Several times in the last couple of months I’ve heard frustrated security folk saying something along the lines of “We should just identify the hackers and then hack back!” And superficially it might make sense: perhaps hacking back against the perpetrators of APTs would yield new information. Perhaps it would discourage them… OK, I did say “might”.
Hacking back is a profoundly stupid idea. Here are several reasons why:
- The guy you’re hacking back at is either:
  - a security expert, well equipped to identify or avoid you, OR
  - some poor sucker who made the mistake of clicking on some random URL and getting pwn3d as a result.
- Hacking back is complicated, hard, time consuming and expensive. And you have better things to do with your scarce security expertise – for example shoring up your perimeter or endpoint defenses, or even learning more about what’s going on in your network right now. Almost surely there is evidence in your network of an attack of which you are unaware – and finding and blocking it ought to be your highest priority.
- Hacking back faces massive legal challenges, no matter what the experts say.
- You can’t “get your data back”. Once it’s gone, it’s gone, and it could have been cloned an infinite number of times.
- If you’re just starting to think like this, then you’re starting a decade behind the state of the art.
- Oh, and the US is pretty good at creating and taking advantage of a group of writers.
I understand that you’re annoyed that someone stole your data. How can you make it better? Get over it, and make it 10,000-100,000 times harder the next time. Take great satisfaction that the attacker will then face an economic model that quite simply doesn’t scale. Make the price of a zero-day move from ~$10K to ~$10M. The only way to do this, I believe, is to ensure that the simplicity of micro-virtualization can be easily adopted as a core systems technology. Beyond that, each practitioner will be able to contrast the subtleties of approach A vs. B as a catalyst for their own adoption of deeper “defense in depth” strategies, appropriately informed by many cloud services and other tools. So a core mission at Bromium is to develop a platform that can be consumed by industry partners, integrators and customers alike. That is a potentially harrowing experience for the customer, but it is also fundamental to the ability of a young company to scale globally without necessarily having “feet on the street”.
Finally, it’s worth pointing out that many of the systems that attack our infrastructure are themselves pretty vulnerable – illegal OS copies etc. The appropriate way to take advantage of this is not for you to create your own attack, but to rely on a co-ordinated national effort run by those whose job it is to consider national or global threats.