Hack back doesn’t need to be a dirty word. According to security startup Cymmetria, organizations and individuals can employ a number of attack tools to disrupt attacker operations, as long as the security teams stay within their own network. There is no need to go after attacker infrastructure on foreign servers when the attackers set shop right in the organization’s infrastructure.
“I can’t attack the attacker where he lives, but I don’t have to. I can stop him while he is in my network,” said Gadi Evron, founder and CEO of Cymmetria.
Cymmetria has added “legal hack back” tools to its deception technology platform MazeHunter and published a framework that security professionals can use to discuss with their legal teams the what types of actions and tools can be performed. Security teams can perform actions such as delivering a payload, wiping data, and setting up a beacon to see what attackers are doing next.
Hack back is a controversial topic among security professionals, because so much can go wrong and the massive collateral damage that can result. Going after attacker infrastructure isn’t as straightforward as grabbing IP addresses and domain names; attackers regularly commandeer machines belonging to other individuals and launch attacks without the owners’ knowledge.
It’s an open secret that some companies already hack back. However, hacking back can impact these innocent users more than the attackers themselves. Attribution is extremely hard, and there is no room for getting it wrong in a hack back scenario. Even if the security team gets it right, hacking back can escalate the situation, with attackers responding with more advanced payloads.
Hack back as incident response
Evron said there is a middle ground between not going after the attackers and what the industry calls hack back, and that middle ground has to do with where the security defenders engage with the attackers. Most hack back operations involve security teams tracking down the attack servers and wiping data originally stolen from their servers, probing the attack infrastructure for weaknesses to exploit, disabling the systems controlling malware, looking for information about the attackers to use in attribution, and launching distributed denial-of-service attacks to slow down criminal operations.
Cymmmetria’s MazeHunter will let security teams perform any of these actions, but the activities are restricted to systems within the organization’s the attackers had compromised as part of their operations. There is less chance of collateral damage, since the incident responders know without a doubt that a machine, which belongs to the organization, is being used in the attack. “Hacking back is actually incident response,” Evron said. “It’s not hacking if I am in my network and on my computer. I am closing the hole the attacker used.”
Call it hack back, active defense, or incident response, the fact remains that organizations are looking for ways to contain the damage after a breach without running afoul of the law. Legal hack back via MazeHunter is more than traditional incident response because the organization can run a payload on the infected machine to engage with the attacker even before the forensics part of the investigation is complete, Evron said.
Joe Stewart, a security researcher with Cymmetria, said MazeHunter automates incident response. Traditional incident response involves finding the compromised machine, taking it offline or creating an image of the machine, and then performing forensics on the machine. “By then, the attacker is gone and you’ve lost the opportunity to stop the attacker,” Stewart said. MazeHunter speeds up response, “to get on the machine quickly, get the payload before they delete it.”
The idea for legal hack back came after two Cymmetria customers, a major financial services firm and telecommunications firm, asked the company about how they could target the attackers who had compromised machines in their networks. The customers wanted to be more proactive and disrupt operations before the attackers could cause any more damage, Evron said.
Understanding the law
The restriction on hacking back isn’t on the tools or the actual techniques. Defenders and attackers use the same tools, such as nmap to map the network, Metasploit to find vulnerable systems, or PowerShell to execute code. It’s fine for the security team to defend the network by monitoring traffic patterns and encrypting data but not okay for attackers to perform those same activities. The challenge is knowing where it is permitted to perform those activities, and where it isn’t, and that is why organizations interested in legal hack back need to look at the framework.
“The framework is critical because it clarifies and categorizes what organizations can or cannot do,” said Jim Christy, Cymmetria’s vice president of investigations and digital forensics, and former U.S. government computer forensics expert. “It’s not immediately obvious.”
