Countermeasure: Hack the Hacker?

In light of the growing number of mega breaches (e.g., MEGA Collection #1, Dunkin’ Donuts, Citrix) and the ongoing ransomware epidemic, politicians on both sides of the aisle are pushing for legislation that would allow organizations to take an offensive posture vis-à-vis attackers — often called “hack back”.

Initially introduced in 2017, the Active Cyber Defense Certainty Act (ACDC) was reintroduced in the U.S. Congress earlier this year. The bill would make changes to the Computer Fraud and Abuse Act (CFAA) and allow corporations and other victims of cyber-attacks to pursue adversaries outside their network boundaries to disrupt their activities. However, many security experts warn against commercial organizations taking the law into their own hands and oppose this type of legislation, since it could result in unintended consequences such as targeting the wrong groups or triggering a cyber war with nation-states. 

To implement an active cyber defense strategy similar to the posture taken by the U.S. Cyber Command over the past few years, organizations could take several steps, such as booby-trapping files to trigger alerts, conducting reconnaissance on hacker infrastructure, remotely breaking into attackers’ servers and wiping any data, and even launching distributed denial-of-service (DDoS) attacks against cybercriminal operations.
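Of the steps listed above, only the first one stays inside the organization’s own network: a decoy (“canary”) file that nobody has a legitimate reason to touch, so that any change to it is an alert. The following is an added illustration of that idea, not code from the article or from any product; the file names, the decoy content, and the JSON alert format are constructed for the example. It plants decoy files, records a SHA-256 baseline, and reports any file that has since been modified or deleted.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed decoy content. It holds nothing sensitive; the file exists only to be
# watched, so a change to it is a signal worth investigating, never a loss.
CANARY_CONTENT = b"CANARY-FILE: decoy document, do not edit. Changes are alerted to the SOC.\n"


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(directory: Path, names: list[str]) -> dict[str, str]:
    """Create decoy files and return a baseline {path: sha256} to compare against later.

    The baseline should be stored somewhere the monitored host cannot alter it
    (e.g. on the monitoring server), otherwise tampering could cover its own tracks.
    """
    baseline = {}
    for name in names:
        p = directory / name
        p.write_bytes(CANARY_CONTENT)
        baseline[str(p)] = sha256_of(p)
    return baseline


def check_canaries(baseline: dict[str, str]) -> list[dict]:
    """Compare the current state to the baseline; return one alert per tampered canary."""
    alerts = []
    for path_str, expected in baseline.items():
        p = Path(path_str)
        if not p.exists():
            alerts.append({"path": path_str, "event": "deleted"})
            continue
        actual = sha256_of(p)
        if actual != expected:
            alerts.append({"path": path_str, "event": "modified",
                           "expected_sha256": expected, "actual_sha256": actual})
    return alerts


def to_siem_line(alert: dict) -> str:
    """Serialize an alert as one JSON line, a shape most log collectors ingest directly."""
    return json.dumps({"type": "canary_alert", **alert}, sort_keys=True)


def demo() -> tuple[list[dict], list[dict]]:
    """Plant canaries in a temp dir, simulate tampering, return (alerts_before, alerts_after)."""
    with tempfile.TemporaryDirectory() as d:
        directory = Path(d)
        # Constructed decoy names chosen to look interesting to an intruder.
        baseline = plant_canaries(directory, ["passwords.xlsx", "Q4_board_deck.docx"])
        before = check_canaries(baseline)          # nothing touched yet -> no alerts
        (directory / "passwords.xlsx").write_bytes(b"tampered")   # simulated modification
        (directory / "Q4_board_deck.docx").unlink()               # simulated deletion
        after = check_canaries(baseline)           # one "modified", one "deleted"
    return before, after


if __name__ == "__main__":
    _, alerts = demo()
    for alert in alerts:
        print(to_siem_line(alert))
```

A hash comparison catches modification and deletion but not a read-only copy of the decoy; detecting reads requires the operating system’s audit facility (an auditd watch rule on Linux, or a SACL on the file so that Windows logs event 4663 on access), which is where a canary file earns its keep in practice.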

However, under the current CFAA, reaching beyond an organization’s boundaries to target hackers who have stolen its data, or are trying to steal its data, is considered illegal hacking. Organizations that still choose to implement active cyber defense strategies operate in a gray area in which no guidelines exist. That is what the ACDC aims to address, by establishing acceptable rules of engagement for responding to data breaches.

Active Cyber Defense Flaws

Cyber security experts are opposed to this legislative initiative due to the following concerns:

Most corporations lack the skills and expertise to take on professional hackers. While high-tech giants like Google might have the necessary in-house talent to carry out a “hack back” attack without causing any unwanted collateral damage, this cannot be said for many other organizations. Even the ACDC bill acknowledges that it requires a high level of sophistication to carry out “hack backs” by stating that only those that are “qualified defenders with a high degree of confidence in attribution” should be leveraging an active cyber defense strategy.


An even bigger issue is how organizations would establish the true identity of their cyber adversary. Attribution has always been the most difficult element of data breach investigations, which can often take months to complete and does not always achieve conclusive identification of the threat actor. Professional hacker groups are very skilled at concealing their tracks using spoofed IP addresses, publicly available third-party attack tools, and the computer systems of innocent corporations to carry out their attacks. As a result, organizations run the very real risk of targeting the wrong groups as part of their hack back activities. 

And, finally, giving corporations the right to hack back could pit private companies against nation-states such as North Korea, Russia, China, or Iran. What would happen, for example, if a major private sector company that believes it has been hacked by China decides to hack back? This could have major national security implications if it decides to go after the attacker’s computers.

Back to the Basics

Before implementing an active cyber defense strategy, organizations should conduct a self-assessment to determine whether they are applying the most basic cyber hygiene best practices, which go a long way towards preventing infections and minimizing the risk of falling victim to a cyber-attack.

When conducting post-mortem analysis of data breaches, it becomes apparent that lack of cyber hygiene was often a contributing factor. Therefore, organizations should focus on implementing the following cyber security best practices:

• Maintain a comprehensive asset inventory and classify all assets based on their sensitivity and risk;

• Conduct security awareness training among employees and contractors;

• Back up data regularly;

• Use preventive security technology such as anti-virus, anti-malware, and email spam filtering tools;

• Continuously patch vulnerabilities based on a risk assessment; and

• Configure access controls with least privilege in mind. 

When it comes to assessing the leading security vulnerabilities facing today’s organizations, the human factor is high on the list. In fact, analyst firm Gartner identified Privileged Access Management as one of the Top 10 information security projects in 2018 and again for 2019, since it is an area where organizations can achieve the greatest return on IT security investments.

While the urge to hack back after a data breach is very appealing, going back to the basics and applying proper cyber hygiene is a better alternative with a higher reward and lower risk of producing unintended consequences.


Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
