Security Experts:

Hacking Back: Industry Reactions to Offensive Security Research

Hacking back, whether as part of an active defense strategy or a threat intelligence effort, is a controversial practice that many security firms and experts officially advise against. However, retribution is in some cases part of active defense offerings and researchers do occasionally compromise the infrastructure of threat groups to unmask their activities.

Feedback Friday

A good example of researchers “hacking back” is detailed in a report published this week by security firm Check Point. The company hacked into the phishing and C&C servers of the Iran-linked group dubbed Rocket Kitten (aka Newscaster), which led to the identification of victims and even an individual suspected of being the main developer.

Many industry professionals contacted by SecurityWeek pointed out the legal implications of hacking back, and while some condone these practices to some extent, others condemn Check Point for the way it acted. Some experts have provided more legitimate alternatives to hacking back, both when it comes to active defense and threat research.

And the feedback begins...

Costin Raiu, Director of Global Research and Analysis Team, Kaspersky Lab: 

"First of all, it's important to mention that hacking servers would be illegal in most countries unless done by various law enforcement organizations, with a court order. In our case, we do work with law enforcement and other partners to acquire disk images and sinkhole malicious domains in order to get a better understanding of cybercriminals.


For instance, in one case we noticed that a legit website was used to host a C&C script for a high profile malware campaign. We contacted the owners of the website and kindly asked for a copy of the scripts, which they were glad to share. In exchange, we offered them advice on how to secure their website against future attacks. Actually, this happens a lot of times - asking kindly does work!"

Anthony DiBello, director of security, Guidance Software:

“Unless there is backstory that justifies the decision Check Point made to hack into an unknown server, this action is difficult to support. While the result of the research is certainly interesting, the full report acknowledges Check Point doesn’t know with certainty where the data was physically located. The report acknowledges that Check Point hacked into machines that might have been in Germany, "Because of the way satellite communications work, the infrastructure geo-located to Germany may not be physically located in that country."


“MAY not be…?” That’s hardly a defensible position. This is precisely why hacking back is not legal according to the terms of the Computer Fraud and Abuse Act. Attribution is very difficult to achieve, and while Check Point may have applied attribution to the “ring leader,” how do we know for sure? I would be fairly suspicious of the weak safeguards that were found to be in place.


Along such solid logic, one could also say “…may by a rogue server operating in the ceiling tiles of a multi-national company located in Germany.” Check Point, according to the facts of the report, has no idea as to the physical location (or nature) of the machine they broke into.


The other side of this is how actionable data and intelligence obtained illegally would stand up in a court. Did the vendor collaborate with law enforcement before conducting their attack on the Rocket Kitten C&C server? Was the attack and investigation done in such a way as to ensure any government entity could obtain a warrant for and ultimately prosecute Yaser Balaghi? If nothing else, assuming Yaser is a real person, this report certainly tipped him off that it’s time to go dark.”

Toni Gidwani, Director of Analysis and Production, ThreatConnect:

“'Hacking back' is a vague term that can often be confused and I think we have to be careful what we're talking about. There's a difference between researchers using legal means to exploit a hackers' incompetence with the intent to understand and expose their activities (the Rocket Kitten / CAMERASHY example) and launching a counter-exploitation campaign where researchers use illegal means and methods with the intent to surreptitiously monitor the adversary.


'Hacking back' is symptomatic of how frustratingly inadequate macro-level efforts are in the cybersecurity sphere. Rocket Kitten had been exposed by numerous researchers with no impact on their ultimate ability to continue launching attacks. If publicly exposing adversary activity (naming and shaming) and government entreaties aren't enough to dissuade adversaries from hacking, we're going to keep having this discussion as organizations push the envelope in pursuit of more effective means to mitigate today’s threats.”

Related Reading: Long-Term Strategy Needed When Analyzing APTs

Bob Hansmann, Director of Security Analysis and Strategy at Raytheon|Websense:

"We advise avoiding the 'attribution trap.' Forensic investigation should focus on profiling the attacker only to the extent necessary to understand their intent and techniques. You can then adjust defenses and processes to maintain an adaptive security posture.


