The concept of “hack/strike back”, under any of its names, is decades old. Every year or three it surfaces again and makes news. Almost every time, it is a result of a new company claiming they do it to some degree. This extends to the related idea of “active defense”, which is equally absurd. Not only because it is used as a cop-out fallback when a company is challenged on notion of “hack back”, because the term is misleading at best.
The entire debate over “strike back” can be put to an end with one sentence; a simple realization that anyone in the industry should have realized. After this thought, I will expand on it just in case there are equivocations on terminology or the ideas behind this.
Ending the Debate In One Easy Line
If a company can’t do defense correctly, why do you think they can do offense right?
That simple, that logical. Sure, some of these companies may claim no one can defend against 0-day and so-called APTs. On the surface that sounds valid, but responding to that by attacking others with your own 0-day, presumably in the same manner and methodology as the adversary you scapegoat, does not make sense.
More importantly, while hacking into a system is generally considered easy by knowledgeable attackers, the issue of attribution is far from it. Entire debates can be had on the merit of attribution, and they have been. Ultimately, the argument that attribution can happen fails if carried out far enough.
- If you can easily and positively attribute, they shouldn’t have breached your defenses. You have no business attacking them when you were negligent on defense 101.
- If you think you can positively attribute, you cannot, you are out of your element.
- Even if you can miraculously attribute the human at the keyboard, regardless of how many hops back, you cannot positively attribute who hired them to hack you.
- If you attribute the person, and not the motive, by hacking back, you violated the law just as they did.
All of this makes strike back seriously problematic at best. Ultimately, the concept of “strike back” is a cop out. The attacked can lash out at whoever they thought attacked, with no burden of proof. Last I checked, we as a society like the concept of “burden of proof”. Or apparently, at least when it suits us.
The Misleading “Active Defense”
The concept of “active defense” is equally old. Back in the day it simply meant that if you were attacked from an IP address, you or a device would perform a certain level of active reconnaissance. First, note that recon is not ‘defense’. By port scanning, pinging, or tracerouting the remote system that attacked you, it does not help you defend your network. It is the first stage of an active response. Strictly based on the terminology of “active defense”, activity such as changing a configuration or creating real-time decoys to increase the cost of attack. Even today’s news, covering an entire talk on the legal risks of “active defense”, does not even define the term.
Anyone in the world of “active defense” should know this. If not, they are not qualified for the position they are in, or they are intentionally riding the wave of fear, uncertainty, and doubt (FUD) spearheaded by the by media, following the lead of those very same individuals. The last year of news on the topic leads me to believe these companies are using the blurry line of “active defense” to suggest they do more, which in turn sells their services.
Dull old concepts are still dull; resist the urge to buy into the bullshit.