{"id":631,"date":"2017-10-23T14:49:35","date_gmt":"2017-10-23T14:49:35","guid":{"rendered":"https:\/\/securitycurve.com\/?p=631"},"modified":"2017-10-23T14:49:35","modified_gmt":"2017-10-23T14:49:35","slug":"hack-back-is-not-active-defense","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=631","title":{"rendered":"Hack-back is NOT active defense"},"content":{"rendered":"<p>So the other day I tweeted a thing from Slate that <a href=\"http:\/\/www.slate.com\/articles\/technology\/future_tense\/2017\/10\/hacking_back_the_worst_idea_in_cybersecurity_rises_again.html\">systematically breaks down so-called &#8220;hack back&#8221;<\/a>; they call it the &#8220;worst idea in cybersecurity&#8221; and say they are &#8220;thunderstruck by how terrible [an idea] it is.&#8221;\u00a0 Go check it out if you haven&#8217;t seen it.\u00a0 I&#8217;ve <a href=\"https:\/\/securitycurve.com\/hacback-so-dumb\/\">commented about why hack back is dumb<\/a> in this blog.\u00a0 I won&#8217;t rehash it yet again since a) I&#8217;ve been saying that for years (and, despite rumors to the contrary, do get tired of repeating myself) and b) it seems like Slate, the Register and now Bruce Schneier are carrying this torch pretty effectively.<\/p>\n<p>However, I will point out something going on that I think makes sense to pay attention to.\u00a0 Specifically: hack back, as a thing, actually makes it harder to do the stuff that is genuinely valuable when it comes to active defense.\u00a0 By this, I mean that it simultaneously makes security as a discipline worse while providing little 
to no value. Let me spell out why so that you too can get angry about it and spend the morning fuming about the inanities of security policy-making.\u00a0 You&#8217;re welcome.<\/p>\n<p>First things first: what do I mean by &#8220;active defense&#8221;?\u00a0 By this, I&#8217;m referring primarily to three things:<\/p>\n<ul>\n<li><strong>Beaconing<\/strong> artifacts &#8211; e.g. documents or other content that advertise their position when opened or loaded.\u00a0 Using this, you can gain information about when, where, and (in some cases) who is opening or running them<\/li>\n<li><strong>Honeypots<\/strong> &#8211; setting up stuff that you control, designed to attract attackers<\/li>\n<li><strong>Client hooks<\/strong> &#8211; using a tool like <a href=\"https:\/\/beefproject.com\/\">BeEF<\/a> specifically for the purposes of attribution (e.g. through beaconing)<\/li>\n<\/ul>\n<p>Yes, there are other techniques.\u00a0 But these are the ones that seem to work best and that I&#8217;d most like not to be messed with.\u00a0 Now, it could be argued that all of those things are forwarded by the ACDC act (the foolishness currently spurring this round of hack-back discussion in the industry).\u00a0 Maybe they are.\u00a0 However, as I argued a few weeks back, it seems to me like these things are legal already.\u00a0 If that&#8217;s true, does this law actually add anything to an organization&#8217;s ability to do these things?\u00a0 Not really. 
However, equating them to &#8220;hack back&#8221; has two ramifications: 1) it isn&#8217;t accurate and 2) it makes it more likely that, should people clue up to why other &#8220;hack back&#8221; techniques are dumb and disallow them, these would get thrown out with the proverbial bathwater.<\/p>\n<p>First, let&#8217;s be honest about it: it is clear that in the industry there isn&#8217;t a really clear understanding of the differentiation between &#8220;active defense&#8221; and &#8220;hack back&#8221;.\u00a0 Examples of &#8220;hack back&#8221; are legion but could include stuff like: &#8220;landing and expanding&#8221; at the origination point (i.e. IP address) of someone attacking you, establishing a C&amp;C channel via a malicious document, DoS&#8217;ing an attacker based on origination point, etc.\u00a0 The problem with all of these is that you&#8217;re much more likely to target some relatively innocent chump who just happens to be a cat&#8217;s-paw for your real adversary.<\/p>\n<p>To me, active defense is like Aikido.\u00a0 It&#8217;s using the attacker&#8217;s energy against them to accomplish some purpose.\u00a0 In this case, that purpose is attribution and facilitation of law enforcement.\u00a0 Hack back, on the other hand, is like someone pushing you in a crowd &#8212; in response, you take a swing at the person standing behind you.\u00a0 Sure, sometimes the person you punch happens to be the one who shoved you&#8230;\u00a0 if so, you righteously punching them in the face is both deserved and justified.\u00a0 But it&#8217;s also possible (arguably, it&#8217;s likely) that the person who pushed you did so accidentally&#8230; or maybe they were pushed by someone else and hit you because Newton&#8230; or maybe they just straight up didn&#8217;t do it.\u00a0 So you punching them?\u00a0 In my day we called that &#8220;being an asshole.&#8221;<\/p>\n<p>So what&#8217;s my point?\u00a0 My point is that if we continue to push the narrative that hack back is OK, 
what&#8217;s the likely response to be as the ripeness of its stupidity comes to fruition?\u00a0 I&#8217;d argue that it could very well lead to blowback that makes active defense harder to do.\u00a0 Point being, we don&#8217;t need this law anyway&#8230; and, if we continue to actively pursue it, it could very well undermine our ability to do legitimate countermeasures in the form of active defense.\u00a0 So, pretty please with sugar on it, let this one pass by.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So the other day I tweeted a thing from Slate that systematically breaks down so-called &#8220;hack back&#8221;; they call it the &#8220;worst idea in cybersecurity&#8221; and say they are &#8220;thunderstruck by how terrible [an idea] it is.&#8221;\u00a0 Go check it out if you haven&#8217;t seen it.\u00a0\u00a0I&#8217;ve commented about why hack back is dumb\u00a0in this blog.\u00a0 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[7,61],"class_list":["post-631","post","type-post","status-publish","format-standard","hentry","category-security","tag-active-defense","tag-hack-back"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/631","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=631"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/6
31\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=631"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=631"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=631"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}