Chasing the bread crumbs of attribution will waste security resources that are better used for remediation and defense improvements. Even without 'hacking back,' aggressive forensic activity may also alert threat actors, causing them to shift tactics before you have successfully countered an ongoing attack.


Chasing attribution also carries with it the risk of causing collateral damage to innocent bystanders. Sophisticated threat actors often use compromised websites to host and obfuscate their attacks, as well as spoofing and complex re-direct chains. Your pursuit of a threat actor may cause harm to an innocent host, exposing your organization to legal and financial risk.


The attribution trap can be a slippery slope which consumes attention and resources, and may expose the organization legally and financially. Cooperate with law enforcement as much as possible, but maintain focus on the priorities of constantly adapting defenses for the next attack."

Lance Cottrell, Chief Scientist for Passages, Ntrepid Corporation:

“There are obvious legal issues with hacking back which could put security professionals in hot water very quickly. A huge amount of ink has been spilled about the exact line between appropriate self defense and illegal hacking by the defender. What often gets overlooked is the problem of misattribution and innocent bystanders.


Attackers are usually using hijacked computers for their command and control servers in order to execute their attacks. In many cases they are constantly changing through multiple such compromised computers to ensure their identities and locations remain unknown. This creates a big problem for hacking back. Although the attack may have been tracked to a certain computer, that computer is probably owned and used by some innocent party; a previous victim of the same hacker. Disrupting that computer, and with it the owner's business or data, further victimizes that bystander.


With proper care, and with law enforcement in tow, it can often be very effective to seize or take control of key servers in the hacker’s stolen infrastructure but it needs to be done judiciously and with a focus on minimizing collateral damage. Many people are looking for an opportunity to simply take the fight to the enemy and give them a taste of their own medicine. That is just vigilante justice. Proper "hacking back" is very deliberate and more about carefully disassembling the hackers network than exacting revenge.”

Christopher Pogue, SVP, Cyber Threat Analysis, Nuix:

"When asked about the concept of hacking back, the answer is simple. It's cyber vigilantism. It's illegal. Don't do it. So as not to operate in the world of such moral absolutes, let me provide some additional details into why this is a horrible idea:


1. Poking the Bear - Attackers, regardless of their skill level, enjoy several advantages, not the least of which is that they are hackers and most IT professionals are not. In all likelihood, they probably have hacker friends who belong to hacker groups; maybe even groups like Anonymous, Lulzsec, Malsec, The Impact Team, or God'sApstls. By hacking back, victim organizations have the potential of angering one of these groups in actuality or in principle, the results of which would most certainly be much worse than the original incident.


2. Who are you attacking - A large percentage of attacks take place from something called, "Jump Servers" or "Jump Boxes". Basically, the hackers take control of a totally benign system (public library, day care facility, non-profit, etc.) with weak security controls, and use it as a jumping off point to carry out other attacks. So, by hacking back to one of these organizations, you may very well be attacking just another victim.


3. Don't start an international incident - Many countries from which these attacks are launched consider cyber-attacks tantamount to an act of war. By hacking back from within the United States, you could be viewed as acting as an agent of the United States Government, and you could inadvertently kick a political hornet's nest.


4. We have people for that - There are federal agencies like the Secret Service, the FBI, the CIA, and the NSA whose job it is to handle situations like this. They have badges, guns, and jurisdiction (which you have none of). If you experience a cyber-attack, call in the professional right away and let them do what they do best.”

Zulfikar Ramzan, CTO, RSA:

“It’s important to note that active defense and hack back are not synonymous with each other, even though the two concepts often get conflated. Hack back is merely one tactic in the active defense playbook. It treads down a slippery slope. Aside from legal considerations, it’s easy to make a mistake when hacking back and accidentally going after the wrong resource. In the process, you might also be effectively poking the bear and risk having to face serious retaliation. Ultimately, hack back takes the eyes off the prize of understanding how the attackers got in and what you can differently moving forward.


Organizations would do well to consider active deception techniques instead. These techniques not only slow attackers down considerably, they allow you to see firsthand how attackers might be exploiting weaknesses in your IT infrastructure, which can enable you to take intelligent decisions to address the corresponding issues. We live in a world where we can’t just work hard to stop the bad guys; instead we have to work smart.” 

