Play Nice! Another reason hacking back is probably a bad idea

The topic has been kicked around so much that there are now government commissions issuing reports and senators are chiming in. Private industry and corporations alike are talking about “hack-back.” It’s no secret I believe that “hack-back” is a bad idea, for many reasons. The conversation on Twitter yielded little favor for “hack-back” in my circle of friends/followers, as Wireheadlance questioned the long-term benefits, and Tadd Axon even had trouble with any provable short-term benefits.


The short version is this: I believe that if you look at the enterprise space, “hack-back” is applicable as more than just a fancy, neat idea to about 0.05 percent of organizations. There are a few reasons for this, including resources, attribution, and others I outline in an article I published last week.


As I was thinking about how best to explain why “hack-back” is a bad idea to the executives I talk to, an analogy from my childhood came to mind. As a kid I went to one of those average schools in suburbia. Kids followed the playground rule of “If you hit me, I’ll hit you back until someone wins.” The problem with this approach is that it almost always ended with either the recess bell calling us back from the playground or, more likely, a teacher breaking up a massive brawl.


You see, when someone hits you and the only way you perceive to stop them is to hit back, you have to make sure you are in a position where your hit-back will be the end of the incident. In the primary school where I went this was rarely the case. I bet you’re thinking that Information Security professionals and enterprises don’t behave like primary schoolers — right? If that’s the case you’ve clearly not been around the industry long!


Anyway, when Kid A smacks another, Kid B hits back, and then they start beating on each other; a tap can quickly escalate to punches, and the brawl starts to pull in friends, bystanders and other kids who had no interest in engaging in a fight. What started out as one quiet kid getting lightly picked on by a bigger kid can quickly escalate into a big-time brawl. I witnessed this, and even had the displeasure of being at the center of this type of thing in primary school many times, so I can tell you it’s a fact.


So now let’s move onto how “hack-back” is different in the enterprise than on a primary school playground. There are clear differences, but I don’t think they are great enough to make one case inapplicable to the other.


First off, in cyberspace attribution is a little harder. On the playground you can see the person who hit you … well, almost always. Sometimes you’re turned around, standing in line waiting to get into school, and from behind you somewhere someone flicks the back of your ear. It hurts. So you turn around to hit back except that you have no idea who hit you. None of the other kids want to get hit, so they won’t easily give up the person who did the flicking. You’re left deducing the antagonist on your own, and odds are good you’re going to retaliate against the wrong person. It happens all the time!


Now in cyberspace we can track IP addresses and TTPs from specific threat actors, which smart analysts and researchers tell us is a viable way to perform attribution. I agree with them, largely, but there’s a fault there. An IP address belonging to China SQL injecting your enterprise applications is hardly a smoking gun that Chinese APTs are after you. Attackers have been using others’ modus operandi to mask their identities for as long as spy games have been played. Attackers have been known to use compromised machines and proxies in hostile countries for as long as I can remember caring — to “bounce through” to attack you. Heck, many of the attacks that appear to be originating from nation-states that we suspect are hacking us may very well be coming from a hacker at the coffee house next door to your office, using multiple proxies to mask their true origin. This is just good OpSec, and attackers use this method all the time; let’s not kid ourselves.


The next big problem you have if you’re turning around to retaliate after your ear has just been set afire by a strong flick from behind is the size and strength of the kid who hit you. What if you’re an average-sized kid and the person that just hit you is a big bully? You hit him or her back and then what? A punch to the face, or an atomic wedgie, that’s what. Now you’ve incurred the wrath of the bully, whereas the flick was just a playful thing without intent to really hurt. This is how things escalate. In the enterprise it’s the same thing. If your forensics tell you that you’re being attacked from a specific origin, going and attacking them back may actually make things much worse.


Let’s say you find an attacker originating from within the Russian Federation IP space. You locate, identify and strike back at the system being used to attack you — completely disabling it. Now maybe that system is no big deal, or maybe you’ve now taken down a critical Russian government server and caused a diplomatic incident. I know this is an extreme case, but the point is no less valid.


Remember folks, the saying “an eye for an eye” leaves the whole world blind. The idea of “hack-back” is best left to 007 and his army of hacker-geeks, because in real life unless you’re part of that .05 percent, you’re likely to make things worse for yourself. Maybe this is just one of those things enterprises leave up to the professionals if they find themselves in dire straits with no other options.


All that being said, “Active Defense” as some have described it is both achievable and does not appear to violate any international law. But more on that in a future post.

Brascount(anon) | 06-03-2013 10:13 PM


My Orlando Doctrine response. I think you make some good points, but it's time to recognize that there is real risk associated with this brawl. Is there a risk of significant loss or death?

Screamingbyte(anon) | 06-03-2013 10:21 PM

I have made this discussion before and I continue to insist that defense does not include offense. You made the primary point that the target is often obfuscated beyond reasonable ability to resolve.

I would like to actually take this one step further. Some might consider what I'm about to write to be alarmist, but misinformation can be a very powerful tool and some attackers will undoubtedly be aware of such tactics and use them to their advantage.

For example, Company A is partnered with Company B and they have interconnected IT processes that are critical. In a bad situation turned worse, an attacker could impersonate IP and packets to trigger IDPS response, effectively shutting down those links. Of course, I know this is highly simplified and under-evaluated, but it does illustrate the point that attackers often know, or learn, the response protocols of an organization and any information they get can be used against the company.

To sum it up, I think that hack-back would lead to situations in which organizations target the wrong device, and let's be honest here, it's not the device that is doing the attack, but a person. Even if an organization does get the target right, it is likely a disposable system that wasn't even owned by the attacker anyway. So, as I see it, the very policy and implementation of any hack-back activity, cyber-laws notwithstanding, will actually create a new vector of attack. Why would anyone create new vectors for the sake of risk prevention? It's an oxymoron.
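The scenario in the comment above (a forged source address tricking an automated IDPS response into cutting a critical partner link) is a well-known failure mode of automated blocking, and the mitigation is to make the response gate harder to weaponize than the rule it reacts to. The following is an added illustration, not code from the post or from any commenter; it shows a naive "block whatever the alert names" policy beside a hardened one that refuses to auto-block partner address space and only blocks on evidence that cannot be spoofed (a completed TCP handshake). The partner ranges, alert records and the `handshake_completed` field are constructed for this example.

```python
"""Automated IDPS response gate: naive policy vs hardened policy.

Added example, not from the original post or its commenters. All IP ranges
(RFC 5737 documentation space), alert records and the `handshake_completed`
field are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

# Hypothetical critical partner ranges: links the business cannot afford to lose.
PARTNER_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Alert:
    src_ip: str
    signature: str
    # True only when the sensor saw a completed TCP three-way handshake from
    # src_ip. A forged source address cannot complete the handshake, so this
    # is the evidence that separates a real connection from a spoofed packet.
    handshake_completed: bool


def naive_policy(alert: Alert) -> str:
    """Weak rule: block the source of any alert.

    Because the source address of a stateless packet is attacker-controlled,
    this rule lets an outsider choose which addresses get blocked.
    """
    return "block"


def hardened_policy(alert: Alert) -> str:
    """Block only on non-spoofable evidence; never auto-block partner space."""
    src = ip_address(alert.src_ip)
    if any(src in net for net in PARTNER_RANGES):
        # A partner address in an alert means either a compromised partner or
        # a spoof; either way, severing the link is a human decision.
        return "escalate"
    if not alert.handshake_completed:
        # SYN floods and forged UDP prove nothing about the true sender;
        # rate-limit the address rather than blocking it outright.
        return "rate_limit"
    return "block"


def apply(policy: Callable[[Alert], str], alerts: List[Alert]) -> Dict[str, str]:
    """Run a policy over a batch of alerts and map each source to its decision."""
    return {a.src_ip: policy(a) for a in alerts}


# Constructed alerts: a forged packet claiming to come from the partner, a
# real scanner that completed a handshake, and a stateless flood.
SAMPLE_ALERTS = [
    Alert("203.0.113.10", "ET SCAN Nmap", handshake_completed=False),  # spoofed partner
    Alert("192.0.2.77", "ET SCAN Nmap", handshake_completed=True),     # real scanner
    Alert("192.0.2.88", "SYN flood", handshake_completed=False),       # stateless flood
]

if __name__ == "__main__":
    print("naive:   ", apply(naive_policy, SAMPLE_ALERTS))
    print("hardened:", apply(hardened_policy, SAMPLE_ALERTS))
```

Under the naive policy the forged packet gets the partner's address blocked, which is exactly the self-inflicted outage the comment describes; under the hardened policy that alert is escalated to an analyst, the genuine scanner is blocked, and the flood is rate-limited. The general principle is that any automated response must be keyed to evidence an outsider cannot forge, and must carry an explicit "never auto-block" list for the dependencies whose loss would hurt more than the attack.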

Jume James(anon) | 06-04-2013 10:29 PM
Great read; I don't support hack back, it could start a cyber war cos no attacker will use real IP.
MichaelHyatt_(anon) | 06-06-2013 10:52 AM

There is generally a very good, practical basis for societal norms and what we call 'ethics'. If vigilante justice worked, communities would use vigilante justice to provide security for the population. If just breaking things and hurting people because we suspect they have wronged us was a viable method for ensuring peace and security, it would be standard operating procedure.


However, it has been discovered time and again that we have to be very careful about who we empower to defend our security and protect our rights. A free-for-all just leaves the most powerful holding all the cards, and that isn't going to make people happy. We don't even let law enforcement kick down doors, or, as an analogy to hack-back, destroy the car of a suspected bank robber.


We need to have a legal framework for offensive intervention, with rules and judges and some guarantees and checks and balances to prevent the whole thing from spiraling out of control into some kind of digital Somalia.

The opinions expressed above are the personal opinions of the authors, not of HP.