The concept of “hack/strike back”, under any of its names, is decades old. Every year or three it surfaces again and makes news. Almost every time, it is a result of a new company claiming they do it to some degree. This extends to the related idea of “active defense”, which is equally absurd. Not only because it is used as a cop-out fallback when a company is challenged on notion of “hack back”, because the term is misleading at best.
The entire debate over “strike back” can be put to an end with one sentence; a simple realization that anyone in the industry should have realized. After this thought, I will expand on it just in case there are equivocations on terminology or the ideas behind this.
Ending the Debate In One Easy Line
If a company can’t do defense correctly, why do you think they can do offense right?
That simple, that logical. Sure, some of these companies may claim no one can defend against 0-day and so-called APTs. On the surface that sounds valid, but responding to that by attacking others with your own 0-day, presumably in the same manner and methodology as the adversary you scapegoat, does not make sense.
More importantly, while hacking into a system is generally considered easy by knowledgeable attackers, the issue of attribution is far from it. Entire debates can be had on the merit of attribution, and they have been. Ultimately, the argument that attribution can happen fails if carried out far enough.
- If you can easily and positively attribute, they shouldn’t have breached your defenses. You have no business attacking them when you were negligent on defense 101.
- If you think you can positively attribute, you cannot, you are out of your element.
- Even if you can miraculously attribute the human at the keyboard, regardless of how many hops back, you cannot positively attribute who hired them to hack you.
- If you attribute the person, and not the motive, by hacking back, you violated the law just as they did.
All of this makes strike back seriously problematic at best. Ultimately, the concept of “strike back” is a cop out. The attacked can lash out at whoever they thought attacked, with no burden of proof. Last I checked, we as a society like the concept of “burden of proof”. Or apparently, at least when it suits us.
The Misleading “Active Defense”
The concept of “active defense” is equally old. Back in the day it simply meant that if you were attacked from an IP address, you or a device would perform a certain level of active reconnaissance. First, note that recon is not ‘defense’. By port scanning, pinging, or tracerouting the remote system that attacked you, it does not help you defend your network. It is the first stage of an active response. Strictly based on the terminology of “active defense”, activity such as changing a configuration or creating real-time decoys to increase the cost of attack. Even today’s news, covering an entire talk on the legal risks of “active defense”, does not even define the term.
Anyone in the world of “active defense” should know this. If not, they are not qualified for the position they are in, or they are intentionally riding the wave of fear, uncertainty, and doubt (FUD) spearheaded by the by media, following the lead of those very same individuals. The last year of news on the topic leads me to believe these companies are using the blurry line of “active defense” to suggest they do more, which in turn sells their services.
Dull old concepts are still dull; resist the urge to buy into the bullshit.
11 responses to “Putting an end to ‘strike back’ / ‘active defense’ debate…”
When and why did we entrust our economic and logistical data to this “ready, fire, aim” mindset?
It’s been baked into the system since long before we were born.
And, it’s not just us.
For that matter, what Jericho is describing here is very like http://www.ncbi.nlm.nih.gov/pubmed/2052671
Rick Holland (@rickhholland on Twitter) points to his recent article on the topic:
http://blogs.forrester.com/rick_holland/13-06-03-counter_strike
This was more or less the sentiment for my talk at SOURCE Boston this year. If you’re interested I’ll tweet the link when the video is finally avalable.
*available
Please do, or post it here.
Will do. Its genesis was a blog post I wrote back in November. Like most of my posts it is more or less a loosely organized stream of consciousness.
http://www.securityramblings.com/2012/11/hacking-back-is-bad-idea.html
Great summary of the issues, and amusing that you did so in response to Wilson, who wrote a crappy blog in response to mine.
I think a large part of the desire for “active defense” comes from our culture. I know I was raised with the mindset that if someone hits you, you’re supposed to hit back – if you just stand there and take it, you’re labeled “wimp”,”pussy”, or something equally emasculating. And regardless of the very good points raised above, at some level that conditioning still exists. I’ve successfully argued against implementing “active defense” a couple times, but I still get twinges of “maybe fire up pentoo just this once….”
Bottom line to my wee mind: the only time hacking back is a good idea is in a Hollywood script, and only if you can suspend disbelief enough.
This is a better argument against hack back than the other one: Don’t do it because it is wrong. However, it does not help us answer the question what to do about cyberattacks. I believe we are living a metaphor of wartime rather than peacetime where laws and norms are central. Your blog implies the answer is “defend better.” But the state of defense technology and products are so pathetic that most of us know they won’t ultimately suffice. Similarly, what passes for security professional education does almost nothing to prepare the annointed to defend against cyberattack. The New York Times paid Mandiant a lot of money to find out “who did” the bad thing to them which adds legitimacy to the notion of “hack back.” If I had fun hacking in school or the Army and just got a copy of Metasploit, why not acquire some “overbilled clients” and sell hack back? It would be no more unethical than selling todays other panaceas such as “next gen firewall.” Beyond this, we need to address our conflicted view of “hackers” (villains or heros) and maybe even our ongoing codependency with technology makers over the adoption and use of standards that are laughably insecure and insecurable.
I absolutely advocate “defend better”, but I also know that no company is 100% secure, and that a dedicated attacker with the right resources WILL get in at some point. I still don’t see that as justification to go arbitrarily hack back. I have also been very vocal on the attribution problem in the past year. You are absolutely right on security education these days. Most rely on shallow certifications that prove they have cereal box knowledge of a topic at best.