Hackback: Dumb yet apparently still a thing


So the Active Cyber Defense Certainty Act (the “ACDC” Act) is now apparently making the rounds.  The gist is that it would make it legal for someone to attack someone else provided two things are true: 1) that “someone else” is in the process of conducting a cyberattack against you and 2) the attack is done for the purposes of “attribution” (i.e. for gathering information to give to law enforcement.)

If you’re not familiar with this particular bit of legislation, there’s a great article on why it’s dumb over on Engadget that’s worth a read — and another over on Forbes that explains why hackback doesn’t work anyway.  All good reading, but what I find fascinating is why this particular debate continues to resurface.  Meaning, this argument has been going on for at least twenty years (that I can recall) and it continues to not go away, despite the fact that it makes absolutely no sense logistically, technically, or practically.  It’s the kind of thing that sounds good unless you’ve actually tried doing it, and then you realize that it’s applicable only in certain situations, that it really only applies to a few very specific activities (and then even arguably), and that in most cases what you’re likely to want to do is already arguably legal anyway.

Before going into that though, let me first of all take a moment to separate out “Active Defense” from “Hack-Back”.  I’m not talking about active defense when I say “hack back is dumb”.  Active defense is just that – defending yourself actively; it can encompass a number of things from deception, to honeypots, to recon, to enhanced analysis, to intelligence-gathering, and even to manipulating attacker requests or providing certain manipulated output.  If you want to read an excellent paper on Active Defense – and get a flavor for why it’s useful in the process – check out the CCHS “Into the Gray Zone” paper.  Specifically, the section on Google’s response to Operation Aurora (starts on numbered page 14) really makes the point.

But all that stuff that you do on your side of the fence (from a blue team point of view) in an “active defense” scenario isn’t really “hack back” – at least not in the way that many people who use that term mean it.  For example running Artillery or OpenCanary is not hack-back.  Doing stuff to waste an intruder’s time (e.g. Spidertrap, Portspoof)? Irritating to the attacker I’m sure – but not “hack back”.  Heck, even BeEF hooks are (IMHO) not really “hack-back.”  While it’s a vehicle to gather information for law enforcement, it does so without any “hacking”, “backing” – or for that matter “whacking”, “smacking” or otherwise chopping that meat (see what I did there… because beef vs. BeEF… and Pete was a butcher… nevermind).

I’d argue that even what some people call “weaponized documents” aren’t really hack back the way that people typically mean it.  First of all, note that I take issue with the word “weaponized” in this context.  Do these documents have some functionality specifically built into them for the situation where they’re exfiltrated?  Yes.  Yes they do.  But weaponized implies that they’re somehow offensive in a way that I don’t think they really are.  Like if I have Lojack in my car or a mobile phone “find my device” feature – they can both alert law enforcement to criminal activity when it happens, right?  But does that mean my car or phone has been “weaponized”?  No.  Because that’d be ridiculous, right?  So let’s instead call them what they really are: “decoy documents that may or may not have call-home or other intelligence gathering or reconnaissance functionality”. Since I don’t want to write that every time, maybe “safe docs” for short?   Sure, let’s go with that.

So you’re maybe asking yourself why I say that “hack back” is dumb when I’m also in the same breath saying that active defense is OK.  In my opinion, there are a few reasons: 1) intent, 2) ability to opt out, and 3) tradecraft.  Let’s start with the third one because it’s easiest.  First, consider the tiny question of how exactly you’d conduct an “attack” (hack back – again, not active defense) for the non-destructive, attribution-only attack referenced by the ACDC Act?  I mean, specifically how would you – as a practical matter – exercise your ‘1337 |-|4x0r-ing sk1llz to ‘hack back’ over a network?  You pretty much can’t, right?  Consider, for example, what the attack surface is of the origination point for an attack in progress.  When an attacker is coming at you, they have a number of potential targets to select from (i.e. the external footprint of your environment) – what exactly do you have available to attack them back?  One IP?  A specific origination port on what could be a router or proxy?  Some NAT’ed address that may or may not have a listening port on the other side of it?  Some poor schmo’s system that got owned on the attacker path to you?  Good luck.  So really, you’re limited in what you can do.  Yes, you can allow exfiltration of some “safe docs” or other beaconing software.  Maybe that “beacon” is even a root shell.  But it’s a totally different attack surface and thereby a totally different methodology to subvert it.

Plus intent matters.  If your intent is not to break in to the other guy but instead to report a suspected intrusion to law enforcement, it’s not “hacking” but instead active defense.  Semantics?  Maybe.  But words matter.

Lastly, keep in mind the fundamental difference between an attacker and a victim: the ability to opt out.  Like, if I’m the victim, I don’t get the ability to opt out of someone haxoring me.  The BS comes to me whether I seek it or not.  Whereas, if I’m an attacker, there’s one foolproof way for me not to run afoul of someone else’s active defense methods, which is to not attack them in the first place.

The point?  If 1) my intent is not to pwn you but instead to report your foolishness to the po-po, 2) you get to opt out to prevent me from doing it (or better said you have to explicitly opt in so I do), and 3) I’m using defensive methods… how’s that “hacking”?  If 1) I intend to pwn you, 2) you don’t get a say in it, and 3) I’m using offensive methods then it’s just hacking and not “hack back”.