Hacking back simply a bad idea

As the topic of hacking back continues to resurface among elected officials, those of us in the cybersecurity community are scratching our heads over why this concept refuses to die. After digging deeper, one can see that there are many misperceptions regarding what the terms "hacking back" and "active cyber defense" (ACD) actually mean. General frustration and misinformation are driving the interest, but the mixing of definitions is fueling confusion.

Let’s start with the Active Cyber Defense Certainty (ACDC) Act, which was introduced to Congress by Rep. Tom Graves (R-Ga.) and Rep. Kyrsten Sinema (D-Ariz.) in March 2017 (updated in October 2017) as legislation that would give companies the right to hack back after a "persistent unauthorized intrusion." The bill’s name itself generates confusion.


Hacking follows a very methodical approach, often referred to as the "kill chain." This defines a hacker’s actions from initial compromise, escalation, lateral movement, to exfiltration. Hacking back would require a reverse traversal of the kill chain (with heavy modification) in order to understand the attack, adversary, and attribution. The danger with uninformed companies hacking back is that they typically won’t have well-defined strategies or methods for their actions. There are also many issues regarding what hacking back would achieve. It is likely that companies could gain some threat intelligence but less likely that they could recover their data.

ACD is a specific approach for gathering intel (internal-external), assessing risks and threats, developing a tech plan to lure and misdirect in-network attackers, and implementing a consistent operational strategy. Fundamentally, ACD consists of cyber intelligence, deterrence, and defense-in-depth strategies to create a comprehensive, proactive defensive posture.

Recently, the issue of hacking back resurfaced at the federal level in a Judiciary Committee hearing, when Sen. Sheldon Whitehouse (D-R.I.) weighed the merits of hacking back during a broader discussion on more open disclosure of digital threats and breaches as well as security stress testing. Whitehouse advocated for creating a more transparent process for private companies to seek guidelines for hacking back, noting, "We ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression."

While promoting a forum for discussion is smart, doing anything that advances this idea forward — like setting guidelines for hacking back — is dangerous. Organizations must know how to establish a proactive cyber defense, but counter-hacking exposes many practical, ethical, and legal concerns that most are ill-equipped to address. It also creates the risk for unintended consequences that could have adverse effects.

Although the concept of an "eye for an eye" may seem appealing to some, Whitehouse is correct that we must carefully consider the implications and consequences of what might happen if hacking back is allowed. We should also seek to understand and embrace new technologies that empower a proactive defense and new compliance standards for legacy and innovative technologies that present high security risks.

Organizations should pick the best perimeter defenses their budgets and resources can afford, understanding that with human error and advanced targeting, nothing can be 100% bulletproof. Companies shouldn’t stay passive, instead leveraging their home-field advantage by adding proactive security measures and focusing on threat models that affect the organization the most. They should also adopt active defense tools, such as deception, that change an attack’s asymmetry, gather threat intelligence, and use the attacker’s behavior for strengthening proactive cybersecurity behavior. Consider this a chess match where traps are used to manipulate adversaries and trick them into making mistakes, ultimately leading to their loss.

While organizations should have the support, rights, and permission to defend themselves from a cyberattack, conducting a retaliatory attack isn’t the answer. Legislation will also not solve the problems of cyberattacks. Instead, adoption of proactive cyber operations will drastically minimize the impact of a breach, and ultimately eliminate the need to retaliate. As a wise person once said, "the best revenge is massive success."

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register. Carolyn Crandall is a technology executive with over 25 years of experience in building emerging technology markets in security, networking, and storage industries. She has a demonstrated track record of successfully taking companies from pre-IPO through to … View Full Bio