Following the recent attacks against Dyn (and Krebs, OVH and others) by the Mirai botnet, there has been chatter about ‘hacking back’ as a means of active defense. If you missed the story or aren’t really sure what happened, there’s a good video on it here from Threatwire to get you up to speed, but with this post I’d like to focus on the idea of ‘hacking back’ itself. To keep the article short, I’ll just give some pros and cons below, but I welcome any feedback if I’ve missed anything. I’ve also included a link to the ThreatPost article discussing the ‘hacking back’ strategy to round things out.
First, the pros:
There have been a number of cases where law enforcement and vendors have teamed up in the past to take down malware networks (botnets and such). The takedowns of Dridex and Citadel are two that come to mind. In both cases, this was an abrupt end to a significant criminal botnet (a good thing). The important difference, though, is what was targeted: the command and control (C2) infrastructure run by the criminals, not the endpoints (the bots themselves, which belong to end users who are victims rather than attackers). ‘Hacking back’ against a botnet like Mirai would mean reaching into those infected end-user devices.
Now, the cons:
I’ll separate this into two sub-categories, government and non-government entities.
If we authorize government entities to ‘hack back’ against these botnets, how much (more) privacy are we giving up in the process? Are we simply granting the authority to break this one botnet, or are we granting the authority to break this one and any future ‘malicious’ things? If the latter, who defines ‘future malicious things’, and what oversight applies when the target is a device in someone’s home?
If we authorize non-government entities to ‘hack back’ against these bots, I see three potential downsides. First, the ‘active defenders’ draw the attention and ire of the attackers and, with it, additional malice: rather than simply being one source among thousands in a DDoS attack, the attacker singles out the defender’s network, breaches it and does real damage (stealing or destroying data, etc.). Second, ‘active defense’ tools may be used by well-intentioned folks who don’t fully understand them and end up contributing to the problem rather than mitigating it (e.g., they damage themselves or third parties, or run afoul of the CFAA). Third, an ever-evolving enemy can take advantage of the demand for a ‘free downloadable tool’ to distribute additional malware. What better way to lure an admin into downloading and running malware (as administrator, no less) than disguising it as a tool to attack the bad guys? Anyone tempted by such a tool should at minimum insist on a verifiable source, a published hash or signature, and a test run in an isolated environment before it ever touches a production system.
The ideal solution would be for manufacturers to be more vigilant about building secure products (no default credentials, no unnecessary exposed services, a way to deliver updates), and for consumers to be more vigilant about demanding more secure products from their vendors. I wrote an article detailing some of these failures after the Krebs and OVH attacks.
Misc / Errata