{"id":270,"date":"2017-06-05T17:49:56","date_gmt":"2017-06-05T17:49:56","guid":{"rendered":"http:\/\/securitycurve.com\/?p=270"},"modified":"2017-06-05T17:49:56","modified_gmt":"2017-06-05T17:49:56","slug":"hacback-so-dumb","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=270","title":{"rendered":"Hackback: Dumb yet apparently still a thing"},"content":{"rendered":"

\"\"<\/a>So the Active Cyber Defense Certainty Act<\/a> (the “ACDC” Act) is now apparently making the rounds. \u00a0The gist is that it would make it legal for someone to attack someone else provided two things are true: 1) that “someone else” is in the process of conducting a cyberattack against\u00a0you and 2) the attack is done for the purposes of “attribution” (i.e. for gathering information to give to law enforcement.)<\/p>\n

If you’re not familiar with this particular bit of legislation, there’s a great article on why it’s dumb over on Engadget<\/a> that’s worth a read — and another over on Forbes that explains why hackback doesn’t work anyway<\/a>. \u00a0All good reading, but what I find fascinating is why this particular debate continues to resurface. \u00a0Meaning, this argument has been going on for at least twenty years (that I can recall) and it continues to not go away,\u00a0despite the fact that it makes absolutely no sense logistically, technically, or practically. \u00a0 It’s\u00a0kind of thing that sounds good unless you’ve actually try doing it and then you realize that its applicable only in certain situations, that it really only applies to a few very specific activities (and then even arguably), and that in most cases what you’re likely to want to do is already arguably legal anyway.<\/p>\n

Before going into that though, let me first of all take a moment to separate out “Active Defense” from “Hack-Back”. \u00a0I’m not talking about active defense when I say “hack back is dumb”. \u00a0Active defense is just that – defending yourself actively; it can encompass a number of things from deception, to honeypots, to recon, to enhanced analysis, to intelligence-gathering, and even to manipulating attacker requests or providing certain manipulated output. \u00a0If you want to read an excellent paper on Active Defense – and get a flavor for why its useful in the process – check out the CCHS “Into the Gray Zone” paper<\/a>.\u00a0 Specifically, the section on Google’s response to Operation Aurora (starts on numbered page 14) really makes the point.<\/p>\n

But all that stuff that you do on your side of the fence (from a blue team point of view) in an “active defense” scenario isn’t really “hack back” – at least not in the way that many people who use that term mean it. \u00a0For example running Artillery<\/a>\u00a0or\u00a0OpenCanary<\/a>\u00a0is not hack-back. \u00a0Doing stuff to waste an intruder’s time (e.g. Spidertrap<\/a>, Portspoof<\/a>)? Irritating to the attacker I’m sure – but not “hack back”. \u00a0Heck, even\u00a0BeEF <\/a>hooks are (IMHO) not really “hack-back.” \u00a0While it’s a vehicle to gather information for law enforcement, it does so without any “hacking”, “backing” – or for that matter “whacking”, “smacking” or otherwise chopping that meat<\/a>\u00a0(see what I did there… because beef vs. BeEF… and Pete was a butcher… nevermind<\/em>).<\/p>\n

I’d argue that even what some people call “weaponized documents” aren’t really hack back the way that people typically mean it. \u00a0First of all, note that I take issue with the word “weaponized” in this context. \u00a0Do these documents have some functionality specifically built into them for the situation where they’re exfiltrated? \u00a0Yes. \u00a0Yes they do. \u00a0But weaponized implies that they’re somehow offensive in a way that I don’t think they really are. \u00a0Like if I have Lojack in my car or a mobile phone “find my device” feature – they can both alert law enforcement to criminal activity when it happens, right? \u00a0But does that mean my\u00a0car or phone has been “weaponized”? \u00a0No. \u00a0Because that’d be ridiculous, right?\u00a0 So let’s instead call them what they really are: “decoy documents that may or may not have call-home or other intelligence gathering or reconnaissance functionality”. Since I don’t want to write that every time, maybe “safe docs” for short? \u00a0 Sure, let’s go with that.<\/p>\n

So you’re maybe asking yourself why I say that “hack back” is dumb when I’m also in the same breath saying that active defense is\u00a0OK. \u00a0In my opinion, there are a few reasons 1) intent, 2) ability to opt out, and 3) tradecraft. \u00a0Let’s start with the third one because it’s easiest. \u00a0First,\u00a0consider\u00a0the tiny question of how exactly you’d conduct an “attack” (hack back – again, not active defense) for the non-destructive, attribution-only attack referenced by the ACDC Act? \u00a0I mean, specifically how would you – as a practical matter – exercise your ‘1337 |-|4x0r-ing sk1llz to ‘hack back’ over a network? \u00a0You pretty much can’t, right? \u00a0Consider, for example, what the attack surface\u00a0is of the origination point for an attack in progress. \u00a0When an attacker is coming at you, they have a number of potential targets to select from (i.e. the external footprint of your environment) – what exactly do you have available to attack them back? \u00a0One IP? \u00a0A specific origination port on what could be a router or proxy? \u00a0Some NAT’ed address that may or may not have a listening port on the other side of it? \u00a0Some poor schmo’s system that got owned on the attacker path to you? \u00a0Good luck. \u00a0So really, you’re limited in what you can do. \u00a0Yes, you can allow exfiltratration of some “safe docs” or other beaconing software. \u00a0Maybe that “beacon” is even a root shell. \u00a0But it’s a totally different attack surface and thereby a totally different methodology to subvert it.<\/p>\n

 <\/p>\n

Plus intent matters. \u00a0If your intent is not to break in to the other guy but instead to report a suspected intrusion to law enforcement, it’s not “hacking” but instead active defense. \u00a0Semantics? \u00a0Maybe. \u00a0But words matter.<\/p>\n

Lastly, keep in mind the fundamental different between an attacker and a victim: the ability to opt out. \u00a0Like, if I’m the victim, I don’t get the ability to opt out of someone haxoring me. \u00a0The BS comes to me whether I seek it or not. \u00a0Whereas, if I’m an attacker, there’s one foolproof way for me not to run afoul of someone else’s\u00a0active defense methods: which is to not attack them in the first place.<\/p>\n

The point? \u00a0If 1) my intent is not to pwn you but instead to report your foolishness to the po-po, 2) you get to opt out to prevent me from doing it (or better said you have to explicitly opt in so I do), and 3) I’m using defensive methods… how’s that “hacking”? \u00a0If 1) I intend to pwn you, 2) you don’t get a say in it, and 3) I’m using offensive methods then it’s just hacking and not “hack back”.<\/p>\n","protected":false},"excerpt":{"rendered":"

So the Active Cyber Defense Certainty Act (the “ACDC” Act) is now apparently making the rounds. \u00a0The gist is that it would make it legal for someone to attack someone else provided two things are true: 1) that “someone else” is in the process of conducting a cyberattack against\u00a0you and 2) the attack is done […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[61,90],"class_list":["post-270","post","type-post","status-publish","format-standard","hentry","category-security","tag-hack-back","tag-pewpew"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/270","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=270"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/270\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=270"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=270"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}