Throughout history, acts of revenge, retaliation, retribution and reciprocation have been used to deter further deeds by a perceived wrongdoer. Michael McCullough, a professor of psychology at the University of Miami, told Jennifer Breheny Wallace, in her Washington Post article Why getting even may make you feel worse in the long run, that there is another reason for revenge: “Acts of revenge also act as an insurance policy against future harm by others, a warning signal that you’re someone who will not tolerate mistreatment.”
None of us wants to be seen as an easy target, but is retaliation a good idea?
In the tech realm, some victims of cyberattacks want to enact revenge by hacking their hackers, a.k.a. the hack back.
What is hack back?
Jen Ellis, in her Rapid7 article Hack Back Is Still Wack, offers one of the better definitions of hack back: “When we say ‘hack back,’ we’re referring to non-government organizations taking intrusive action against cyberattackers on technical assets or systems not owned or leased by the person taking action or their client. This is generally illegal in countries that have anti-hacking laws.”
The term hack back is showing up in the political arena as well as tech media. Some U.S. politicians are trying to pass legislation that will allow private-sector organizations to hack back. A recent bill was introduced by U.S. Senators Steve Daines (R-Montana) and Sheldon Whitehouse (D-Rhode Island). The proposal’s introduction: “To require the Secretary of Homeland Security to study the potential consequences and benefits of amending the Computer Fraud and Abuse Act to allow private companies to take proportional actions in response to an unlawful network breach.”
The proposal also says the legislation would be subject to oversight and regulation by a designated federal agency.
Why we want revenge
There is an allure to hacking back. “Often cybercriminals have no fear of reprisal or prosecution due to the existence of safe-haven nations that either can’t or won’t crack down on their activities,” Ellis said. “The scales feel firmly stacked in the favor of the cybercriminals, and it’s understandable that organizations want to shift that balance and give attackers reason to think again before targeting them.”
Paul Zimski, VP of product at Automox, in his Help Net Security article Why companies should never hack back and in a recent email conversation, agreed with Ellis that hacking back is an understandable response. “It’s human nature to want justice when you’ve been wronged,” Zimski said. “The mere act of thinking about revenge triggers a response in our (brain’s) reward centers.”
The dangers of hacking back
Zimski cautioned that launching cyberattacks against cybercriminals carries enormous risk. “From inadvertently targeting innocent bystanders’ devices to escalating a cyber conflict, a lot can go wrong,” he said, “and attribution is very difficult to accomplish, especially when it comes to advanced or highly-sophisticated adversaries.”
According to Zimski, even organizations with significant resources will find it difficult or even impossible to attribute cybercrime activities successfully and accurately. Zimski added, “Attempting to hack back an adversary could have geopolitical implications that go beyond the scope of the individual business and increase the possibility of false-flag operations.”
Furthermore, these attacks will be purely retaliatory, meaning:
- The chances of getting data back are slim, so there’s little to be gained
- Open retaliation will only normalize and rationalize activity by bad actors, leading to escalation
Examples of hacking back ending badly
Hack back attempts are not often publicized, because there is a great deal of risk in doing so. That said, Zimski offered the following two examples.
- Blue Security: A now-defunct company that made technology to fight against spammers but ultimately yielded to overwhelming cyberattacks and pressure.
- Shawn Carpenter: A famous case that involved cyber espionage against foreign actors. Carpenter tracked down a Chinese hacker group called Titan Rain that was stealing sensitive military and science data. Carpenter alerted the U.S. Army and FBI against orders from his company and was later fired for doing so.
What companies should do instead of hacking back
Rather than go on the offensive, Zimski suggested organizations improve their defensive capabilities. “Investing in a proactive cyber defense is a far better use of an organization’s critical IT and security operations resources,” he said.
Besides investing in a proactive cyber defense, improving cyber hygiene through patch and configuration processes is the most effective way to reduce risk and exposure to attackers, and it must be done quickly. “Cybercriminals can exploit vulnerabilities in just seven days, so organizations must be actively looking and remediating these vulnerabilities,” Zimski said. “Adopting a 24/72 threshold can be a good way to maintain urgency, which means fixing zero-day vulnerabilities within 24 hours and critical vulnerabilities in 72 hours.”
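One way to operationalize the 24/72 threshold Zimski describes, as an added example that is not from the article or from Automox: a small Python tracker that computes each finding's remediation deadline and reports whether it was met, breached, is still open, or is overdue. The record fields, identifiers and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Zimski's 24/72 threshold: zero-days within 24 hours, critical vulnerabilities within 72 hours.
SLA_HOURS = {"zero-day": 24, "critical": 72}

@dataclass
class Vuln:
    vuln_id: str                        # placeholder identifier, constructed for this example
    severity: str                       # "zero-day" or "critical"; other severities are out of scope here
    disclosed: datetime                 # when the clock starts (advisory publication or detection time)
    patched: Optional[datetime] = None  # None while remediation is still open

def deadline(v: Vuln) -> datetime:
    """Remediation deadline under the 24/72 threshold."""
    return v.disclosed + timedelta(hours=SLA_HOURS[v.severity])

def sla_status(v: Vuln, now: datetime) -> str:
    """Classify a finding as 'met', 'breached' (patched late), 'open' or 'overdue'."""
    due = deadline(v)
    if v.patched is not None:
        return "met" if v.patched <= due else "breached"
    return "open" if now <= due else "overdue"

def hours_remaining(v: Vuln, now: datetime) -> float:
    """Hours left before the deadline; negative once the deadline has passed."""
    return (deadline(v) - now).total_seconds() / 3600

def report(vulns, now: datetime) -> dict:
    """Map each finding's id to its SLA status at time `now`."""
    return {v.vuln_id: sla_status(v, now) for v in vulns}

# Constructed sample data; identifiers and timestamps are invented for illustration.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(hours=48)  # the point in time at which the report is generated
SAMPLE = [
    Vuln("ZD-0001", "zero-day", T0, patched=T0 + timedelta(hours=20)),  # patched inside 24h
    Vuln("ZD-0002", "zero-day", T0, patched=T0 + timedelta(hours=30)),  # patched, but too late
    Vuln("CR-0001", "critical", T0),                                    # 24h of the 72h window left
    Vuln("CR-0002", "critical", T0 - timedelta(hours=80)),              # unpatched and past its deadline
]

if __name__ == "__main__":
    for vid, status in report(SAMPLE, NOW).items():
        print(vid, status)
```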
Ever the realist, Zimski said he believes the conversation regarding hack backs should focus on what outcomes they provide for victim organizations. That conversation should look at the pitfalls around attribution and the possible collateral damage that could occur from hacking back. Then ask yourself, Zimski said, “Does it empirically accomplish anything for a victimized organization, or does it just scratch an evolutionary itch?”