Friday, November 2, 2012

"Hacking Back" is a Bad Idea

Yesterday at Hacker Halted in Miami, FL, David Willson, an attorney from Titan Info Security Group, presented a talk titled, "Hacking Back In Self-Defense: How Can I Do It Legally?". While not a new subject, there has been a lot of discussion recently about responding to attacks by "hacking back". To a degree this is understandable. Offensive security is fun and the desire for payback is a natural human reaction. With that said, there are several reasons why "hacking back" is not a good idea:

Legal Repercussions - An attack does not grant the victim a license to break the law. By taking an "eye for an eye" you are potentially exposing yourself to the same legal repercussions that the attacker is subject to.

Friendly Fire - Any attacker worth their salt (or who has watched the 1995 movie "Hackers") is not going to attack you from their home with a computer they own (it's "universally stupid"). Attribution is a serious concern.  Even if you can identify the origin of the attack, any retaliation will likely be targeted at an innocent bystander whose machine was compromised.

You're Not That Good - If you have the skills necessary to successfully compromise the attacker, why were these skills not used to identify the issues in your environment? After all, as a defender, this is why your employer gives you a paycheck. Which leads me to my next point...

You Have Better Things To Do - "Hacking back" implies that you have been compromised. Your efforts are better spent executing your incident response plan, reviewing lessons learned and taking steps to ensure that it doesn't happen again.

Escalation - Hypothetically, let’s say you have successfully compromised your attacker. Now what? You are performing a job, but to the attacker it has now become personal. You go home at the end of the day, they do not. "Hacking back" only provides additional motivation for the attacker to redouble their efforts. Even worse, if you truly are the target of real a state sponsored attack, retaliation might spark an international incident which could potentially lead to physical retaliation.

There will always be someone knocking on your door and jiggling the door handles. The best course of action is to appropriately secure your environment and continue to implement effective controls as your company changes and grows. In many cases, if an attacker cannot compromise your systems they will eventually move on to an easier target.