Hacking Back: Revenge is Sweet, But is it Legal?

Hacking Back: Revenge is Sweet, But is it Legal?

Before you go ahead hack backing intruders, you should proceed with caution.

You may have heard the term “active cyber defense” lately and would like to know if it can help your business, particularly if you work in a sensitive sector like financial services. In theory, active cyber defense (or ACD) sounds like what you need: You want to do more than firewall your systems and instead, actively defend your company against hackers.

But before you go ahead hack backing intruders, you should proceed with caution. Many active cyber defense strategies are currently illegal for financial services and other private companies.

U.S. law around active cyber defense

Introduced as a bill to the U.S. House of Representatives in October by Rep. Tom Graves, the Active Cyber Defense Certainty Act (ACDCA) is still under consideration. Currently, the Computer Fraud and Abuse Act deems many active cyber defense methods to be illegal, including accessing a computer – such as a hacker’s computer – without authorization. ACDCA aims to address new cyber security norms, particularly ones unaddressed in the Computer Fraud and Abuse Act, which was passed as an amendment in 1986.

Ultimately, ACDCA wants to enable broader active cyber defense abilities to the private sector. The bill proposes “to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers.”

If the ACDCA passes, Symantec writes that private companies could participate in a two-year pilot program where their activities would be closely coordinated with the FBI. Doing so would empower these companies to employ certain ACD tactics such as hack backs and not face criminal repercussions – though not civil.

They claim companies could legally hack into a suspected intruder’s computer as part of an ACDCA program for the following reasons:

  • To get information that could demonstrate whether or not the suspect penetrated the company’s systems.
  • To block the intruder from entering the company’s systems, and;
  • To watch how the intruder is acting.

However, Symantec notes that destroying information on a suspect’s computer that doesn’t belong to the company, causing excessive physical or financial damage, hacking an intermediary’s computer, or causing a public health threat would not be allowed in an ACDCA-backed program.

As this U.S. regulation gets resolved, however, we can explain some common ACD strategies and the pros and cons – both legally and logistically – of using them.

Hack-backs

Let’s start with hack backs, since this at the crux of the ACDCA program. While an increasing number of politicians are advocating for hacking back, particularly in response to wide-scale cyber attacks, many security professionals are skeptical of hack backs’ efficacy. For example, because of the internet’s interconnected nature, it is difficult to ensure a hack back will only target one’s intended intruders. Sadly and not surprisingly, many hackers will realistically just become savvier about hiding their exploits because of ACDCA legislation. Legalizing hacking back may not fundamentally damage intruders’ abilities to penetrate critical systems.

Also, many private companies are too optimistic about their abilities to find the right intruder through hack backs and may think they have the right hacker through a hack back scheme, but don’t. Even with hack backs, it is very hard to attribute the correct intruder.

So, even if you can hack back your attacker, it may not be the wisest move.

Honeypots

Honeypots are an increasingly popular ACD method that are less aggressive than hack backs. Honeypots create decoys placed within one’s networks with fake information and simulated software that encourage hackers to infiltrate. Once a hacker enters a honeypot, they are used to gather information on the attacker.

They can be quite effective. However, they are also resource intensive and if employed on a WiFi network, can be difficult not to encourage others to fall for the decoy as well.

Beacons

While honeypots are good at identifying who is attacking a given system, it does not follow their behavior once they’ve left the honeypot. Here, beacons enter.

Deploying marketing techniques like cookies, a web beacon contains a web link that can be embedded in various real documents without probably being noticed. Once the intruder clicks on the web link, a company’s servers gather information about the hacker, including their IP address, operating system, and other important details.

Thankfully, beacons are also legal.

White worms

White worms bring the idea of beacons one level further: Malware (known as “white worms” for their beneficial purpose) is actually infected into an intruder’s systems. While a lot can be learned from deploying such malware, the consequences are significant, particularly if uninvolved individuals are affected. For this reason, white worms are not commonly implemented.

Address hopping

For private companies with a lot of cash at hand, address hopping is another effective and legal ACD strategy. As a security researcher at ETH Zurich details, a company’s IP address is changed on a regular and random basis while data is transmitted. This makes a hacker need to search for a company’s data packets constantly. It is a strategy adopted from military communications where radio frequencies were regularly changed to throw off enemy forces.

In short, beyond hack backs and white worms – which are largely illegal or problematic – private companies can deploy legal and effective ACD tactics such as honeypots, beacons, and address hopping. Even if the ACDCA passes, financial services companies may still prefer to use these strategies rather than hack back.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3