Want to cripple your attackers R&D arm? Look for them on your network...
Want to cripple your attackers R&D arm? Look for them on your network...

As I explained in a previous post, hacking back can not only constitute a crime, but it rarely does any significant damage to the somewhat advanced attacker, given the disposable, tactical nature of the attacker's assets that are typically targeted and exposed during a hack-back operation. 

Inflicting significant damage to a cyber attack organization is to target the non-scalable, strategic assets of the R&D arm of the group. To do that, organizations don't really need to go after the attacker. Think about it, the attacker's R&D assets are essentially exposed by the attacker to its victims, as part of the attack. In order to expose the attacker's set of capabilities and mode of operation (TTP = Tools, Techniques and Procedures), organizations need to develop deep, focused visibility into their own compromised environment.

In my experience, the thing hacking organizations are most sensitive to, is exposure of their tool set and techniques. This is a result of the fact that these tools are developed in cycles, just like any other software product, and cycles take time. A new tool, say a local privilege escalation tool, requires research, prototyping, prototype testing, development, QA etc. which can take between weeks to months per every tool in the attacker's toolbelt. This creates an operational limitation that is common to every cyber attacker, even the larger, more sophisticated ones - There is always a limited supply of attack tools, and permanent exposure of a tool will lead the attacker to potentially lose strategic assets. Small number of repeated exposures can wear down an attacker's tool set, to a point they may have to discontinue operations that leverage these exposed tools, forcing them to stand down, and take a few weeks or months to reorganize, before they come back.

Let's not make a mistake, in many targeted threat actor cases, the attacker will come back eventually. The value of the target usually outweighs the value of lost tool sets and operations, but the above approach may buy the targeted organization significant breathing time between attacks, to improve and better prepare. In some cases, repeated exposures may set the threat actor so far back in their operational capabilities, that they may actually go out of business, losing their edge over other hacking groups, that compete on the same market niche.

Once an accurate, comprehensive, detection and analysis of a threat actor's generic TTPs (Tools, Techniques and Practices) has been done, based on the tools and operational procedures used by it in the compromised network (i.e. The set of techniques used by the attacker to escalate privileges, to persist, and to laterally move etc.). The most damaging response, from the attacker's perspective, would be for the victim to expose those TTPs, either publicly, or to a private consortium of relevant target organizations. This will not only set back the hacking operation in your organization, but if you share that TTP information the threat actor will have little choice but to discontinue the exposed line of products.

Traditionally, organizations were concerned about exposing the information they had about threat actors, but that was mostly based on the concern that an attacker becoming aware of an exposed IoC (Indicator of Compromise) will quickly act to change its IoCs, leading organizations to lose track of it. That is the case, however, for “Static IoCs”, i.e. attacker IP addresses, domain names, file hashes, registry key names etc. The concern with sharing these is justified, since these are generated by the operations arm of the attacker, and can easily be changed, while continuing to use the same essential attack tools and techniques. Exposing a more general TTP, however, is a very different story. A TTP describes a broader, more generic, technique or mode of operation, and changing that required the threat actor's R&D to come up with a new attack tool, or a new type of exploit, which takes significant time. Hence, the overall damage an exposure will inflict on the threat actor really outweighs the risk of losing sight of the attacker's operation.

Doing this right will require specialized technology and for the security team to adopt a new MINDSET. The security community has coined the phrase ‘threat hunting' to describe this process. Conceptually, threat hunting harkens back to the military, certainly in Israel and the US. it's an activity that is based on the premise that it is impossible to prevent a skilled and tenacious attacker from penetrating their target network. Therefore, any enterprise looking to improve its cyber defence posture and ability to deter attackers needs to consider adopting ‘threat hunting' capabilities. These require security analysts to look for abnormal behavioral patterns – what I call “Behavioral Indicators of Compromise (IoCs)”.  Behavioral IoCs will stem out of things such as rare privilege escalation patterns, abnormal lateral movement or software persistence techniques. In many cases, where there's smoke, there's fire.

Let's take privilege escalation as an example – regardless of how it's done, a threat hunter can be looking for is a process execution tree that starts with a low privilege user and ends with a high privilege user.  When dealing with anomalies on your network, you have more visibility and control over the situation, and more options about how to handle it.

In order to raise the security bar we have to shift the culture to accept the fact that breaches are a fact of life, not an operational failure. Learn how to spot them and shut them down. It really is that simple.  Modern attackers are bringing their R&D intellectual property to your doorstep. If you want to send your attacker a message, don't  “hack back” - keep the fight on your network.