There are legal and policy limitations on what security teams can do when investigating a security incident and containing the damage. When it comes to properly determining what kind of actions are allowed, organizations can’t just look at domestic laws. They have to consider international treaties, state and local regulations, contracts with third-party suppliers, and their own corporate policies. The legal framework gives security teams a starting point to discuss with the legal team what kind of techniques and tools would be legitimate under the organization’s legal and policy constraints, along with its risk profile.
“The framework gives security teams suggestions for legal teams to create the appropriate boundaries,” Evron said. “We are moving from ‘No way!’ to well, some activities are allowed. The framework lets you find out what [laws] applies to you.”
Having these discussions with the legal team at the onset is critical because hacking back is illegal in the United States under the Computer Fraud and Abuse Act (CFAA) and other countries have similar laws on the books.
Okay under CFAA?
Cymmetria’s legal hack back approach doesn’t run afoul of the CFAA forbidding purposely accessing a computer without proper authorization because the organization — by definition — is authorized to do what it wants with a machine on its network. Just because the attacker has compromised it doesn’t mean the organization no longer owns that machine. As part of incident response, the security team can interact with the attacker on that machine, feed phony data, deliver their own payload, or access the attack tools on the machine to thwart other attacks.
The security team can’t jump from this machine to another machine it is connecting to if that machine is on the attacker’s network. It can, however, block traffic going to that machine by launching its own payload, encrypting the data before it can be transferred to that machine, or any number of other activities.
If the attacker spun up a new virtual machine or another instance while moving laterally through the organization’s infrastructure, that system would still be considered to belong to the organization. This is where the framework is useful, because it also looks at third-party contracts and corporate policies to help identify which systems are in scope and which systems cannot be touched.
Not the hack back you know
Cymmetria’s legal hack back announcement comes at an interesting time, as a recently introduced bill in the US House of Representatives proposes amending the CFAA to allow organizations and individuals to make limited retaliatory attacks after a breach or compromise. If passed, the Active Cyber Defense Certainty Act (ACDC) would allow defenders to venture outside their networks to access the attacker servers, delete the stolen data, bombard their servers to interrupt the attack, or deploy “beaconing technology” to identify the attacker’s physical location. ACDC is severely limited, as it restricts hacking back to computers only on American soil, which means attackers using overseas systems to launch their attacks don’t have to worry.
"The certainty the bill provides will empower individuals and companies use new defenses against cybercriminals,” said Rep. Tom Graves (R-GA), the bill’s co-sponsor. “I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders.”
It’s not just US lawmakers considering letting organizations go after attackers in limited retaliatory attacks. German intelligence officials recently asked German lawmakers for the authority to hack back in the event of a nation-state attack. They requested authority to take actions such as infecting foreign servers with spying software to monitor other operations against German servers or to collect information about the attackers, and destroying data found on foreign servers which had originally been stolen from German servers. The intelligence officials emphasized that these activities aren’t intended to destroy foreign servers, but to prevent attackers from using the stolen data.
“In the real world, it would be like turning a foreign intelligence agent and getting them to work for us. Something like this should be possible in the cyber world too,” Hans-Georg Maassen, head of the BfV domestic intelligence agency, told the parliamentary oversight committee earlier this month.
Hacking back wins the “prize for the worst cybersecurity policy idea that just won’t die,” Josephine Wolff, an assistant professor of public policy and computing security at Rochester Institute of Technology and a faculty associate at the Harvard Berkman Center for Internet and Society, recently wrote in Slate. Even though everyone condemns the practice, the idea persists, because it is extremely attractive from the victim organization’s perspective to try to delete the stolen data before it can be used by the attackers. Hacking back may help investigators with attribution, to find the identities of the attackers, or at least where they are operating.
It’s unlikely that the government would ever legalize hack back, especially when law enforcement agencies agree that the potential of misfired attacks by self-appointed vigilantes outweigh the supposed benefits. However, for organizations interested in beefing up their incident response activities to be more proactive, exploring Cymmetria’s framework is a good step to understanding how to engage attackers without crossing into retaliation or retribution.
More on hack back: