Hack back doesn’t need to be a dirty word. According to security startup Cymmetria, organizations and individuals can employ a number of attack tools to disrupt attacker operations, as long as the security teams stay within their own network. There is no need to go after attacker infrastructure on foreign servers when the attackers set shop right in the organization’s infrastructure.
“I can’t attack the attacker where he lives, but I don’t have to. I can stop him while he is in my network,” said Gadi Evron, founder and CEO of Cymmetria.
Cymmetria has added “legal hack back” tools to its deception technology platform MazeHunter and published a framework that security professionals can use to discuss with their legal teams what types of actions and tools can be employed. Security teams can perform actions such as delivering a payload, wiping data, and setting up a beacon to see what attackers are doing next.
Hack back is a controversial topic among security professionals, because so much can go wrong and the resulting collateral damage can be massive. Going after attacker infrastructure isn’t as straightforward as grabbing IP addresses and domain names; attackers regularly commandeer machines belonging to other individuals and launch attacks without the owners’ knowledge.
It’s an open secret that some companies already hack back. However, hacking back can impact these innocent users more than the attackers themselves. Attribution is extremely hard, and there is no room for getting it wrong in a hack back scenario. Even if the security team gets it right, hacking back can escalate the situation, with attackers responding with more advanced payloads.
Hack back as incident response
Evron said there is a middle ground between not going after the attackers and what the industry calls hack back, and that middle ground has to do with where the security defenders engage with the attackers. Most hack back operations involve security teams tracking down the attack servers and wiping data originally stolen from their servers, probing the attack infrastructure for weaknesses to exploit, disabling the systems controlling malware, looking for information about the attackers to use in attribution, and launching distributed denial-of-service attacks to slow down criminal operations.
Cymmetria’s MazeHunter will let security teams perform any of these actions, but the activities are restricted to systems within the organization’s own network that the attackers had compromised as part of their operations. There is less chance of collateral damage, since the incident responders know without a doubt that a machine, which belongs to the organization, is being used in the attack. “Hacking back is actually incident response,” Evron said. “It’s not hacking if I am in my network and on my computer. I am closing the hole the attacker used.”