Vulnerability Management

Hacking Back

Close your eyes for a moment and whisper the term “hack back.” Doesn’t it conjure up familiar rough-hewn heroes played by the likes of Charles Bronson and Kris Kristofferson who roamed the silver screen with some regularity in the 1970s, tracking down bad guys and meting out justice when authorities either could not or fell short? Or possibly, the Die Hard series’s John McClane, played with roguish bravado by Bruce Willis, who takes matters into his own hands when terrorists takeover the Nakatomi Tower during a company Christmas Party (Hit me up on social media to debate whether Die Hard is actually a Christmas movie).

But in reality (and ideally), hacking back is likely something much more mundane and less violent than the vigilante justice of roving Bronson-esque gangs – we’re talking people in business casual attire tracing threats and tracking hackers through corporate systems at banks, healthcare organizations and other private enterprises to assist the government – but just as impactful and effective to stopping miscreants in their tracks. And, some contend, it’s fraught with as many challenges as benefits.

Circadence Vice President and
Security Evangelist Keenan Skelly.

“It is very important to define ‘hack back’ in this instance. For example, the difference between identifying and defeating a beacon and shutting down a botnet could have dramatic second and third order affects not intended,” says Circadence Vice President of Global Partnerships and Security Evangelist Keenan Skelly, who sat on the Active Defense task force assembled by the Center for Cyber & Homeland Security at The George Washington University (GWU). “The term ‘active defense’ has become the preferred phrase or term of art to describe a wide variety of proactive cybersecurity measures that lie between traditional offense and defense.”

While Mounir Hahad, head of the Juniper Threat Labs at Juniper Networks, calls hacking back “a must-have tool in the government’s arsenal,” he is adamant that it is illegal for private entities to do on their own “and should not be pursued” – in the same way enterprises shouldn’t launch kinetic attacks against their enemies.

“There is little difference in my mind between conventional warfare and cyber warfare – governments must have defensive and offensive capabilities,” says Hahad. “Private enterprises, on the other hand, must do what they can to protect themselves and the public, but should not engage in offensive action.”

Cybereason Chief Security Officer
(CSO) Samuel Curry.

Grappling with hacking back is still in the early days, says Cybereason Chief Security Officer (CSO) Samuel Curry, and he’s detecting a shift in perspective and momentum, driven by a number of forces.

“There is a cycle to this. The consensus has been that hack-back is bad and should be avoided, and now that’s being re-examined,” he says. “The technology is changing fast, and the players are changing and politics too. This is something that should be in the public eye, debated, decided and a new ‘status quo’ should be established.”

Private, public allies

The appeal of hacking back has grown more recently in part as cyberattacks have grown more frequent, insidious and damaging. The Active Defense report cites estimates of the cost of cyberattacks against private business at between 0.64 percent and 0.9 percent of the United States’ gross domestic product. “If those estimates are accurate, cyberattacks did between $120 [billion] and $167 billion dollars of damage to the U.S. economy in 2015” alone, the report says.

Acknowledging the importance of public-private collaboration in combatting cyberattacks, and pointing to Google’s response to Operation Aurora a decade ago in which Chinese hackers leveraged a previously unknown vulnerability in Internet Explorer to compromise systems at Google, Adobe and more than 39 other large companies, Skelly believes active defense “can be a good idea” and in the future will “become a standard practice with private and government partners working together to accomplish.”

Organizations like Google and large telecom providers, “which have global reach and access, offer unique opportunities to stop major cyberattacks before they become a global problem,” Skelly says. “This is a great example of active defense benefiting far beyond just the companies’ assets and interests.”

She explains “the benefits, as demonstrated by the Google response or by the Dridex Botnet Takedown are shutting down malicious activities before they have critical global consequences.”

Private sector organizations operate “on the front lines of cyber conflict,” but have very few options for responding to them – and most of those options are “outdated and constrained,” according to an October 16 report, “Into the Gray Zone The Private Sector and Active Defense Against Cyber Threats,” from the Active Defense task force.

“The status quo is reactive in nature and advantages the attacker,” the report’s writers contended. “The time has come for the private sector, working together with governments, to flip the equation and enhance its ability to counter such cyberthreats.”

Government and private industry, too, are natural allies, bringing different but complementary talents, skills and capabilities to the table. The government has the overarching authority to address and respond to threats to the nation as well as the diplomatic reach, law enforcement apparatus and capability to distribute information on threats and attacks. Private enterprises, particularly security and tech companies, bring deep knowledge of cyberthreats, historical and current forensics, and an investment in strong security assets and technical know-how. It is no secret that government, understanding its own budgetary and technical limitations, has sought to foster collaborative relationships with cybersecurity companies.

