Organizations all over the world are concerned about protecting the information assets they need to produce products,...
deliver services, differentiate themselves in the marketplace, produce revenue and deliver value to their customers and their shareholders. These organizations are devoting enormous amounts of resources to protecting the information assets needed for them to operate and stay in business.
Businesses and government agencies are under attack every day. The costs are enormous. According to a 2014 study by the Center for Strategic and International Studies, and security firm McAfee, cybercrime costs the United States 0.64% of GDP annually. Using a 2015 GDP figure of $18 trillion, that works out to be $115.2 billion a year.
Given the extent of cybercrime costs, many organizations are wondering, "Why can't I defend myself against these constant attacks and prevent these losses?" Actually, enterprises can defend themselves -- and can even engage in "hacking back." But the reality of a typical cybersecurity defense consists of passively sitting, waiting for the next attack to hit, while hoping that whatever defensive schemes you have employed will protect you.
Organizations may hope that attackers don't find where they didn't employ any defensive strategies, but also know that attackers would probably know about the next new vulnerability ahead of them. An attacker is likely to have an exploit for these vulnerabilities before organizations can form an effective defense against it. Organizations all over the world are finally coming to the realization that employing a purely defensive strategy to protect their information assets is a strategy that ultimately will fail.
This type of strategy will fail because of the asymmetric nature of information defense. This asymmetry is often expressed as, "To be successful, the defender needs to right 100% of the time, while the attacker needs to be right only once."
Given that the defensive strategies commonly employed are not working to protect vital information assets, organizations are becoming frustrated that the resources expended on cybersecurity only provide, at best, a low level of assurance that their information systems are protected.
For organizations that have been attacked, and suffered intrusions and losses in spite of investments in cybersecurity, the level of frustration and anger has built to the point where they may be willing to become more active and aggressive in dealing with their attackers. In a survey conducted at Black Hat USA 2012, 36% of respondents claimed they had retaliated in response to a cybersecurity attack.
One particular method of turning the tables on the attacker is "hacking back," in which the target of an attack responds with a counterattack against the cybercriminals or hackers. For organizations willing to at least consider going on the offensive by hacking back, what are some of the issues to consider?
Hacking and hacking back
Hacking is defined as accessing a computer, network or information system, including its information, without authorization. Hacking involves circumventing security controls or exploiting vulnerabilities with malicious intent.
Hacking back is also accessing a computer, network or information system without authorization. The difference with hacking back is with respect to motivation. The motive for an organization to hack back against an attacker may be to recover or wipe stolen data or intellectual property. Other motives for hacking back may be retaliatory in nature, including disrupting or damaging the attacker's systems and degrading their ability to carry out future attacks.
The decision to hack an adversary is a policy decision that needs to be made at the highest levels of management. Hacking back is a technical activity, but deciding to do it is a business decision. Information security is a business-focused operational risk management activity, and the decision to hack an adversary in order to protect information needs to be considered from a risk management perspective.
Legal and ethical implications
If malicious hacking is an illegal activity, then hacking back is also illegal. In the United States, the Computer Fraud and Abuse Act of 1986 (CFAA) has been interpreted broadly enough that unauthorized access to almost any computer is seen as illegal.
Another issue with hacking back is collateral damage. Cybercriminals will often use the computer of an unwitting third party to conduct attacks, sometimes gathering these compromised computers into large botnets that are used to launch attacks and distribute spam and malware. Identifying the true source of an attack is difficult and to hack back into a computer owned by a third party presents serious liability concerns. A 1994 amendment to the CFAA now permits claims pursuing civil damages.
Legality aside, a simple ethical code that lists values such as "do no harm," "respect employees, contractors and vendors" and "follow the law" would also be violated by the activities and outcomes involved in hacking back.
The decision to hack an adversary has a number of risk considerations, including:
- Financial Loss
Organizations need to answer several questions -- Does hacking back offer any financial incentives? Will hacking an adversary prevent the loss or allow recovery of information assets and intellectual property? Will hacking an adversary prevent damage to computers and networks? How much will hacking back save? What does it cost to hack back?
- Reputation and Customer Confidence
There is the possibility that an organization's reputation would be impacted if its hacking back activities attract interest by the press and law enforcement. What if hacking back resulted in damage to a third party? This could lead to a negative reaction by customers, with possible revenue implications.
- Civil and Criminal penalties
What are the potential penalties that may result from hacking back? A cybercriminal may not be likely to sue, but what about the organization that was forced offline and lost business as a result of your hacking back?
With respect to criminal prosecution, the U.S. government has aggressively pursued violations of the CFAA, although not for hacking back.
The productivity and business losses from a denial of service attack could be severe. Is hacking back a realistic response strategy to a denial-of-service attack? Could hacking back reduce the damage and speed recovery from a malicious security incident?
What if, after an attempt to hack back, the attacker decides to conduct additional attacks solely for the purpose of damaging your information systems and damage your ability to conduct business? What would a complete denial of service mean to your business?
What if your hacking back activity causes damage to a third party? What if that third party decides to pursue damages in civil court?
What hacking back is not
Hacking back is not an alternative to cybersecurity best practices. It is not a way to sidestep the responsibility to protect information assets through conventional means. Deciding to hack back is a last ditch strategy after all other alternatives have failed. Hacking back should only be considered, if at all, after an organization has already implemented world-class cybersecurity plans, policies and procedures and has operational experience with them. With the various legal and ethical problems that may exist, organizations should ponder if hacking back really is a reasonable and viable cybersecurity protection strategy.
About the author:
Peter Sullivan began his career in network operations, information security, incident response and risk management over 20 years ago with the U.S. Army. For the last twelve years, Sullivan has been a visiting scientist at the Software Engineering Institute, Carnegie Mellon University, where he teaches courses in risk management, information security and assurance, computer security incident response and digital forensics. He is also a partner with InfoSecure Solutions LLC, a consultancy specializing in IT risk management and incident response planning based in Massachusetts.
Find out where active cyberdefense is moving toward in the future.
Read about the risks of hacking back and cybervigilantism.
Learn how to develop an incident response policy.