Full Report
Are hacking victims "hacking back"? That question was recently posed in headlines like this one from Bloomberg: FBI Investigating Whether Companies Are Engaged in Revenge Hacking. The Marketplace reporter, Ben Johnson, speculated that 2015 might be the year of "hacking back" when he asked me about revenge hacking.
Analysis Summary
# Best Practices: Avoiding Illegal and Ineffective "Hacking Back" Cyber Defense Strategies
## Overview
These practices provide guidance on why organizations should avoid engaging in "hacking back" (retaliatory attacks against cyber adversaries) and instead focus on legally sound, defensive security measures classified as Active Defense and Active Deception within their own networks.
## Key Recommendations
### Immediate Actions
1. **Halt all planning or execution of retaliatory hacking activities** against external threat actors, as these actions are generally illegal and carry severe legal risks.
2. **Consult legal counsel immediately** regarding any current or planned security responses that involve accessing or manipulating systems outside of organizational control, obtaining written sign-off before any external action is taken.
3. **Immediately prioritize Active Deception techniques** within the private network environment to identify and slow down intruders who have already gained a foothold, as recommended by established Active Defense frameworks.
### Short-term Improvements (1-3 months)
1. **Implement Active Deception controls:** Identify and deploy techniques described in Active Defense literature designed to "identify and slow down attackers who have established pivot points into private networks before data exfiltration occurs."
2. **Assess counter-counter-attack readiness:** Verify that internal network defenses are robust enough to withstand any potential retaliatory action initiated by the original attacker following defensive maneuvers.
3. **Establish an internal pledge:** Formally mandate that no offensive security action will be taken externally until active deception has been tried, defensive countermeasures are verified, and legal counsel has provided documented approval.
### Long-term Strategy (3+ months)
1. **Advocate for systemic improvements:** Channel organizational resources and outrage into lobbying for stronger law enforcement responses and better regulatory enforcement against cybercrime, rather than attempting to outsource security aggression.
2. **Develop robust internal attribution capabilities:** Focus resources on forensic analysis and internal detection processes to accurately attribute attacks internally, acknowledging the high difficulty and risk associated with external attribution.
3. **Focus on primary security goals:** Recognize that hacking back does not solve the underlying security problem or contribute to a "well-ordered Internet governed by rules of behavior enforced by appropriate authorities."
## Implementation Guidance
### For Small Organizations
- **Strict Legal Adherence:** Given limited legal resources, treat any access to systems outside the organization as off limits; rely solely on strong perimeter defense and regulatory reporting.
- **Prioritize Free/Low-Cost Deception:** Focus implementation on simple internal deception techniques (e.g., deceptive file names, honeypots accessible only internally) referenced in beginner Active Defense whitepapers.
### For Medium Organizations
- **Formalize Legal Review Gateway:** Institute a mandatory sign-off process requiring both the CISO/Security Director and Corporate Counsel for any new proactive defense measure that touches external networks (even for monitoring).
- **Resource Allocation for Active Defense:** Dedicate a portion of the security budget specifically to tooling and training for active deception based on established SANS/industry best practices.
### For Large Enterprises
- **Develop Comprehensive Legal Policy:** Create a formal, documented policy detailing the strict conditions under which any "offensive" security activity may be considered (clearly distinguishing internal active deception from active hack back), ensuring all elements of the three-point pledge are auditable.
- **Avoid 'Reputation Warfare':** Structure defense strategy to assume threat actors are *not* rational actors, meaning deterrence via perceived retaliation is unreliable; instead, focus on making intrusions extremely costly and time-consuming for the attacker via layered defense and deception.
## Configuration Examples
*No specific technical configurations (such as firewall rules or intrusion scripts) were provided in the source for external "hacking back"; the focus is entirely on the **prohibition** of such actions.*
**Recommended Configuration Focus (Active Deception):**
- Deploy internal network sensors or systems specifically designed to engage detected intruders *within the private network* using well-documented, non-malicious methods intended only to slow the intruder and aid detection and forensics (e.g., following documented Active Defense implementations).
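As an added illustration of the internal-only deception described above (not code from the source page or any Active Defense framework), the following plants decoy credential files that no legitimate user has reason to open and turns any audited access to them into a high-confidence alert naming the internal pivot host. All file names, user names, hosts and audit events are constructed; the alert is for forensic follow-up inside the network and never touches an external system.

```python
import os
import secrets
import tempfile

# Constructed decoy names: files a legitimate user has no reason to open.
DECOY_NAMES = ["passwords_backup.xlsx", "vpn_credentials.txt", "payroll_export.csv"]

def plant_decoys(root):
    """Write decoy files under root and return {absolute_path: token}.
    The token inside each file lets a copy found later be traced to this host."""
    registry = {}
    for name in DECOY_NAMES:
        token = secrets.token_hex(8)
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"# decoy token {token}\n")
        registry[path] = token
    return registry

def detect_decoy_access(events, registry):
    """events: dicts parsed from a file-audit log (path, user, host, time).
    Any access to a registered decoy becomes a high-severity alert that records the
    internal pivot host for forensic follow-up; nothing is done to external systems."""
    alerts = []
    for ev in events:
        if ev["path"] in registry:
            alerts.append({
                "severity": "high",
                "decoy": os.path.basename(ev["path"]),
                "user": ev["user"],
                "pivot_host": ev["host"],
                "time": ev["time"],
                "token": registry[ev["path"]],
            })
    return alerts

def run_demo():
    """Plant decoys in a temp dir and run the detector over constructed audit events."""
    with tempfile.TemporaryDirectory() as root:
        registry = plant_decoys(root)
        events = [  # constructed sample audit records: one normal, one decoy access
            {"path": os.path.join(root, "quarterly_report.docx"), "user": "alice",
             "host": "ws-0412", "time": "2015-03-02T09:14:05Z"},
            {"path": os.path.join(root, "vpn_credentials.txt"), "user": "svc-backup",
             "host": "ws-0987", "time": "2015-03-02T02:41:17Z"},
        ]
        return detect_decoy_access(events, registry)

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```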
## Compliance Alignment
- **Legal Compliance:** Adherence to all relevant national and international laws regarding unauthorized access, denial of service, and electronic surveillance. This implicitly avoids violations of statutes like the Computer Fraud and Abuse Act (CFAA) in the US, or equivalent laws internationally.
- **Best Practice Frameworks:** Alignment with principles emphasizing defense, detection, and response *within one's own boundaries* (e.g., NIST CSF Protect and Detect functions), rather than external aggression.
## Common Pitfalls to Avoid
- **Assuming Legal Immunity:** Believing that being a victim grants the right to conduct illegal counter-attacks ("Stuff the law, we won't get caught").
- **Underestimating Attribution Errors:** Proceeding with an external strike based on flawed or incomplete attribution, which can lead to attacking innocent parties or state-sponsored actors, worsening geopolitical risk.
- **Ignoring Collateral Damage:** Failing to anticipate the potential legal and financial repercussions resulting from unintended harm caused to third-party systems during a counterstrike.
- **Mistaking Deception for Hacking Back:** Confusing legal, controlled active deception within private networks with illegal external retaliation.
## Resources
- **Active Defense Research:** Review SANS white paper on implementing active defense systems on private networks for legally permissible internal engagement strategies. (Search Term: SANS active defense deception private networks)
- **Legal Review Documentation:** Require explicit, written documentation from corporate legal counsel for any security plan that involves interacting with systems outside organizational control.
- **Public Security Advocacy:** Channel efforts into supporting policies and funding for official law enforcement cybercrime response units.