Hacking Back: Exploring a new option of cyber defense

Pierluigi Paganini
November 8, 2016


The number of cyber-attacks continues to increase year after year, and the campaigns are becoming ever more sophisticated.

With increasing insistence, the IT security industry is invoking the concept of active defense: the ability to act in anticipation of a cyber-attack in order to oppose it.


The approach is not new; it is the result of frustration at dealing with blatant attackers who continue their raids undeterred.

In early 2013 the threat intelligence firm CrowdStrike presented its offensive approach to cyber security, revealing details of the takedown of thousands of nodes of the Kelihos botnet. In the same period, the company launched the Falcon platform, a system that leverages Big Data to carry out a number of "active defense" operations, including "real-time detection of adversary activities, attribution of the threat actors, the flexibility of response actions, and intelligence dissemination."

Law enforcement and intelligence agencies, private firms and security companies are publicly discussing the possibility of adopting a new approach to defending their assets from attack: hacking back the attackers.

What does an "offensive approach" mean for cyber security?

The numerous successful cyber-attacks observed by security firms demonstrate that a purely defensive posture is no longer sufficient to mitigate the risk of a cyber-attack.

Ever more frequently, experts are evaluating the option of hitting attackers with the same weapons they use to target businesses and government organizations.

Offensive defense contemplates hitting attackers with malware able to neutralize them, or with DDoS attacks against their control infrastructure.

The essential components of an offensive approach are attribution, the collection of clues that trace the attack back to the hackers, and retribution, understood as persuading the attackers to change their conduct.

Stewart A. Baker, partner at Steptoe & Johnson LLP, in the paper "The Attribution Revolution: Raising the Costs for Hackers and Their Customers" presented before the Judiciary Committee's Subcommittee on Crime and Terrorism, described the current defensive approach to cyber security with the following metaphor:

"We are not likely going to defend our way out of this problem."

"In short, we can't defend our way out of this fix, any more than we could solve the problem of street crime by firing our police and making pedestrians buy better body armor every year." "I'm not calling for vigilantism, I'm not calling for lynch mobs. But we need to find a way to give the firms doing these investigations authority to go beyond their network."

"If we don't do that we will never get to the bottom of most of these attacks."

Government and hacking back

One of the first governments to publicly announce "hacking back" as part of its active defense strategy was the British one.

British experts believe that "old legacy IT systems used by many organizations in the UK" could be easily targeted by hackers, causing serious problems.

The UK announced its intention to strike back against nation-state actors that target its critical national infrastructure.

Chancellor Philip Hammond unveiled a £1.9bn package designed to boost Government defenses against cyber threats as part of a five-year national cyber security strategy. He promised retaliatory countermeasures in response to state-sponsored attacks.

The UK Government's five-year strategy aims to "work to reduce the impact of cyber-attacks and to drive up security standards across public and private sectors."

Figure 1 - Chancellor Philip Hammond (Source The Telegraph)

The model of cyber defense that the UK intends to adopt includes hacking back operations against attackers threatening national security. Hammond explained that hacking back is the only alternative to a conflict, a proportional measure in response to cyber-attacks by foreign hackers.

"Speaking before the launch, Hammond said Britain must "keep up with the scale and pace of the threats we face" and insisted that the new funding will "allow us to take even greater steps to defend ourselves in cyberspace and to strike back when we are attacked,"" reported The Guardian.

"The money – which almost doubles the amount set out for a similar strategy in 2011 – will be used to improve automated defenses to safeguard citizens and businesses, support the cyber-security industry and deter attacks from criminals and 'hostile actors'."

Hammond highlighted the importance of securing the nation's critical national infrastructure and businesses from nation-state hackers.

"We will deter those who seek to steal from us, or harm our interests," Hammond said at Microsoft's Future Decoded conference in London recently. "We will strengthen law enforcement to raise cost and reduce rewards," he said of criminal attackers.

This is just a first step in cyber security matters; he promised the UK would "continue to invest in cyber defense capabilities," in particular in the technology that could allow the British cyber forces to trace and hack back state-sponsored hackers.

"If we don't have the ability to respond in cyberspace to attack that takes down power networks or air traffic control systems we would be left with the impossible choice of turning the other cheek or resorting to a military response – that's a choice we don't want to face."

"No doubt the precursor to any state-on-state conflict would be a campaign of escalating cyber-attack. We will not only defend ourselves in cyberspace but will strike back in kind when attacked."

Hammond, who chairs the Cabinet's cross-department cyber-security committee, had also listed high-profile cyber-attacks against British critical infrastructure.

The active defense model implemented by the UK Government includes new-generation software to detect and repel cyber-attacks, as well as the creation of dedicated cyber units.

Hammond pointed to the recent deployment of an application that was able to reduce to zero the incidence of 50,000 fraudulent emails sent by crooks pretending to be Government offices.

The Chancellor also referenced the TalkTalk data breach that exposed the details of 156,959 customers and led the Information Commissioner to fine the company £400,000.

"CEOs and boards must recognize they have a responsibility to manage cybersecurity," Hammond said.

Hammond also stressed the need for a proper security posture in private businesses, which are a privileged target for hackers.

"Similarly, technology companies must take responsibility for incorporating the best possible security measures into the technology of their products. Getting this right will be crucial to keeping Britain at the forefront of digital security technology."

The British Government isn't the only one urging an offensive approach to cyber-attacks carried out by nation-state actors.

According to the PRC Cyber Security Law (Second Consultation Draft) ("2nd Draft"), the Beijing Government is planning to freeze assets and take other actions against foreign hackers who threaten national infrastructure.

The second draft of China's Cyber Security Law has been submitted to the national congress for its third reading.

The decision is a clear message to foreign governments that intend to use cyberspace to attack the country's infrastructure.

Among China's principal adversaries is the US Government, which over the years has collected evidence of Chinese hacking campaigns.

Tension between the two governments is high, especially around the numerous espionage campaigns conducted by Chinese state-sponsored hackers against the US government and businesses.

The US Government's approach to active defense is no less aggressive.

In April, the US Supreme Court approved amendments to Rule 41 that let U.S. judges issue search warrants for hacking into computers located outside their jurisdiction.

Under the original Rule 41, a judge could only authorize the FBI to hack into computers within the judge's own jurisdiction; the changes give US authorities broader powers.

A U.S. Justice Department spokesman clarified that the change did not authorize any new authorities not already permitted by law.

U.S. Chief Justice John Roberts transmitted the rules to Congress, which has until December 1st to modify or reject them. If Congress takes no action, the rules take effect automatically.

The U.S. Justice Department explained that the changes were introduced to modernize the criminal code for the digital age, as reported by Reuters.

"The U.S. Justice Department, which has pushed for the rule change since 2013, has described it as a minor modification needed to modernize the criminal code for the digital age, and has said it would not permit searches or seizures that are not already legal," states Reuters.

The new rules drastically expand the Federal Bureau of Investigation's ability to conduct hacking campaigns against computer systems located anywhere in the world.

The US authorities would use hacking tools, spyware and exploits to compromise computers worldwide, in order to mitigate cyber threats and investigate potential threats to homeland security.

According to Democratic Senator Ron Wyden of Oregon, the modification to the rule will have "significant consequences for Americans' privacy."

"Under the proposed rules, the government would now be able to obtain a single warrant to access and search thousands or millions of computers at once; and the vast majority of the affected computers would belong to the victims, not the perpetrators, of a cybercrime," Wyden said.

A Justice Department spokesman confirmed that the new rules are the authorities' response to the increased use of "anonymizing" technologies by threat actors.

Time is running out: the US has a few weeks left to stop the FBI from obtaining a global license to hack computers worldwide in the name of defense.

In any case, the US government has been working on systems for proactive defense for a long time.

In 2014, Edward Snowden highlighted the risks of using automated attacks in response to offensives against the US. The whistleblower explained that the US Government was developing a system, codenamed MonsterMind, able to respond automatically to cyber-attacks against its infrastructure.

Of course, such systems can fail at attributing an attack, with unpredictable diplomatic and technological consequences.

"The NSA whistleblower says the agency is developing a cyber defense system that would instantly and autonomously neutralize foreign cyberattacks against the US and could be used to launch retaliatory strikes as well. The program, called MonsterMind, raises fresh concerns about privacy and the government's policies around offensive digital attacks," states an article published by Wired Magazine.

Snowden provided no information on the capabilities of the MonsterMind platform, nor on the specific nature of the counterstrike. A 'hack back' could be performed by launching malicious code against the attacking system, or simply by disabling the malicious tools on that system to render them useless.

Such a defense program clearly has several drawbacks: an attack from a foreign government would likely be routed through proxy infrastructure hosted in a third state not involved in the conflict. For example, attackers can use a botnet composed of machines located in an innocent country, and a counterstrike could therefore target that innocent country, with serious consequences.

Imagine that Russia decides to run a DDoS attack against US systems, but spoofs source IP addresses belonging to a different country or routes the malicious traffic through that country's infrastructure: an automated retaliatory attack could then hit the wrong country rather than Russian networks.

"These attacks can be spoofed. You could have someone sitting in China, for example, making it appear that one of these attacks is originating in Russia. And then we end up shooting back at a Russian hospital. What happens next?" asked Snowden.

Attribution isn't the only problem with deploying MonsterMind. Snowden added that such an automatic system needs a significant amount of input data, including the network traffic of all private communications coming into the US, which makes it a threat to the privacy of US citizens. MonsterMind needs this data to discriminate efficiently between normal traffic and anomalous or malicious traffic.

"If we're analyzing all traffic flows, that means we have to be intercepting all traffic flows. That means violating the Fourth Amendment, seizing private communications without a warrant, without probable cause or even a suspicion of wrongdoing. For everyone, all the time," he added.

Cryptographer Matt Blaze, an associate professor of computer science at the University of Pennsylvania, said that the algorithms implemented by the automated scanning system Snowden describes are similar to those underlying the Einstein 2 and Einstein 3 programs developed by the Government. Both use network sensors to identify malicious attacks.

From Information warfare to cybercrime – The "Hacking back" option

An active defense approach could be adopted against any kind of cyber threat, whatever the motivation of the attackers.

Consider, for example, the Mirai botnet, which was involved in the massive DDoS attack against the Dyn DNS service a few weeks ago that caused an Internet outage in the US.

Its source code was leaked on the popular criminal hacker forum Hackforum by a user with the moniker "Anna-senpai", giving anyone the opportunity to compile and customize their own version of the threat.

Experts who examined the code discovered a weakness that could be exploited to shut down the botnet's flooding of targets with HTTP requests; in other words, it is possible to hack back the threat. Researchers at Invincea found three vulnerabilities in the Mirai code; one of them, a stack buffer overflow, could be exploited to halt a DDoS attack powered by the botnet. The overflow lies in the way Mirai parses HTTP responses.

"Perhaps the most significant finding is a stack buffer overflow vulnerability in the HTTP flood attack code. When exploited it will cause a segmentation fault (i.e. SIGSEGV) to occur, crash the process, and therefore terminate the attack from that bot. The vulnerable code has to do with how Mirai processes the HTTP location header that may be part of the HTTP response sent from an HTTP flood request," reads the analysis published by the security firm Invincea.

Figure 2 - Mirai Botnet infections

This kind of attack against the Mirai bots would not have helped with the DNS-based DDoS attack against Dyn, but it would halt the Layer 7 attack capabilities implemented in the Mirai code leaked online.

The researchers at Invincea successfully tested a proof-of-concept exploit in a virtual environment, setting up a debug instance of the Mirai bot, a command and control server and a target machine.

"This simple "exploit" is an example of active defense against an IoT botnet that could be used by any DDoS mitigation service to defend against a Mirai-based HTTP flood attack in real-time. While it can't be used to remove the bot from the IoT device, it can be used to halt the attack originating from that particular device. Unfortunately, it's specific to the HTTP flood attack so it would not help mitigate the recent DNS-based DDoS attack that rendered many websites inaccessible," explained Scott Tenaglia, Research Director in the cyber capabilities team at Invincea Labs.

The method devised to halt the offensive power of the Mirai botnet is a classic example of active defense. Tenaglia remarked that the technique doesn't clean the compromised IoT devices; it is only effective against HTTP flooding.
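To make the defect class Invincea describes concrete, here is an added example (not Mirai's code and not the researchers' proof of concept) of how a C HTTP client should extract a Location header value with a bounds check before copying it into a fixed-size buffer; the function name and the sample responses are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Longest Location value the client is willing to keep; anything longer is
 * rejected instead of being copied into a fixed-size stack buffer. */
#define LOC_MAX 256

/*
 * Copy the value of the Location header of an HTTP response into out
 * (capacity outlen). Returns the value length on success, -1 if the
 * response has no Location header, -2 if the value would not fit.
 *
 * The defect class described in the Invincea analysis is the opposite
 * pattern: a fixed char loc[N] on the stack filled with the server-supplied
 * value without checking its length first. The length check below is the
 * step that closes it. (Hypothetical helper written for this example.)
 */
int extract_location(const char *resp, char *out, size_t outlen)
{
    const char *p = resp;
    /* The header block ends at the first blank line; never scan the body. */
    const char *hdr_end = strstr(resp, "\r\n\r\n");
    if (hdr_end == NULL)
        hdr_end = resp + strlen(resp);

    while (p < hdr_end) {
        const char *eol = strstr(p, "\r\n");
        if (eol == NULL || eol > hdr_end)
            eol = hdr_end;

        /* Header names are case-insensitive (RFC 7230). */
        if (eol - p >= 9 && strncasecmp(p, "Location:", 9) == 0) {
            const char *v = p + 9;
            while (v < eol && (*v == ' ' || *v == '\t'))
                v++;
            size_t n = (size_t)(eol - v);
            if (n >= outlen)          /* bounds check before the copy */
                return -2;
            memcpy(out, v, n);
            out[n] = '\0';
            return (int)n;
        }
        if (eol == hdr_end)
            break;
        p = eol + 2;
    }
    return -1;
}

int main(void)
{
    char loc[LOC_MAX];
    /* Constructed responses: a normal redirect, and one whose Location value
     * is far longer than LOC_MAX, the kind of input an unchecked copy into a
     * stack buffer would overflow. */
    const char *ok = "HTTP/1.1 302 Found\r\nServer: demo\r\n"
                     "Location: http://example.com/a\r\n\r\n";
    char big[1200], bad[1300];
    memset(big, 'A', 1000);
    big[1000] = '\0';
    snprintf(bad, sizeof bad, "HTTP/1.1 302 Found\r\nlocation: %s\r\n\r\n", big);

    printf("normal  : %d -> %s\n", extract_location(ok, loc, sizeof loc), loc);
    printf("too long: %d (rejected, nothing copied)\n",
           extract_location(bad, loc, sizeof loc));
    return 0;
}
```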

The method proposed by the researchers is a form of active defense with important legal implications, because whoever is defending their system is launching a counter-attack against the attacker's infrastructure.

We cannot forget that the practice of hacking back is illegal under the Computer Fraud and Abuse Act.

Hacking a bot means gaining unauthorized access to a computer system, and such operations have to be authorized by a court order.

Hacking back could be a suitable option against cyber threats like the Mirai botnet, or against any other attack carried out by state-sponsored hackers.

One of the most interesting examples is offered by the events surrounding the US Presidential election and the alleged interference of Russian state-sponsored hackers.

The numerous attacks observed over recent months are triggering a US response.

For the first time, a member of the US Presidential staff has threatened another country with a cyber-attack in response to the hacking campaigns that have been targeting US politicians for months.

The Office of the Director of National Intelligence and the Department of Homeland Security issued a joint statement accusing the Russian government of a series of intrusions into the networks of US organizations and state election boards involved in the Presidential election.

"The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process" reads the statement.

"We will take action to protect our interests, including in cyberspace, and we will do so at a time and place of our choosing," a senior administration official told AFP.

"The public should not assume that they will necessarily know what actions have been taken or what actions we will take."

Two weeks ago, US Vice President Joe Biden explained in an interview with NBC that a "message" would be sent to Russian President Vladimir Putin over the alleged hacking.

It is a historic declaration: for the first time in a diplomatic context, a member of a government invokes a cyber-attack as a deterrent.

NBC News revealed the CIA was preparing a retaliatory cyber-attack "designed to harass and 'embarrass' the Kremlin leadership." According to a senior intelligence official and top-secret documents obtained by NBC News, US hackers have already penetrated Russia's electric grid, telecommunications networks and command systems.

"U.S. military hackers have penetrated Russia's electric grid, telecommunications networks, and the Kremlin's command systems, making them vulnerable to attack by secret American cyber-weapons should the U.S. deem it necessary, according to a senior intelligence official and top-secret documents reviewed by NBC News," reported NBC News.

The documents confirm that the US Government is able to strike back at Russia in response to the latest wave of attacks against the Presidential election.

US intelligence doesn't believe Russian hackers will target critical national infrastructure; rather, it fears Russia could disrupt the presidential election by releasing fake documents or spreading misinformation through PSYOPS campaigns.

NBC News confirmed the US Government is establishing a dedicated response team to prevent and repel any attack on the presidential election. Experts say it is an unprecedented effort: the US cyber forces are ready to use their cyber weapons against any enemy that tries to interfere with the election.

"U.S. military officials often say in general terms that the U.S. possesses the world's most advanced cyber capabilities, but they will not discuss details of highly classified cyber weapons," wrote NBC News.

"James Lewis, a cyber expert at the Center for Strategic and International Studies, says that U.S. hacks into the computer infrastructure of adversary nations such as China, Russia, Iran and North Korea — something he says he presumes has gone on for years — is akin to the kind of military scouting that is as old as human conflict."

"This is just the cyber version of that," he said.

On the other hand, the NSA justifies its approach to active defense by explaining that its hackers regularly penetrate foreign networks to gather intelligence.

"You'd gain access to a network, you'd establish your presence on the network and then you're poised to do what you would like to do with the network," Gary Brown, a retired colonel and former legal adviser to U.S. Cyber Command, told NBC News. "Most of the time you might use that to collect information, but that same access could be used for more aggressive activities too."

The senior US intelligence official confirmed that the U.S. could take action to shut down some Russian systems in the event of Russian cyber-attacks.

"I think there're three things we should do if we see a significant cyber-attack," he said. "The first obviously is defending against it. The second is reveal: We should be publicizing what has happened so that any of this kind of cyber trickery can be unmasked. And thirdly, we should respond. Our response should be proportional," Retired Adm. James Stavridis told NBC News.


Active defense is one of the possible approaches for governments and private organizations in response to growing cyber threats.

However, we cannot forget that cyberspace has no physical boundaries; such defensive conduct could have serious repercussions for any entity in this new domain.

Despite the ethical and legal questions, governments are surely a step ahead of private industry when it comes to active defense.

I consider the choice to adopt a hacking back measure within an active defense model very dangerous despite the evident failures of the traditional defensive approach.

One of the major obstacles to an offensive defense culture is the lack of broad agreement on what "hacking back" means; offensive security is a relatively young concept, not yet regulated by a globally recognized legal framework.

I don't exclude the adoption of an offensive approach in some contexts, but I fear an indiscriminate diffusion in the private industry.

Let me close with the point of view of Zulfikar Ramzan, CTO, RSA:

"It's important to note that active defense and hack back are not synonymous with each other, even though the two concepts often get conflated. Hack back is merely one tactic in the active defense playbook. It treads down a slippery slope. Aside from legal considerations, it's easy to make a mistake when hacking back and accidentally going after the wrong resource. In the process, you might also be effectively poking the bear and risk having to face serious retaliation. Ultimately, hack back takes the eyes off the prize of understanding how the attackers got in and what you can do differently moving forward.

Organizations would do well to consider active deception techniques instead. These techniques not only slow attackers down considerably, but they also allow you to see firsthand how attackers might be exploiting weaknesses in your IT infrastructure, which can enable you to take intelligent decisions to address the corresponding issues. We live in a world where we can't just work hard to stop the bad guys; instead, we have to work smart."



Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.