The United States government is planning on adopting a new approach to discourage hackers and other malicious actors from attacking government and military agencies: capture the malware used against them, re-engineer it, and send it back at the attacker.
The hack back strategy was presented by Lieutenant General Vincent Stewart of the U.S. Defense Intelligence Agency (DIA)—an organization specializing in defense and military intelligence—during the US Department of Defense Intelligence Information Systems (DoDIIS) conference in Missouri.
"Once we've isolated malware, I want to re-engineer it and prep to use it against the same adversary who sought to use it against us," Stewart said while speaking at the conference. "We must disrupt to exist."
The DoDIIS conference was attended by members of the FBI, CIA, National Security Agency (NSA), the National Geospatial-Intelligence Agency and the Office of the Director of National Intelligence. Companies including Microsoft, Xerox, the NFL, FireEye and DataRobot also attended the event.
It was clear from the event that the DIA was interested in taking a more aggressive approach to fighting back against attackers. In addition to Stewart’s suggestion that the organization could reconfigure malware and return it to its sender, the chief information officer for the agency also advocated for going on the offensive in response to attacks.
“In the past, we have looked inward, focusing on improving our internal processes, business practices and integration,” Janice Glover-Jones said. “Today we are looking outward, directly at the threat. The adversary is moving at a faster pace than ever before, and we must continue to stay one step ahead.”
Who may be on the receiving end of such an attack is hard to say. As Commander William Marks of the U.S. Navy pointed out while speaking at the conference, “Threats are no longer constrained by international borders, economics or military might. They have no borders, age limits or language barriers, or identity.”
Marks said an attack against the military or government could come from just about anywhere. It could be launched by “a large nation-state or a 12-year-old hacking our network from a small, isolated country.”
The approach raises a number of questions, including the very problem raised by Commander Marks. An attack can come from just about anywhere. Should the response be the same for a 12-year-old miscreant as it is for a nation-state actor with more malicious intentions?
Additionally, attribution is an incredibly difficult task. Attackers routinely stage operations through compromised third-party machines, rented infrastructure and borrowed tooling, so the host a piece of malware came from is rarely the host its operator sits at. While many experts can say with some assurance where they believe an attack originated from, it can be hard to make such a judgment with 100 percent certainty. Misattributing an attack and responding in an offensive manner against a bystander could create larger problems.
Ben Johnson, chief technology officer and co-founder of Obsidian Security and a former computer scientist at the NSA, said that it's important to understand adversarial techniques in order to disrupt attack campaigns, but said "if the discussion blends into the actual offensive counter-measures to strike back, that is where most security experts begin to walk away."
According to Johnson, hacking back carries with it a number of risks that make such a strategy often inadvisable. "The challenge with hacking back is how to truly know the attribution of your target, of how to limit collateral damage, and how to have a proportioned response," he said. "The average organization, even in the federal space, has a tough enough time defending against and investigating breaches. What would make any of us think they could surgically conduct counter attacks that wouldn't cause problems or take down critical infrastructure?"
He also warned that using offensive tools against an attacker can result in disclosing how certain attacks and payloads are used and deployed, effectively handing those methods over to adversaries.
"This, much like WannaCry, could lead to national-level capabilities being commonplace among the non-sophisticated nuisance groups, therefore accelerating the cyber arms race. I applaud the DIA and other organizations for attempting to disrupt adversarial capabilities, but this is also an instance where we need to clearly define what disrupt means,” Johnson said.
It’s worth noting that when legislation that would allow U.S. companies to hack back against attackers was presented before Congress, U.S. Cyber Command chief Admiral Mike Rogers warned that such initiatives could create unintended consequences, adding risk and potentially muddying attempts at pinpointing the source of cyber attacks.
“My concern is, be leery of putting more gunfighters out on the street in the Wild West,” Rogers told a House Armed Services subcommittee earlier this year.