“Public-private collaboration is very important for information-sharing,” says James Ellis, cyber section commander, Michigan Cyber Command Center (MC3), Computer Crime Unit, Michigan State Police.

Private and public entities already regularly work together to bring down cybercriminals. In 2015, for example, the Dridex botnet – also known as Bugat and Cridex – was been significantly disrupted as part of a global operation, and a 30-year-old Moldovan man was charged in the Western District of Pennsylvania with being an administrator.

Dridex malware is best known for stealing banking and other credentials. The FBI disrupted the botnet and made the arrest with help from the U.K.’s National Crime and Agency, Europol’s EC3, the Dell SecureWorks Counter Threat Unit, several other organizations and security vendors.

More recently, with a heavy assist from private-sector cybersecurity and tech organizations, the FBI dismantled a highly complex fraud network responsible for generating billions upon billions of fake online ad placements.

In conjunction with the takedown, the U.S. Department of Justice in November announced a 13-count indictment filed against eight individuals, each a resident of either Russia, Ukraine or Kazakhstan. Charges include wire fraud, money laundering conspiracy, aggravated identity theft, and conspiracy to commit computer intrusions.

Collectively known as 3ve (pronounced “Eve”), the cybercriminal operation had fraudulently earned at least $36 million in ad view revenues since 2014, largely with the help of global botnets composed of machines infected with either Kovter or Boaxxe/Miuref malware. At its peak, 3ve was responsible for three billion daily ad bid requests and 700,000 active botnet infections, says a report from Google and White Ops, the founding two members of a cyber coalition that secretly investigated 3ve and shared its findings with U.S. law enforcement.

Who did what

One of the biggest challenges of any cyberattack is attribution. “It is often incredibly difficult today to attribute a well-executed cyberattack to a specific threat actor,” says Hahad. Therefore, hacking back often means having greater faith in circumstantial evidence.”

That’s where the private sector – and in particular cybersecurity firms - can play a defining role. With troves of data on threats and attacks, they can serve up details to support government efforts to identify and ensnare the bad guys. For example, companies like APT hunting group Intrusion Truth and Crowdstrike, assisted in identifying the perpetrators behind the recent SamSam ransomware attacks, identifying  APT10 as the group thought to be behind a long list of attacks including the targeting the U.S. Navy, NASA and various Japanese companies, and operating the Cloud Hopper campaign. APT10 is also tentatively linked to the massive Office of Personnel Management breach in 2015. That assist led to December indictments against two Chinese nationals.

After the Operation Aurora attacks in 2009, Google’s internal security probe concluded that if hackers had been able to alter its source code, they could have “they could have built vulnerabilities directly into Google’s product plans,” the Active Defense task force report says. The company’s leadership determine it “had the resources to support a mission to operate outside of its network to track down the attackers,” which led to a Taiwan-based command and control server. Finding “the attacks were likely being controlled from China and that Google was among a group of at least 30 other targeted companies,” the tech firm, ignoring potential legal and reputational risks, “took the unprecedented step of sharing its findings with law enforcement, the intelligence community, the companies involved, and even the public.”

The government strikes back

Hacking back remains controversial, with some believing such actions could do more harm than good, upping the possibility of collateral damage, according to Israel Barak, CISO at Cybereason.

Hacking back, then, experts say, should be left to governments with an assist from the private sector.

It’s “a good idea under the rule of law, under specific circumstances when exercised by sovereign states,” says Curry. “This is true for other forms of violence, as well, such as the use of marines or air strikes.”

Among the benefits would be “tools that extend political and diplomatic options among sovereign nations, as we would use the military,” said Curry, underscoring that “we don’t need private armies or abuse of violence by public officials acting in gray zones or on their own initiative.’

Hacking back’s real value is answering and fending off nation-state attacks, not those masterminded by cybercriminals. It’s “often meaningless when we’re talking about cybercrime because the assets associated with a cybergang are ephemeral,” says Hahad. “It really only makes sense when nation-states are involved as they have a nation of people and infrastructure to defend.”

He considers hacking back an effective “way of sending a signal to the adversary that the United States will not stand by and let cyberattacks go unpunished,” noting that “when attacked by the use of cyberweapons, using any other form of military retaliation has not yet been tested on the world stage.”

