As discussed in a previous post on incident response, there really isn’t any form of authority one can call in the event of a hack attack. So, if we live in a world where we are left to fend for ourselves in cases of cyber criminality, what are we to do?
One potential course of action to take, in the absence of authorities or first responders, while under attack is to hack back. However, even in this regard there are not sufficient laws to help people and organizations defend themselves. In fact, if anything, there are laws that could land those who hack back in trouble.
For example, cybercrime laws in the US have extensive provisions for what constitutes cybercrime. However, none have provisions that define exceptions to the rule for cases of self-defense. If an organization or individual were to attempt to stop such an attack by attacking the machine(s) where the attack originated, they may not be able to plead “self-defense.” In fact, their efforts may be categorized as an attack and they may face legal repercussions.
The issue of hacking back isn’t just one that has beleaguered technical people; it has even become a debate for lawyers. To hear the legal side of things, the Federalist Society has a recorded discussion between a group of lawyers on the legality of hacking back.
Problems with Hack Back
Legality aside, there are other issues that arise when considering hacking back. For one, attackers often don’t just attack from their own machines, but from botnets or zombie machines (i.e. machines belonging to other unsuspecting individuals and organizations that they have been able to virtually own). In a case like this, hacking back would really mean attacking and shutting down or damaging machines belonging to people who otherwise have nothing to do with the attack. This would really just make life miserable for the person or organization in the middle of it all, and make the person who thinks they are defending themselves somewhat of a bad guy.
But it’s Kind of Like the Real World…
Criminal laws in most countries have express clauses defining what constitutes self-defense and upholding the right of an individual to use force in order to defend his/her body and property. So let’s take an example.
Suppose some thieves arrive on a stolen bike to steal money from someone traveling in a car. If the individual in the car ends up damaging the bike while defending him or herself, the owner of the bike cannot file a complaint against the person in the car. Isn’t this similar to what happens in the online world when attackers hijack machines and use them to attack others? In the absence of any specific protection in the laws concerning cybercrime, shouldn’t provisions from the criminal laws come to the aid of beleaguered organizations so that, when under attack, they can attack back to control the damage?
It is strange that while laws don’t protect individuals and organizations, nations have already started using “hack back” as a strategy to strike back. Recently, stories came out about the United States attempting to hack back against China after numerous state-sponsored hacks originating from the Chinese. This could be interpreted in two ways: there is indeed a shadow cyberwar occurring, or it was a defensive technique.
So what can organizations do? In light of the confusion in the law and the fact that the business world is more globally connected, organizations need to focus on strengthening their own assets against attacks. Using a red team approach is a good way to evaluate preparedness to respond to any type of attack. The red team approach means allowing a team of crack, commando-style infosec analysts to attack the corporate IT assets in order to gauge how well those assets withstand the attacks and how effective the incident response process is. Preparedness and knowledge are traits that could better equip you to deal with hack attacks in the absence of a dedicated cyber-authority.