Having these discussions with the legal team at the outset is critical, because hacking back is illegal in the United States under the Computer Fraud and Abuse Act (CFAA), and other countries have similar laws on the books.
Okay under CFAA?
Cymmetria’s legal hack back approach doesn’t run afoul of the CFAA’s prohibition on intentionally accessing a computer without authorization, because the organization is, by definition, authorized to do what it wants with a machine on its own network. The fact that an attacker has compromised it doesn’t mean the organization no longer owns that machine. As part of incident response, the security team can interact with the attacker on that machine, feed the attacker phony data, deliver its own payload, or examine the attack tools left on the machine in order to thwart other attacks.
What the security team can’t do is pivot from that machine to another machine it is communicating with if that second machine sits on the attacker’s network. It can, however, act on its own side of the connection: block traffic headed to that machine, launch its own payload on the compromised host, encrypt the data before it can be transferred to that machine, or take any number of similar actions.
If the attacker spun up a new virtual machine or another instance while moving laterally through the organization’s infrastructure, that system would still be considered to belong to the organization. This is where the framework is useful: it also takes third-party contracts and corporate policies into account to help identify which systems are in scope and which cannot be touched.
Not the hack back you know
Cymmetria’s legal hack back announcement comes at an interesting time, as a recently introduced bill in the US House of Representatives proposes amending the CFAA to allow organizations and individuals to make limited retaliatory attacks after a breach or compromise. If passed, the Active Cyber Defense Certainty Act (ACDC) would allow defenders to venture outside their networks to access the attacker servers, delete the stolen data, bombard their servers to interrupt the attack, or deploy “beaconing technology” to identify the attacker’s physical location. ACDC is severely limited, as it restricts hacking back to computers only on American soil, which means attackers using overseas systems to launch their attacks don’t have to worry.
“The certainty the bill provides will empower individuals and companies to use new defenses against cybercriminals,” said Rep. Tom Graves (R-GA), the bill’s co-sponsor. “I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders.”
It’s not just US lawmakers considering letting organizations go after attackers in limited retaliatory attacks. German intelligence officials recently asked German lawmakers for the authority to hack back in the event of a nation-state attack. They requested authority to take actions such as infecting foreign servers with spying software to monitor other operations against German servers or to collect information about the attackers, and destroying data found on foreign servers which had originally been stolen from German servers. The intelligence officials emphasized that these activities aren’t intended to destroy foreign servers, but to prevent attackers from using the stolen data.