Hacking Back: Revenge is Sweet, But is it Legal?

Hacking Back: Revenge is Sweet, But is it Legal?

Before you go ahead hack backing intruders, you should proceed with caution.

You may have heard the term “active cyber defense” lately and would like to know if it can help your business, particularly if you work in a sensitive sector like financial services. In theory, active cyber defense (or ACD) sounds like what you need: You want to do more than firewall your systems and instead, actively defend your company against hackers.

But before you go ahead hack backing intruders, you should proceed with caution. Many active cyber defense strategies are currently illegal for financial services and other private companies.

U.S. law around active cyber defense

Introduced as a bill to the U.S. House of Representatives in October by Rep. Tom Graves, the Active Cyber Defense Certainty Act (ACDCA) is still under consideration. Currently, the Computer Fraud and Abuse Act deems many active cyber defense methods to be illegal, including accessing a computer – such as a hacker’s computer – without authorization. ACDCA aims to address new cyber security norms, particularly ones unaddressed in the Computer Fraud and Abuse Act, which was passed as an amendment in 1986.

Ultimately, ACDCA wants to enable broader active cyber defense abilities to the private sector. The bill proposes “to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers.”

If the ACDCA passes, Symantec writes that private companies could participate in a two-year pilot program where their activities would be closely coordinated with the FBI. Doing so would empower these companies to employ certain ACD tactics such as hack backs and not face criminal repercussions – though not civil.

They claim companies could legally hack into a suspected intruder’s computer as part of an ACDCA program for the following reasons:

  • To get information that could demonstrate whether or not the suspect penetrated the company’s systems.
  • To block the intruder from entering the company’s systems, and;
  • To watch how the intruder is acting.

However, Symantec notes that destroying information on a suspect’s computer that doesn’t belong to the company, causing excessive physical or financial damage, hacking an intermediary’s computer, or causing a public health threat would not be allowed in an ACDCA-backed program.

As this U.S. regulation gets resolved, however, we can explain some common ACD strategies and the pros and cons – both legally and logistically – of using them.

Hack-backs

Let’s start with hack backs, since this at the crux of the ACDCA program. While an increasing number of politicians are advocating for hacking back, particularly in response to wide-scale cyber attacks, many security professionals are skeptical of hack backs’ efficacy. For example, because of the internet’s interconnected nature, it is difficult to ensure a hack back will only target one’s intended intruders. Sadly and not surprisingly, many hackers will realistically just become savvier about hiding their exploits because of ACDCA legislation. Legalizing hacking back may not fundamentally damage intruders’ abilities to penetrate critical systems.

Also, many private companies are too optimistic about their abilities to find the right intruder through hack backs and may think they have the right hacker through a hack back scheme, but don’t. Even with hack backs, it is very hard to attribute the correct intruder.

So, even if you can hack back your attacker, it may not be the wisest move.

Honeypots

Honeypots are an increasingly popular ACD method that are less aggressive than hack backs. Honeypots create decoys placed within one’s networks with fake information and simulated software that encourage hackers to infiltrate. Once a hacker enters a honeypot, they are used to gather information on the attacker.

They can be quite effective. However, they are also resource intensive and if employed on a WiFi network, can be difficult not to encourage others to fall for the decoy as well.

Beacons

While honeypots are good at identifying who is attacking a given system, it does not follow their behavior once they’ve left the honeypot. Here, beacons enter.

Deploying marketing techniques like cookies, a web beacon contains a web link that can be embedded in various real documents without probably being noticed. Once the intruder clicks on the web link, a company’s servers gather information about the hacker, including their IP address, operating system, and other important details.

Thankfully, beacons are also legal.

White worms

White worms bring the idea of beacons one level further: Malware (known as “white worms” for their beneficial purpose) is actually infected into an intruder’s systems. While a lot can be learned from deploying such malware, the consequences are significant, particularly if uninvolved individuals are affected. For this reason, white worms are not commonly implemented.

Address hopping

For private companies with a lot of cash at hand, address hopping is another effective and legal ACD strategy. As a security researcher at ETH Zurich details, a company’s IP address is changed on a regular and random basis while data is transmitted. This makes a hacker need to search for a company’s data packets constantly. It is a strategy adopted from military communications where radio frequencies were regularly changed to throw off enemy forces.

In short, beyond hack backs and white worms – which are largely illegal or problematic – private companies can deploy legal and effective ACD tactics such as honeypots, beacons, and address hopping. Even if the ACDCA passes, financial services companies may still prefer to use these strategies rather than hack back.

Featured

  • It's Show Time

    I am one of those people that likes to see things get bigger and better. As advertised, ISC West is going to be bigger (more exhibitors) and better (more attendees). It’s show time in Las Vegas. Read Now

    • Industry Events
    • ISC West
  • SIA Releases New Report on Operational Security Technology

    The Security Industry Association (SIA) has released an impactful new resource – Operational Security Technology: Principles, Challenges and Achieving Mission-Critical Outcomes Leveraging OST. Read Now

  • Cyber Overconfidence Is Leaving Your Organization Vulnerable

    The increased sophistication of cyber threats pumped by the relentless use of AI and machine learning brings forth record-breaking statistics. Cyberattacks grew 44% YoY in 2024, with a weekly average of 1,673 cyberattacks per organization. While organizations up their security game to help thwart these attacks, a critical question remains: Can employees identify a threat when they come across one? A Confidence Gap survey reveals that 86% of employees feel confident in their ability to identify phishing attempts. But things are not as rosy as they appear; the more significant part of the report finds this confidence misplaced. Read Now

  • Mission 500 Debuts Refreshed Identity Ahead of Security 5K/2K at ISC West

    Mission 500, the security industry’s nonprofit charity dedicated to supporting children in need across the US, Canada, and Puerto Rico, has unveiled a refreshed brand identity ahead of ISC West. The charity’s new look includes a modernized logo with refined messaging to reinforce Mission 500’s nearly decade-long commitment to serving the needs of children and families in crisis. Read Now

    • Industry Events

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.