Mitigating the effects of a cyberattack is an enormous challenge for businesses. But what if you could ‘hack back’ and destroy stolen information before it hits the dark web. Would you do it?
It’s been said that the best defense is a good offense. Surely, the same should apply to cyber defense too? Falling victim to a cyberattack is always going to be bad news, but what if you could prevent the effects of a breach before they even manifest? Imagine being able to ‘hack back’ by probing an attacker’s computer to destroy stolen data before it has a chance to end up on the illegal dark web marketplaces. It’s something that government organizations are doing all the time. Law enforcement agencies like the FBI in the US, for example, have the authority to hunt down suspected hackers in this way.
The rise of cyberwarfare
Nation-states have perpetrated some of the biggest cyberattacks of all time. One of the most infamous examples is the WannaCry ransomware attack, alleged to be the work of North Korea. UK officials blamed the global NotPetya malware campaign on the Russian military, while Russia recently claimed to have thwarted cyberattacks against its critical infrastructure by the US. The list goes on.
Many countries consider cyber-warfare a core part of their military strategy. Today, the digital world is the fifth theatre of war – after land, sea, air and space.
It’s easy to assume that nation-state attackers are only interested in going after big targets, namely government organizations of rival states. But, as attacks like WannaCry perfectly illustrate, any business or individual can be targeted, even if only via collateral damage.
Amidst growing concerns of cybersecurity breaches targeting corporations, there’s now growing momentum to give victims a way to fight back actively. It’s the concept of ‘hacking back,’ part of the broader active cyber defense (ACD) methodology. But what are the implications, and why do they matter?
Hacking back has cybersecurity experts worried
Currently, almost all jurisdictions make it illegal for a private entity to access computers that don’t belong to them, regardless of the scenario. But there have been attempts, particularly in the US congress, to make some exceptions to help protect victims of cyberattacks by allowing them to probe attacker’s computers to stop attacks in progress, identify threat actors and destroy the stolen information.
It’s a debate that’s been raging for years. Organizations, many of whom have fallen victim to cyberattacks themselves, have been clamoring to be legally allowed to engage in some form of proactive cyber self-defense. In 2017 in the US, growing pressure spawned a legislative proposal known as the Active Cyber Defense Certainty (ACDC) act. Although the bill has yet to enter into US law, it would make it legal, under certain circumstances, for organizations to go outside the boundaries of their networks to target attackers and send them packing on the highway to hell.
Sounds great, doesn’t it? Unfortunately, many cybersecurity experts aren’t so sure. The proposed legislation has opened up a proverbial can of worms and has been hailed by many cybersecurity professionals as the worst idea ever in cybersecurity.
While giving companies greater freedom to defend themselves sounds like a great idea, there’s a very legitimate fear that allowing them to ‘hack back’ would only make the situation worse. Taking a cue from competitive video gaming – this could lead to a free-for-all cybersecurity deathmatch.
The shortage of cybersecurity skills is a major concern, with around three-quarters of organizations claiming it negatively impacts their operations. It shouldn’t be hard to see why that presents a severe problem when it comes to tackling sophisticated cyberattacks by hacking back.
The ACDC act (the proposed legislation, not the popular Australian rock band) makes no mention of exactly what constitutes a qualified, legally sanctioned cyber defender. While a company like Google might have the necessary expertise, for smaller and less-equipped organizations, a lack of skills could lead to hacking back in an uncontrolled fashion. When that happens, the collateral damage could be catastrophic. It isn’t likely, for example, that the perpetrators specifically wanted to target the UK’s National Health Service with the WannaCry ransomware attack, but that didn’t stop it from falling victim to their dirty deeds.
Unfortunately, and especially without the right expertise, there’s no real protection when things go wrong. It’s notoriously easy to cause harm to networks belonging to innocent parties unintentionally. Even the US National Security Agency, who can hardly be described as newbies in cyber defense or hacking, had their EternalBlue exploit leaked by a hacker group who used it to carry out the WannaCry and NotPetya attacks.
The foremost concern experts have is that legally allowing companies to hack back sets a dangerous precedent (a highway to hell, if you like) in which private companies and individuals end up being dragged into the world of cyber-warfare too.
If the bill in the US, or a similar one in any other country, were to pass, it would ultimately encourage other nations to relax their anti-hacking laws. What we could end up with is a digital Wild West on a truly global scale.
What should companies do instead of hacking back?
While hacking back is the crux of the active cyber defense (ACD) debate, there are other things that organizations can do to defend themselves against cyberattacks proactively. It’s also true that the overwhelming majority of data breaches occur due to human error, with the most common being mismanaged access rights or a failure to update software. Thus, organizations should first work on bolstering their defenses by establishing tougher administrative, physical and technological controls.
At the same time, organizations, particularly large enterprises, which tend to be the target of highly sophisticated, often nation-state attacks, need real-time defense. Methods like real-time detection and mitigation are becoming increasingly important with the rise of zero-day exploits targeting critical networks.
One increasingly popular form of active cyber defense is the so-called ‘honeypot.’ Honeypots are digital decoys placed within a network to lure attackers away from what’s important. These decoys contain fake accounts and information that encourages hackers to continue. But, once the hacker infiltrates the honeypot, victims can collect information about them to help bolster the defenses of their critical systems. In other words, a honeypot defense can serve as a sandbox for testing the efficacy of existing cyber-defense systems, as well as profiling attackers.
Unfortunately, honeypots are a legal grey area at best as such methods could be considered entrapment. A similar method, which is legal in many jurisdictions, is to use beacons, which do much the same thing but don’t track the hacker’s behavior once they’ve left the system. Beacons are web links where company servers can collect information about intruders, such as IP addresses, which they can then add to their blacklists as likely threats. However, in the EU, at least, this method may also constitute a breach of GDPR due to its covert nature.
Another ACD strategy, and one that’s legal, is address-hopping. This is especially common among financial institutions, given the highly sensitive and sought-after nature of the information they hold. Address-hopping involves changing the IP address at random while data is transmitted. It’s similar to the age-old military strategy of regularly changing radio frequencies to keep ahead of enemy forces.
Establishing the standards in cybersecurity
Active cyber defense is an area where organizations need to tread carefully. Many forms of reconnaissance alone, such as beacons, can be construed as hack backs. Other strategies are outright illegal. But private entities still have every right to monitor and control activities in their networks and, in doing so, identify recurring attack patterns and learn more about their assailants. That’s far better (from a legal, ethical and technical standpoint) than breaking into suspected assailants’ networks to follow them around the web.