Casey Corcoran, VP of Strategy, FourV:

“While having an active defense program such as honeypots combined with forensic analysis of intrusions are informative and useful from the perspective of understanding what the adversary is after and the tactics employed to get there (and sharing this information via sharing services such as the ISACs), hacking back at aggressors should be carefully considered. Hacking back can have severe unintended consequences:


1. Cyber-warfare is asymmetrical, where the attacker can exact considerable damage on the victim at a small cost. Striking back at someone with little at stake is ineffective at best, and dangerous otherwise.

2. Hacking (forward or back) is illegal. In the U.S. there is no analog to the “stand your ground” law in cyber security, and foreign countries have far different legal perspectives than we do in the U.S.

3. Generally, in cyber security and otherwise, taking the law in your own hands puts one in a dicey situation. These are things best left to officials.

4. There is a real chance that a hack back will do harm to innocent parties.


Honeypots and similar tactics are good early-warning systems, as they allow defenders monitor threat activity and risk factors relevant to their environment, without putting business assets at risk. Patterns learned from these can then be applied to monitoring for risk factors within the production business environment.”

Steve Lowing, Director of Product Management, Promisec:

“Security researchers are always looking to understand the approach attackers are taking or have taken if part of an incident response effort. This includes what a C&C server is doing, where it’s located, approach it might take to hide itself, compromised data, impacted victims etc. So poking and prodding the actual code of the attackers is perfectly normal. In fact under-scoping an attack is one of the biggest mistakes IR teams could make so we strongly advise teams to complete their analysis before they start to respond, otherwise they would likely miss a key element and not actually stop the attacker.


That said there is a fundamental difference between understanding an attack approach and say carrying out an attack on the hackers. The former is what research teams do every day, the latter is what makes for a good movie (well maybe weak depending on your definition of good movie). So the notion of “hacking back”, at least in our experience is best left for the sound stage.”

Guy Bejerano, CEO and Co-Founder, SafeBreach:

"Hacking back is mostly about attribution, sometimes about recovery of IP and all about retribution -- all motives that don’t erase the reality of compromise, nor do they measurably increase security. Unlike crime in the physical world, fighting back is not a deterrence, and attribution only gives you intel on that ONE event, not the hundreds of other campaigns or adversaries that threaten a company’s well-being.


That being said, companies should practice hacking, but the target should be themselves. Companies don’t need to understand adversaries as much as they need to understand how adversaries VIEW THEM. How will an adversary assess and attack YOU and your infrastructure? Ultimately, the best form of attribution is not what kind of adversary you face, but what kind of target you represent."

John Prisco, President & CEO, Triumfant:

“Over the years there have been reports of companies who have fallen victim to attacks and as a result, have decided to conduct unsanctioned, offensive operations in an effort to retrieve stolen data or knock computers offline to stop further attacks. Such a visceral response is understandable! – after all, unknown attackers infiltrated networks and stole private information.


Anyone can complete an offensive attack, it’s akin to completing a five-yard out pass in football, but the stakes of mounting a counterattack are exorbitantly high. Retaliation could make the initial attack worse – hackers who are already in your network could escalate the assault. Not to mention that hacking offensively could lead to jail time in the USA. Instead of striking back, it’s advisable to spend time focused on implementing a policy of rapid detection and removal after identifying APTs, zero-days and volatile in-memory attacks.”

Jason Lewis, Chief Collection Officer, LookingGlass Cyber Solutions:

“Companies not prepared to deal with the consequences of attempting to penetrate attacker infrastructure should stay far away from retaliation. The attackers have nothing to lose and you may encourage escalation. A DDoS attack can quickly grow from annoyance to crippling. Attackers may decide to release personal information about company executives and their families. If extortion is involved, the attackers may decide that your attempts to "hack back" increase the price to go away. Depending on location, you may be violating local laws and put yourself into the attacker category.


One has to ask, "what's the goal?", “what do you gain by penetrating the attackers infrastructure?”. If you were successful, what next? If you manage to take down infrastructure, have you stopped the threat? Is the end game to reveal the attackers? At least law enforcement has the ability to ultimately intervene at a physical level. If you can't stop the people, they will just set up new infrastructure.”

 

Related Reading: Researchers Hack Infrastructure of Iran-Linked Cyber Spies

view counter