I Am Befuddled By Hackback / Strikeback!

I’ve been meaning to write this literally for years. But now all this hoopla around “Active Cyber Defense Certainty Act” [PDF] (aka “the Hackback Law”) has triggered me into action.

While we can all make fun of it (yo ho, AC/DC is now law!), this is not about how difficult, funny, ethically-questionable, etc it may be. This is about how USEFUL it can be - or not.

Perhaps my imagination is weak today, but I am having trouble envisioning the scenarios where any hack-back actually delivers value to the non-government defender. Frankly, all the scenarios I envision are kinda idiotic:

  • They steal your data, and then you hack them, find the only copy they have and delete it (because hackers never back up and can never hack you again?)
  • They send you malware, you find them and send them … 1] the same malware 2] different malware 3] fake malware just to scare them?
  • 1] They DDoS you, you DDoS them. 2] ???? 3] Profit!
  • They hack you and get your corporate secrets, then you hack them and …. steal theirs? dox them? format their machines? All sound very iffy….
  • They hack you and plant a logic bomb (BTW, I cringe when I write this!) on your ICS systems, you hack them and actually destroy their ICS electrical systems, thinking if they don’t have electricity they cannot hack. Sadly, they decide to nuke you :-( since they liked their electricity. Boom!
  • Perhaps, they hack you - you hack them, and install a beacon on their laptop/phone. When the device beacons from a country where your government can arrest them, you call dispatch_fbi_team(location) API and they get arrested within minutes?

So, help me out. Ethics and attribution challenges aside, what are the cases where “hacking back” will be:

  • actually useful to the enterprise, and
  • more useful than the alternatives (get a better firewall, hire threat hunters, etc)

Otherwise, I feel the inherent asymmetry of “cyberspace” attack and defense kicks in and derails my thinking :-)

Discuss!

Note: originally posted here at my Gartner blog.


A couple of things: hacking back is being done today, and yesterday and tomorrow. Even if the law is not on the side of the person hacking back, it is still being done and will be done in the future, no stopping them. It is still the unspoken playground rule, the "Someone punches you, you punch back" mentality. I think there is a major skillset gap in this area and warning show last "Don't try this at home, these are the professionals". But if you are a professional, experienced, and want to own the liability, I am all for giving you the ability to act. If you really want to strike back, and you are awesome with attribution, just send them the book below. Make the Point made :) and Checkmate. Or you then get a book back: "The Art of War" :)


Its genesis is indeed a moribund mindset! Well, you said it all, Anton. Can't agree more.

"The supreme art of war is to subdue the enemy without fighting." ...


Organizations are barely managing their arsenal of detection tools and in most cases don't even get to investigate most of the threats they see. Unless you're government you would probably be better off focusing on understanding all the alerts you have before chasing anybody else in his home court...

It's effective for rapid asset recovery / destruction of the stolen copy before dissemination/ use