There’s a fear that the private sector, emboldened with new authority to hack back, could easily devolve into vigilantes administering cowboy justice against their foes in the name of the United States.

“Without proper policies and oversight, and also an agreement internationally on Cyberspace Norms, then there will be actors who use Active Defense for more nefarious activities,” says Skelly.  

And that’s a sticking point. Legislation, rules and policies aren’t yet firmly in place.

“You don’t have to look far these days to see appalling examples of how technologically naïve many of our elected officials can be,” says Willy Leichter, vice president at Virsec. “From the people who asked how Facebook makes money and demanded that Google fix their iPhones, now we have a dangerous feel-good proposal that will not work and will almost certainly make securing the Internet more difficult.”

The Active Cyber Defense Certainty Act introduced late in 2017 initially showed promise and seemed to be a step forward.

If passed, the bill would alter the Computer Fraud and Abuse Act (CFAA) of 1986 and would allow those victimized by a cyberattack to take certain countermeasures. These would include leaving the network to establish who attacked them, disrupting cyberattacks without damaging others’ computers, retrieving and destroying stolen files, monitoring the behavior of an attacker and utilizing beaconing technology.

In its early days it quickly attracted bipartisan support. “This group of lawmakers – Republicans and Democrats – is committed to ending the status quo and moving cybersecurity solutions forward. I want to thank each of them for joining this effort to give the American people new tools to defend themselves online,” Rep. Tom Graves, R-Ga., one of the lawmakers who originally introduced the bill, said in a statement at the time.

But, like much of the cybersecurity legislation mulled by Congress, it has languished.

“The current version of the legislation is still falling short in defining the details which constitute terms for Active Defense.  For example, it specifically calls out ‘persistent’ activity against a ‘computer,” says Skelly. “This is difficult to get behind when the terms ‘persistent’ and ‘computer’ aren’t readily defined themselves.  Is a persistent threat one that lasts exactly three months? Is a persistent threat one that has caused substantive damage? If yes, how much damage?”

In this case, she says, “the devil is definitely in the details.  Until they are made more clear, I do not think the legislation will pass.”

Hahad also doesn’t think Congress will pass a “law allowing individuals and/or private entities to hack back potential attackers” nor does it think it is a good idea. “There are too many unsettled issues of attribution, liability and, plainly, justice to make this a viable option,” he says.

And too much potential for abuse. “The Active Cyber Defense Certainty Act does outline specific use cases for Active Defense; however, it is not uncommon for industry to push the boundaries when consequences aren’t clearly outlined,” says Skelly. “Unfortunately, due to the depth and breadth of cybersecurity threats, it is difficult to encapsulate a strict set of guidelines via policy.”

The issue extends far beyond the Beltway to the international community. “We need rules of engagement and official processes, by country, for how and when we will engage in hacking conflict,” says Curry. This is a new military domain, but so far there’s no Geneva Convention, no prohibition on vigilantism and no norms in international law for how to conduct cyber conflict.”

Curry favors “a Geneva Convention extension or equivalent,” noting that “we need a public dialog on this.”

Pointing out that “we don’t allow triangular bayonets or use of chemical weapons,” he asks “should we allow DDoS in time of war against critical infrastructure? If so, is that an act of war or not? Is it prohibited against the Red Cross or hospitals and so on?”

When asked what might be verboten in a hack back, Skelly says “any action that will have dangerous second and third order effects (potentially kinetic),” but notes, this is where things get tricky.

“If you are going to take down a server that you suspect is a persistent threat to you, do you know everything that server is doing?” says Skelly. “Is it also controlling the electricity at a nuclear power plant or water treatment facility in another country?  This is where it is truly gray space and should require far more detailed legislation than what is currently being presented.”

And Curry contends it’s “not a good idea when hack back creates chaos with vigilantism and massive damage to innocent parties in the name of cowboy justice.”

Hahad worries a hack back response could be heavy-handed. “Any hacking back action should be commensurate to the scope of the aggressor’s attack,” he says. “But, it is common amongst decision-makers today to opt for a strong deterrence than just a punishment commensurate with the crime.”

All of this, Curry says, “needs discussion and debate domestically and internationally.”

In the meantime, “who has their finger on the cyber button, how they use it and whom they may have to find with the new poor-man’s nuke is still largely undefined and in shades of gray,” says Curry.

“We have hacking laws and hacking, whether hack-back or not, is illegal most places; but guidelines explicitly on this and among nations is needed. Now.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.