Attacking Hackers: The Next Security Frontier?

“It has been attack after attack after attack. My business has skyrocketed. I feel like I should send the Chinese a Christmas card saying thank you for a wonderful year.”

These are the words of North Dakota’s John Strand in a recent interview with the Financial Times. And no, Strand was neither being sarcastic nor outing himself as a cybercrime enthusiast. Strand is a cybersecurity expert — and in a landscape where it seems no sector is safe from the depredations of professional cybercriminals, he has been a busy man.

The short list of the big names hit in the last year and a half or so include: mega-retailers like Target and Home Depot, mega-banks like JPMorgan Chase, and mega-health insurers like Anthem. Even the White House saw its systems successfully infiltrated and President Obama’s unpublished schedule went out the virtual door and landed in the hands of hackers. And then there was the OPM hack which not only compromised the personal information of government employees, including CIA operatives, but also fingerprints.

In 2014, over half of all Americans reported their data being compromised in some form or another during a data breach. All in, the estimated global cost of cybercrime last year was $400 billion.

That’s not all. Cybercrime, by all accounts, is a growth industry. According to a study by PricewaterhouseCoopers, detected cyberattacks rose 48 percent in 2014 and so far in 2015, signs don’t show things slowing down.

Not surprisingly, all that illegal activity led to a spending binge on security, as businesses across verticals arm themselves against the coming hacker army. Gartner predicts that businesses will spend almost $80 billion improving and enhancing their security this year and over $100 billion by 2019.

Much of that money is spent on either repelling criminals at the door, or shutting them down in the event that they bust through. Tokenization, P2PE, cognitive mapping and biometric authentication are a handful of many, many defensive strategies in the mix in the market.

However, another way of attacking the cybercrime problem is emerging. Amusingly enough, this method literally attacks the cybercriminal by leveraging  offensive, as opposed to defensive, measures against it.

It is called “active defense” and the very grateful security consultant quoted at the beginning of the article is among its proponents.

The idea? Attack the hackers.

Here’s your quick guide to hacking back, who it helps, how it hurts and whether it will work.

What Is Active Defense? (AKA Attack the Hackers)

The simple premise behind active defense is that it seeks to actively engage hackers instead of merely repelling or detecting them.

There are three primary ways of doing this — the three As of active defense: annoy, attribute and attack.

Annoy

Annoying entails leading a hacker down a false path through a series of traps into a “safe” destination like a dummy server. Hackers hang out and hack in the decoy server — built to look like the real deal with files and programs — while security experts watch them and study their behavior.

That study and controlled access to their hackers leads nicely into the second type of active cybercrime defense: attribution.

Attribution

The premise behind this is using tools to trace the hack back to a specific location or individual via one of two primary methods. The first is the “honey badger” tool, which finds an attacker via satellite imagery, or beacons — which are inserted into files and are used to track when and where data is accessed outside the system.

Attack

The third method of active defense is attack, which is just what it sounds like. The security provider essentially “hacks back” to gain access to the criminal’s computer so that they may delete their data and reap the sweet fruits of their revenge. (Maniacal cackling while engaging with the cybercrook is optional.)

The first two legs of the stool — annoyance and attribution — are both considered above board and are rapidly emerging, and consultancies that specialize in both appear to be gaining a little steam in the marketplace.

Reverse hacks or attack-based methods, at best, are in a legally gray area and at worst are totally and completely illegal in the U.S.

The Controversy

Taking over another person (or business’s) computer without their permission through “hacking” is not legal, and currently the law has no “eye for an eye” and/or “but they did it first” exception codified into it.

Translation: hacking is illegal for everyone, including people who want to hack hackers, who still retain their legal rights not to be hacked.

And this is not a trivial concern, noted security expert James Lyne, global head of research for Sophos (a Web security specialist), who said that simply tracking hackers back to a computer and unleashing Armageddon on their systems might often ensnare innocent users who themselves have been the victims of cybercrime.

“No lawyer is going to authorize offensive techniques to be used against the Web server of Joe Bloggs, the flower seller whose computer just happens to be distributing some nasty malware,” said Lyne, according to FT.

And apart from collateral damage, most critics of attack hacking complain that it creates an untenable security situation in cyberspace.

“In the Wild West, it was common to fight your own battles because you were afraid of the sheriff. But at some point that is not a scalable way to preserve justice,” said David Cowan, an investor in security startups at Bessemer Venture Partners.

Proponents, on the other hand, note that placing strict restriction on attack-hacking as a tool are essentially asking legitimate businesses to fight cybercrime with one hand behind its back.

“The offensive side is never thinking about legality, but the defensive side has loads of lawyers saying, ‘You can’t do that, you can’t do that, you can’t do that,’” noted Brookings Institution senior fellow Ben Wittes in an interview with the FT. “In an environment in which you cannot reliably turn to government to protect you, the law should be relatively more permissive of reasonable steps you take to protect yourselves.”

Wittes further noted that because legal lines might be difficult to draw in this case, it might be maximally efficient to simply leave anti-hacking measures on the books with an informal agreement to turn a blind eye to violations by security firms that skirt the edges of the law by having offshore partners do their counterhacking from places that have more flexible laws about digital security.

“If we didn’t have the restrictive laws we have, I expect the banks would have been much more aggressively attacking the sources of their threats. I’ve seen situations where vendors [outside the U.S.] have, as a courtesy, attacked hackers on behalf of their [U.S.] clients without charging for it,” Bessemer’s Cowan noted.

So, Does It Work?

Active defense as a sub-category of cybersecurity is fairly new, which means there is relatively little data available out there as to how effective it actually is. This is particularly true of attack- hacking with its legally questionable status. Even if companies in the U.S. are doing it, they aren’t putting out much in the way of data about its efficacy.

There is, however, a concern worth noting. The first is that counterattacking cybercriminals relies on being able to more effectively leverage destructive and damaging tech than people who professionally deploy destructive tech and who spend most of their time connected to an ever-growing marketplace of highly specialized cutting edge tools for being destructive.

As CEO and Founder of cybersecurity firm Forter Michael Reitblat noted in a recent interview with MPD CEO Karen Webster, cybercrime has evolved from being the domain of individual actors who build all their own tools, scout their own leads and do all of their own heavy lifting.

“Now [the cybercriminals] are becoming more institutionalized or organized, but not in the ‘Godfather’ sense of the phrase, but in the online ecosystem sense,” Reitblat explained. “There are people who are only building cybercrime tools and selling them and that is literally all they do. There is now cybercrime as a service. You can have a botnet built for $2 an hour. This is why collectively, the cybercriminals have become so much better.”

Cybercriminals are good at cybercrime and have been in some cases markedly better than the security firms that try to use their own tactics against them.

Israeli firm Blue Security attempted such counterhacking some years ago by attempting to stop spam emails by responding with an overwhelming amount of electronic traffic created to disrupt their attackers.

Unfortunately for Blue Security, they didn’t overwhelm their opponent, they just provoked them and found themselves at the receiving end of a massive denial of service attack that took them offline. The firm never recovered and ultimately had to shut down.

That was 10 years ago, and it is safe to assume that the counterattackers have gotten more skilled over that period of time. But then again, so did the hackers — quite a bit better if recent history is any indication.

So perhaps the most useful question to ask about active security isn’t about its regulation, but about how to manage in the very gray areas in which this places companies who are being attacked. And, whether or not it works is just one dimension of the litmus test. In the low tech world of fraud and theft, victims don’t get to break into the home of a thief to steal back their things, and engaging with them actively can be dangerous. That’s why we have laws and law enforcement officers. In the cyberworld, enforcement of laws that forbid these kinds of attacks is tricky, given the inability to prosecute cybercriminals who operate in countries where we lack extradition capabilities. It’s not surprising that some have taken to “fighting back” in a world where they feel that there is no such thing as “fair play.” But as we’ve also seen, sometimes poking that hornet’s nest is a nuclear option that can go very wrong.