SecurityWeek

Cybercrime

Preventing the Other Kind of Hack Back

There has been endless discussion among security professionals about the ethics, propriety, legality, and effectiveness of corporations “hacking back” against attackers. On the other hand, there is no hesitation on the part of attackers to hack back against threat intelligence researchers who are investigating them. Identification and retaliation are a constant risk for anyone probing the darkest back alleys of the internet.

There are two paths criminals use to attack investigators: they can try to compromise the investigator’s computer directly, or they can identify and attack the organization behind the investigation. Many techniques can protect against both paths.

What’s at Risk

Attacks on the organization are the potentially more damaging risk. By properly hiding your identity during your investigations, the target will not know whom to attack. Attacks on your organization can manifest in many ways, including DDoS, phishing, and hacking. In some cases, the counter-attack can be against the investigating organization’s reputation. I worked with a toy company that discovered that some of its products were appearing in adult videos. In the course of their unprotected research, they were identified. The adult video website then publicized the fact that the toy company personnel were frequent visitors to the website, causing the company significant embarrassment.

Covering Your Tracks

As the Russian DNC hackers showed, it is not easy to maintain your anonymity. The first step is to ensure that your visible IP address is not associated with your organization. That means not only that it should not be a company IP, but that it can’t be a coffee shop in the building or any other address which could easily be connected with the organization. Because many protocols can leak identifying information, take care to ensure that all communications from your desktop go out through your chosen IP.

It is critical to hide your identity from the very beginning, and each and every time thereafter. The Russian hackers forgot to turn on their VPN only once, exposing their real IP address. From that one mistake, all of their activities could be attributed back to the GRU.

Hiding your Fingerprint

After hiding your IP, you need to take care of all the other ways an attacker can identify your computer. Your browser fingerprint, cookies, and super cookies can all quickly expose your organization. Conducting all of your investigations inside a clean virtual machine, used only for this purpose, can be very effective at protecting your identity. Even seemingly innocuous activities can expose you. Any personal browsing, searching, or social media use within the virtual machine can leak identifying information to a savvy opponent.

Carefully isolating the virtual machine from your real desktop can go a long way toward preventing damage from any direct counter-attacks while investigating. Any malware they sneak past your scanners will be destroyed when the virtual machine is rolled back. Restricting all network traffic to only flow over a VPN to your chosen exit point ensures that malware can’t scan your local network for vulnerable targets or identifying device names.
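The two controls the column asks for, that every packet from the investigation desktop leaves through the chosen VPN exit and that the virtual machine can reach nothing else, can be checked rather than assumed. The following is an added example, not code from the column or from any product it mentions. It assumes a VM whose only physical interface is `eth0`, a tunnel interface `tun0`, and a VPN server at `203.0.113.10:1194/udp`; the log format and every address are constructed for the example. `audit_flows` reads a connection log and reports any flow that bypassed the tunnel (the "forgot the VPN once" case, including the DNS and NTP leaks that happen before the tunnel comes up), and `killswitch_ruleset` emits the nftables policy that would have prevented those flows in the first place.

```python
"""Audit outbound flows from an investigation VM for traffic that bypassed the VPN.

Added example, not from the original article. Assumed (constructed) setup:
physical interface eth0, tunnel interface tun0, VPN server 203.0.113.10:1194/udp.
"""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Flow:
    ts: str
    iface: str      # interface the packet left on
    proto: str
    dst_ip: str
    dst_port: int

# Constructed sample log, one line per new outbound connection. The format
# (key=value pairs) is invented for this example, not a real firewall's output.
SAMPLE_LOG = """\
2024-05-01T09:00:01 iface=eth0 proto=udp dst=203.0.113.10:1194
2024-05-01T09:00:02 iface=tun0 proto=tcp dst=198.51.100.7:443
2024-05-01T09:00:03 iface=eth0 proto=udp dst=192.0.2.53:53
2024-05-01T09:00:04 iface=lo proto=tcp dst=127.0.0.1:8080
2024-05-01T09:00:05 iface=eth0 proto=tcp dst=198.51.100.9:80
2024-05-01T09:00:06 iface=eth0 proto=udp dst=192.0.2.1:123
"""

# Ports whose leakage is especially telling: DNS and NTP fire before a browser
# is even opened, so they are the classic "tunnel not up yet" leaks.
LEAK_HINTS = {53: "DNS", 123: "NTP", 80: "HTTP", 443: "HTTPS", 1900: "SSDP"}

def parse_log(text: str) -> List[Flow]:
    """Parse the constructed log format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *rest = line.split()
        fields = dict(tok.split("=", 1) for tok in rest)
        ip, port = fields["dst"].rsplit(":", 1)
        flows.append(Flow(ts, fields["iface"], fields["proto"], ip, int(port)))
    return flows

def audit_flows(flows: List[Flow], tunnel_iface: str = "tun0",
                vpn_endpoint: Tuple[str, int, str] = ("203.0.113.10", 1194, "udp")
                ) -> List[Tuple[str, str]]:
    """Return (timestamp, description) for every flow that did not use the tunnel.

    Allowed: loopback, anything inside the tunnel, the tunnel's own encapsulated
    traffic to the VPN server, and DHCP (the VM needs an address to reach the VPN).
    Everything else on a physical interface is a leak of the real IP.
    """
    leaks = []
    for f in flows:
        if f.iface in ("lo", tunnel_iface):
            continue
        if (f.dst_ip, f.dst_port, f.proto) == vpn_endpoint:
            continue
        if f.proto == "udp" and f.dst_port in (67, 68):
            continue
        hint = LEAK_HINTS.get(f.dst_port, f"{f.proto}/{f.dst_port}")
        leaks.append((f.ts, f"{hint} to {f.dst_ip}:{f.dst_port} left via "
                            f"{f.iface} instead of {tunnel_iface}"))
    return leaks

def killswitch_ruleset(phys_iface: str = "eth0", tunnel_iface: str = "tun0",
                       vpn_endpoint: Tuple[str, int, str] = ("203.0.113.10", 1194, "udp")
                       ) -> str:
    """Render an nftables output policy that drops anything not on the tunnel.

    Default-deny on output; the only exceptions are loopback, the tunnel itself,
    the encapsulated VPN session, and DHCP on the physical interface.
    """
    ip, port, proto = vpn_endpoint
    return f"""table inet investigation_killswitch {{
    chain output {{
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "{tunnel_iface}" accept
        oifname "{phys_iface}" ip daddr {ip} {proto} dport {port} accept
        oifname "{phys_iface}" udp dport {{ 67, 68 }} accept
    }}
}}
"""

if __name__ == "__main__":
    for ts, why in audit_flows(parse_log(SAMPLE_LOG)):
        print(f"LEAK {ts}: {why}")
    print(killswitch_ruleset())
```

Run against the constructed log, the audit flags three leaks (the DNS and NTP lookups and one plain HTTP connection on `eth0`) and passes the VPN handshake, the tunnelled HTTPS flow and loopback. The ruleset is meant to be loaded inside the VM only; applying it on the host would cut off the host's own management traffic.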

Actively investigating and infiltrating criminal groups online is not “hacking back,” but it may provoke that as a response. Taking proper care during your online activities can ensure that you get the information you need without putting yourself at risk.

Related: Considering The Complexities of Hack Back Laws

Related: FireEye Denies Hacking Back Against Chinese Cyberspies