the problem with the Internet right now is that it's basically the Wild Wild West, and while it's an attractive option to take the law into your own hands, it doesn't really contribute to bringing lawfulness to the Internet. I think the other big issue is that the rest of the world plays in this Wild Wild West as well, and it's going to take a long while to rein in control. Taking the law into your own hands, or condoning organizations that do this for you, is never a good idea and could also put organizations in a bad position legally. The other downside is that attackers generally have unlimited time, money and resources to do their attacking, and companies that decide to take this on would end up having to do the same. Shareholders and customers also may not like the idea that company resources are being used in this way.

Phil Harris, CISSP, CCSK
Sr. Cyber Security Principal

Cyber Readiness & Response

(925) 487-6040

Mick2009:

Hi Phil,

When time allows, can you provide a link to Cyber Defense vs. Cyber Vigilante – Part 1?

Many thanks!!

With thanks and best regards,


SebastianZ:

Found part 1 "outside" of Connect:
