To hack back or not to hack back
Keith Buzzard, Chief Security Architect
Discussions around ‘hacking back’ are increasing proportionately with the rate and scale of disruptive hostile cyber action on large corporate organisations. The concept of a corporate organisation ‘hacking back’—i.e. retaliating against those who attack our systems as both a disruptive response and a deterrent against further attacks—is fascinating. It represents an innate personal and corporate need to respond to an active threat that is causing business damage, and a deep frustration about what is perceived as a national inability to prevent these attacks from happening in the first place. It also represents a ‘truth’ of life; ‘conflicts’—whether those are corporate or national wars—are not won entirely through purely defensive actions. Therefore, a logical solution seems to be to counterattack those who attempt to exploit our vulnerabilities and threaten our businesses. Sadly, this fails to reflect reality.
Initially—if we ignore the hi-tech mode of delivery—we’d be harking back to an age where each organisation (or let’s imagine a Baron or Duke) garnered their own personal assets to provide an active defence against their enemies. This invariably caused political turmoil and led to such assets being used against rivals, as well as enemies, to gain a competitive edge.
This is largely why many countries no longer allow private armies to operate, and why we generally trust our government to provide the type of ‘offensive defence’ and ‘deterrent’ we need. At a law enforcement level, it’s why vigilantes remain largely illegal and why we trust national law enforcement to pursue and prosecute criminals on behalf of society as a whole.
Considering the modern challenges of cyber security, industry is becoming frustrated at the disproportionate burden it appears to be carrying as both government and law enforcement struggle to get to grips with their respective societal responsibilities. This is understandable. However, organisations taking the law into their own hands carries high societal risk and is simply not a commercially viable solution.
Finding the correct target
If we follow this thought process through, the next problem is that these organisations—once they are trained, equipped and prepared to launch ‘defensive cyber-attacks’—require a legitimate target for their efforts. And it’s not that easy; few self-respecting hostile cyber attackers make direct or personal attribution obvious. Taking anonymity one step further, ‘false flag operations’ are frequently carried out with the aim of deliberately implicating others. Accurate attribution of an attack is therefore difficult and fraught with errors.
But let us assume that accurate and indisputable attribution were possible and that there was enabling legislation to facilitate such an activity. Let us also place to one side the moral and ethical concerns of allowing a private organisation to make these decisions independently.
Even then, do the management of industrial and commercial organisations have the awareness, training and in-depth understanding of the cause and effect of such issues to be able to confidently make the right call over rules of engagement? In the 21st Century we see that, even with the correct training, military personnel face court martial or legal proceedings if something goes wrong, individual police officers are held personally liable for exceeding operating guidelines, and members of the public are prosecuted when self-defence has crossed the threshold into assault or even manslaughter.
In a scenario where a CEO has authorised a retaliatory cyberattack that has the wrong, or even unforeseen, consequences, are they content to hold corporate and personal liability for such actions? And are the Board and Shareholders happy for the company to undertake this type of action?
Are there actually any benefits?
How would an organisation actually benefit from attacking back? Even if the correct attribution was made, targeting those who launched attacks against an organisation would likely only be partially successful, forcing the attackers to take the same defensive actions as their victims.
And given that the adversary is made up almost entirely of highly competent technical operators, who attack assets for a living, their cost of defending against a counterattack is significantly smaller, and their ability to escalate the confrontation yet further – faster, harder and wider – is significantly greater.
As such, striking back at the attacker is unlikely to have any significantly positive results, will expend manpower, effort and cost, and is likely to be futile at best or to create even more retaliatory damage and cost at worst. This is particularly relevant if thinking moves towards the concept of a pre-emptive strike being used to prevent the launch of a cyberattack known to be imminent. This then becomes a question of intelligence collection and long-term surveillance and monitoring, which quickly falls back into a sphere of operations best delivered by intelligence agencies and governments.
The wider implications
Therefore, maintaining such a hugely expensive apparatus for the purpose of monitoring and retaliatory offensive cyber operations, for little commercial benefit, doesn’t generally provide a good return on investment. But more significantly, it begins to create a culture where aggressive cyber operations become more acceptable and normal within a corporate setting. And ‘normalisation’ of such activity leads us down a path where dragons lie.
This path leads to a world where every organisation must be big enough to maintain a private cyber militia, performing both defensive and offensive actions. It becomes a world where ‘defensively offensive’ cyber activity is ‘normal’ and leads to a dilution of the interpretation of corporate risk from a cyber threat. Maintaining an expensive capability in such a world can inevitably lead to some organisations using that otherwise idle capability against rival organisations who represent an aggressive business threat.
Extreme? If we look at the massive societal cultural shift and establishment of new norms of behaviour in today’s technology enabled world – this is not as unlikely as it may at first seem.
This has far wider social implications than can be easily discussed in a blog post, but demonstrates that what appears, at first glance, to be a relatively small policy change would soon have profound impacts.
Of course, being able to hack back would be gratifying, and satisfy our inner need for revenge and justice. But regardless of ethics, it is a route to commercial ruin, where the liability, cost and risk far, far outweigh any sense of business benefit.
What can you do instead?
So, in the same way as countering all the other pervasive illegal threats that organisations face, the primary corporate effort must be to reduce the risk of an attack happening and/or to limit the damage if it does happen. In our experience, this comes down to two things:
- Mature, proportionate defence to protect the organisation against what is a commercial and societal threat.
- Information sharing to improve the ability of those who can legitimately, legally and constitutionally pursue the perpetrators, through the most appropriate means available.
Understanding how hackers can find their way into your organisation’s systems is the first step in building your defences (so you don’t need to think about gathering your own cyber militia). Here are some easy steps to get started:
Cyber Maturity Model – Most organisations are better equipped than they realise and already have the basic tools to apply against this threat. Equally, others know they need to invest in their defences but don’t know where to invest most effectively to reduce the risk they face. A Cyber Maturity Model clearly informs an organisation of their current level of defensive maturity against the level they need to achieve. In short: clear, concise cyber security investment direction.
Online Hostile Reconnaissance – This mirrors the exact steps that an attacker (of any type) would take to gather the necessary publicly available material on an organisation before planning their attack. This will then inform the organisation how to reduce the ready availability of such material. Read further: Social engineering
Training – Nearly all attacks—at all levels of sophistication—exploit a user as a starting point, most often via phishing campaigns. Even with the best spam filter or other perimeter protection that money can buy, the end user (us) is likely to open up an organisation to compromise – usually accidentally. Training staff in how to operate safely and securely in a 21st Century technically-enabled environment remains the most effective risk reduction measure.
Penetration testing/Red team testing – Finding the chink in your armour and resolving it strengthens your defences further. Penetration and red team testers will take on the role of a hacker and do their best to identify where your technical, human, procedural and physical defences are weak without compromising your operations. They will also provide concise, prioritised remediation advice. Read further: Red Team activities
Implementing information security management – An information security management system simply provides end-to-end management of the whole cyber security risk. It evolves and adapts with the nature of the threat and allows the organisation’s own risk management tolerances to be applied. These management systems can be fully certified (such as Cyber Essentials, ISO 27001) or simply developed in line with the same principles without the additional overhead of formal certification.
Supply chain management – Regulations, such as GDPR and NISD, as well as those imposed by individual sector regulators have placed increased focus on the security management of an organisation’s supply chain. This is not just because it is often the easiest route into an organisation for attackers, but also because regulatory compliance cannot be simply handed off to the supply chain itself. Providing compliant governance around the information security of a supply chain is a relatively straightforward process, when sensible risk management principles are applied.
How PGI can help
Although, perhaps, implementing pure defence is not as much fun or as satisfying as striking back, it is certainly a more commercially viable option. Also, there is at least some satisfaction in denying attackers access, and being confident that your defences are appropriate to the standards that are expected – in a way most of your competitors aren’t.
Our team of cyber experts can help your organisation build your cyber defences in the right places, proportionate to the risk faced and ensure your information is as secure as is reasonable to expect. Talk to us about how we can assist: firstname.lastname@example.org or via phone +44 (0) 845 600 4403