Is hacking back a valid security technique for companies?
We had this debate at our local OWASP chapter last night about whether a honeypot should strike back. We did talk about some legal and moral issues however decided it was not a good idea because:
- The majority of attacks are coming from dumb clients on botnets or through automated tools, so what are you actually achieving by taking out yet another dumb client?
- The focus of your business should be aligned to your business objectives - fighting cybercrime (unless you work for a police authority) should not form part of that.
- If the attack becomes serious and you need to go to court, evidence that you "struck back" would not look good and could work against you. If you are going to spend money on this topic, then spend it on forensic tools so that it strengthens any legal action.
- Circular attacks: consider what happens if you accidentally strike back at another tool that has strike-back capability. Then you're just eating up bandwidth unnecessarily.
Despite you asking us to ignore the ethical and legal considerations, I'm not going to. I think that they're way too entrenched in this issue to be ignored, and approaching it from a purely fiscal perspective is misguided and pointless.
The law
The law in most countries is clear enough on this to say that there's no way to "hack back" in an effective manner without violating computer security laws. You're talking about gaining unauthorised access to a remote system. The question of whether that user is currently involved in a hack against you is moot - your actions are simply illegal regardless. In fact, you could end up getting in more trouble, since an attacker might be leveraging an innocent 3rd party's machine for the attack. Even if a law were passed to say that a hack-back was legal if you can prove that the source of the attack is definitely the hacker, you can never make that assertion.
The benefits
There are benefits to hack-back, but they're largely dependent on the situation. Here are a few things I can see being useful:
- Gaining intelligence on the attacker.
- Disabling or hindering the attacker.
- Increasing the risk for the attacker, thus preventing further attacks.
The drawbacks
Unfortunately, hacking back comes with a lot of drawbacks:
- Any intelligence gained cannot be used in court. You're compromising their system, which in turn makes anything on that system completely inadmissible.
- You might end up causing collateral damage during your hack, which you can be sued for. You might also hit the wrong target, as I mentioned earlier.
- The attacker may see it as a personal challenge, and become more destructive.
- Any hack-back law passed will be very difficult to comply with, since you cannot definitively say that a target machine accurately represents a personal asset of the attacker, rather than a 3rd party.
- Staff may be reluctant to participate in hack-back attacks, since their actions follow them for life, not just during their employment.
The costs
The financial perspective is pretty bland. If you hire a security officer, they're likely to be able to run pentests anyway. You can utilise this existing talent with no additional cost. The real cost comes with legal fees, which are likely to be crippling if you're found to have violated the law. Investment in any further resources doesn't seem to make much sense, since it's not particularly beneficial, and (for the moment) is highly illegal.
Without any consideration for the legal aspects, I think the simple fact that you would have to allow the attack to continue to avoid alerting the attacker is reason enough that it is inadvisable, but I think it would depend on the situation. Even if the user appears to be stuck in a honeypot, the risk of leaving them able to explore the system is likely to outweigh the potential benefits of the information you could gather.
If you were able to configure things in such a way that you had a high degree of confidence that they could not escape your cage and execute a meaningful attack, then, provided it was legal in your jurisdiction, I don't see what the harm would be in doing investigative counter-hacking to attempt to identify the attacker, so long as you were non-destructive. Any destructive hacking would not be of benefit, since the ultimate goal should be to identify the attacker and take legal action to stop it permanently, not merely harm them momentarily and possibly destroy evidence or alert them to their impending legal action. The nature of many attacks could benefit, however, from being able to see one or more nodes back up the chain, since it would be useful to know where the command and control for a botnet is coming from.
That said, I think it would be very difficult to ensure there is no ongoing risk to your security, so my general reaction would still be to shut it down and let the authorities deal with it. The business purpose argument was also a good one, unless your business goals are served by helping bring down the hacker.