Saturday, May 13, 2017

Hacking back: A viable strategy or a major risk?

I spent yesterday at a conference at the Kostas Research Center at Northeastern University.  

I don't normally spend my time in the midst of so many government folks anymore, but I did yesterday. I gave my "Daily Show" talk, the talk on massive key logger exploitation in the maritime space, and sat on a panel later in the afternoon.

Yesterday morning, however, something BIG happened: a massive ransomware campaign, #WannaCry, was used to target healthcare and other industries in roughly a dozen countries around the world.

If you've heard me talk recently, you know that one of the things I talk about is threats 3-5 years out… I call it my Futurist talk. What should we be thinking about beyond the end of next week? One of those things I talk about often is swarm attacks in cyberspace… the idea that masses of computers can communicate, swarm, and attack a target computer, system or network and insert code, drop systems, etc., taking any opportunity to implant something that denies, degrades, destroys, or simply embeds.

During the panel, one question came up, a question that always comes up: a strong offense is often better than a strong defense. Should we be offensive in our defense? Should we be hacking back?

I think about this a lot, especially as it relates to the idea that in three to five years, even the most mature security teams (in my opinion) will not be able to keep up with the overwhelming amount of data needed to actively, in real time, defend against these swarm attacks, the attacks I call the nuclear option and cyber laser-guided bombs.

Anyway, we started on my right. The first panelist talked of legal issues. The second spoke of mis-targeting (the old "what if I hit the baby milk formula factory?!" problem). The third? Heck, I don't remember. When it was my turn, I gave the answer that I always give. I generally have two analogies:

  • "If I get into a bar fight, I'll make a decision to either talk it down, defend myself, or run… depending on who's picking the fight, whether or not I'm outnumbered, surrounded, etc." Generally, the other guy doesn't know that I've been a black belt for years, and if he pushes too hard, well… Maybe I'll buy the guy a beer to try and de-escalate the situation, but if that fails, if I think I can defend myself and win, I'll fight. If not? I'm asses and elbows outta there!
  • The second analogy? The one I used yesterday... "I live in New Hampshire. If someone breaks into my home in the middle of the night and attacks my family, I'm going to shoot them dead, and nobody is going to care. I was defending my family."

So why is it that in cyberspace, I'm not allowed to fight back?

Police aren't charged with, or equipped for, protecting you from cyber crime, and the government isn't going to come to your rescue unless you're part of critical infrastructure, and even then, well.... So what are you to do?

Hackers often learn their trade by sharing tactics and, many times, by hacking each other, for fun or profit, live… yet defenders are expected to build expensive labs, take training, follow process, be good citizens, and stay within the law.

At some point, the tables have to turn. I'm not saying this is an answer that everyone should pursue. I am saying that if you feel you can defend yourself, and win, go for it. There may be legal consequences, and you might get a cyber broken nose, but for those who believe that they have the skillsets to actively defend themselves, my feeling is, they should be able to do so without fear of prosecution.

This is a topic that I both enjoy and have talked about, both inside Red Sky and in public. In fact, Wapack Labs publishes an intelligence product that we call the Targeteer® report: dossiers on bad guys that we've identified over the years who pose threats to our membership. We identify them through good old-fashioned research. These guys are the wolves closest to your sleds.

We want to know if someone is a threat, and when we find out, we want to know how they work, where they live, how they connect to the internet, where they operate from, etc. Why would we not use this information to our advantage? It's good intelligence and it can be used for many things: hacking back, legal or HR action, freezing credit cards, and more. This is good intelligence work and we publish it to our Red Sky members.

Should you fight back? Probably not. Should you have the right to? Absolutely.

Interested in hearing my futurist talk? Drop me a note. We'll set something up.
