So the other day I tweeted a thing from Slate that systematically breaks down so-called “hack back”; they call it the “worst idea in cybersecurity” and say they are “thunderstruck by how terrible [an idea] it is.”  Go check it out if you haven’t seen it.  I’ve commented about why hack back is dumb in this blog.  I won’t rehash it yet again since a) I’ve been saying that for years (and, despite rumors to the contrary, I do get tired of repeating myself) and b) it seems like Slate, the Register and now Bruce Schneier are carrying this torch pretty effectively.

However, I will point out something going on that I think makes sense to pay attention to.  Specifically: hack back, as a thing, actually makes it harder to do the stuff that is genuinely valuable when it comes to active defense.  By this, I mean that it simultaneously makes security as a discipline worse while providing little to no value.  Let me spell out why so that you too can get angry about it and spend the morning fuming about the inanities of security policy-making.  You’re welcome.

First things first: what do I mean by “active defense”?  By this, I’m referring to three things in particular:

  • Beaconing artifacts – e.g. documents or other content that advertise their position when opened or loaded.  Using this, you can gain information about when, where, and (in some cases) who is opening or running them.
  • Honeypots – setting up stuff that you control that is designed to attract attackers.
  • Client hooks – using a tool like BeEF specifically for the purposes of attribution (e.g. through beaconing).
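To make the first bullet concrete, here is an added example (not code from the original post) of the defender-side half of a beaconing artifact: correlating hits on a per-document beacon URL back to the decoy that was planted. It assumes each decoy document embeds a unique URL of the form https://beacon.example.org/b/<token>.png, that the web server hosting it writes Combined Log Format lines, and that the defender keeps a registry of token to artifact; the hostname, tokens, paths and log lines are all constructed for the example.

```python
"""Correlate beacon hits in a web server log with planted decoy documents.

Added example, not from the original post. Assumes the defender embedded a
per-document URL such as https://beacon.example.org/b/<token>.png in each
decoy and that the server writes Combined Log Format lines. All hostnames,
tokens, paths and log lines below are constructed.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Hypothetical registry: beacon token -> where the decoy document was planted.
BEACON_REGISTRY: Dict[str, str] = {
    "k3jd92ax": "finance-share/Q3-forecast.docx",
    "p0q1mzr7": "hr-share/salaries-2017.xlsx",
}

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Only requests to the beacon path carry a token we care about.
BEACON_PATH_RE = re.compile(r"^/b/(?P<token>[A-Za-z0-9]+)\.png$")

# Constructed sample log: two real beacon hits, one unrelated request,
# one probe with a token we never issued, and a second hit on the same decoy
# from a different address later on.
SAMPLE_LOG: List[str] = [
    '203.0.113.5 - - [10/Oct/2017:13:45:02 +0000] "GET /b/k3jd92ax.png HTTP/1.1" 200 68 "-" "Microsoft Office Word 2013"',
    '198.51.100.7 - - [10/Oct/2017:13:47:19 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2017:13:48:00 +0000] "GET /b/zzzz9999.png HTTP/1.1" 404 0 "-" "curl/7.55"',
    '192.0.2.44 - - [10/Oct/2017:14:02:11 +0000] "GET /b/p0q1mzr7.png HTTP/1.1" 200 68 "-" "Mozilla/5.0 (Windows NT 10.0) Excel"',
    '198.51.100.7 - - [11/Oct/2017:08:15:40 +0000] "GET /b/k3jd92ax.png HTTP/1.1" 200 68 "-" "LibreOffice/5.4"',
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one Combined Log Format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def beacon_hits(lines: List[str], registry: Dict[str, str] = BEACON_REGISTRY) -> List[dict]:
    """Return one record per request that hit a token we actually issued."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pm = BEACON_PATH_RE.match(rec["path"])
        if pm is None:
            continue
        token = pm.group("token")
        artifact = registry.get(token)
        if artifact is None:
            continue  # token not in our registry: a scan or typo, not a decoy opening
        hits.append({
            "token": token,
            "artifact": artifact,
            "opened_at": rec["ts"],
            "source_ip": rec["ip"],
            "user_agent": rec["ua"],
        })
    return hits


def summarize(hits: List[dict]) -> Dict[str, dict]:
    """Group hits per artifact: first time it was opened and every source address seen."""
    summary: Dict[str, dict] = {}
    for h in hits:
        entry = summary.setdefault(h["artifact"], {"first_seen": h["opened_at"], "sources": set()})
        entry["first_seen"] = min(entry["first_seen"], h["opened_at"])
        entry["sources"].add(h["source_ip"])
    return summary


if __name__ == "__main__":
    for artifact, info in summarize(beacon_hits(SAMPLE_LOG)).items():
        print(f"{artifact}: first opened {info['first_seen'].isoformat()} from {sorted(info['sources'])}")
```

The output of this is exactly the “when, where, and (in some cases) who” the bullet describes, and nothing more: a timestamp, a source address and a user agent that can be handed to law enforcement. The source address is evidence about where the decoy was opened, which may well be a VPN exit or a compromised third party, so it is an input to attribution, not a target.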

Yes, there are other techniques.  But these are the ones that seem to work best and that I’d most like to not be messed with.  Now, it could be argued that all of those things are advanced by the ACDC act (the foolishness currently spurring this round of hack-back discussion in the industry).  Maybe they are.  However, as I argued a few weeks back, it seems to me like these things are legal already.  If that’s true, does this law actually add anything to an organization’s ability to do them?  Not really.  However, equating them to “hack back” has two ramifications: 1) it isn’t accurate, and 2) it makes it more likely that, should people clue up to why other “hack back” techniques are dumb and disallow them, these would get thrown out with the proverbial bathwater.

First, let’s be honest about it: it is clear that in the industry there isn’t a clear understanding of the difference between “active defense” and “hack back”.  Examples of “hack back” are legion but could include stuff like: “landing and expanding” at the origination point (i.e. IP address) of someone attacking you, establishing a C&C channel via a malicious document, DoS’ing an attacker based on origination point, etc.  The problem with all of these is that you’re much more likely to hit some relatively innocent chump who just happens to be a cat’s-paw for your real adversary.

To me, active defense is like Aikido.  It’s using the attacker’s energy against them to accomplish some purpose.  In this case, that purpose is attribution and facilitation of law enforcement.  Hack back, on the other hand, is like someone pushing you in a crowd — in response, you take a swing at the person standing behind you.  Sure, sometimes the person you punch happens to be the one who shoved you… if so, you righteously punching them in the face is both deserved and justified.  But it’s also possible (arguably, it’s likely) that the person who pushed you did so accidentally… or maybe they were pushed by someone else and hit you because Newton… or maybe they just straight up didn’t do it.  So you punching them?  In my day we called that “being an asshole.”

So what’s my point?  My point is that if we continue to push the narrative that hack back is OK, what is the likely response going to be once its stupidity becomes plain for everyone to see?  I’d argue that it could very well lead to blowback that makes active defense harder to do.  Point being, we don’t need this law anyway… and, if we continue to actively pursue it, it could very well undermine our ability to do legitimate countermeasures in the form of active defense.  So, pretty please with sugar on it, let this one pass by.