2021 has been a banner year in terms of the frequency and diversity of cybersecurity breaking news events, with ransomware being the clear headline-winner. While the DarkSide group (now, in theory, retired) may have captured the spotlight early in the year due to the Colonial Pipeline attack, REvil — the ransomware-as-a-service group that helped enable the devastating Kaseya mass ransomware attack in July — made recent headlines as they were summarily shuttered by the FBI in conjunction with Cyber Command, the Secret Service, and like-minded countries.
This was a well-executed response by government agencies with the proper tools and authority to accomplish a commendable mission. While private-sector entities may have participated in this effort, they will have done so through direct government engagement and under the same oversight.
More recently, the LockBit and Marketo ransomware groups suffered distributed denial of service (DDoS) attacks, as our colleagues at IntSights reported, in retaliation for their campaigns: one targeting a large US firm, and another impacting a US government entity.
The former of these two DDoS attacks falls into a category known colloquially as "hack back." Our own Jen Ellis did a deep dive on hacking back earlier this year and defined the practice as "non-government organizations taking intrusive action against a cyber attacker on technical assets or systems not owned or leased by the person taking action or their client."
The thorny path of hacking back
Hack back, as used by non-government entities, is problematic for many reasons, including:
- Group attribution is hard, and most organizational cybersecurity teams are ill-equipped to conduct sufficiently thorough research to gain a high enough level of accuracy to ensure they know who the source really is/was.
- Infrastructure used to conduct attacks is often compromised assets of legitimate organizations, and taking direct action against them can cause real harm to other innocent victims.
- It is very likely illegal in most jurisdictions.
As our IntSights colleagues noted, the LockBit and Marketo DDoS hack-back attacks did take the groups offline for weeks and temporarily halted ransomware campaigns associated with their infrastructure. But the groups are both back online, and they — along with other groups — appear to be going after less problematic targets, a (hopefully) unexpected, unintended, but very real consequence of these types of cyber vigilante actions.
Choosing a more productive path
While the temptation may be strong to inflict righteous wrath upon those who have infiltrated and victimized your organization, there are ways to channel your reactions into active defense strategies that can help you regain a sense of control, waste attackers' time (a precious resource for them), contribute to the greater good, and help change the economics of attacks enough to effect real change. Here are 3 possible alternative routes to consider.
1. Improve infrastructure visibility
You can only effect change in environments that have been instrumented for measurement. While this is true for cybersecurity defense in general, it is paramount if you want to take the step into contributing to the community efforts to reduce the levels and impacts of cybercrime (more on that later).
You have to know what assets are in play, where they are, the state they are in, and the activity happening on and between them. If you aren't outfitted for that now, thankfully it's the holiday season, and you still have time to get your shopping list to Santa (a.k.a. your CISO/CFO). If you're strapped for cash, open-source tools and communities such as MISP provide a great foundation to build upon.
2. Invest in information sharing and analysis
There are times when it feels like we may be helpless in the face of so many adversaries and the daily onslaught of attacks. However, we protectors have communities and resources available that can help us all become safer and more resilient. If your organization isn't part of at least one information sharing and analysis organization (ISAO), that is your first step into both regaining a sense of control and giving you and your cybersecurity teams active, positive steps you can take on a daily basis to secure our entire ecosystem. An added incentive to join one or more of these groups is that many of them gain real-time cross-vendor insights via the Cyber Threat Alliance, a nonprofit that is truly leveling up protectors across the globe.
These groups share tools, techniques, and intelligence that enable you to level up your organization's defenses and can help guide you through the adoption of cutting-edge, science-driven frameworks such as MITRE's ATT&CK and D3FEND.
3. Consider the benefits of deception technology
"Oh! What a tangled web we weave when first we practice to deceive!"
Sir Walter Scott may not have had us protectors in mind when he penned that line, but deception is a vital component of modern organizational cyber defenses. Deception technology can provide rich intelligence on attacker behavior (which you can share with the aforementioned ISAOs!), keep attackers in a playground safe from your real assets, and — perhaps most importantly — waste their time.
While we have some thoughts and offerings in the cyber deception space — and have tapped into the knowledge of other experts in the field — there are plenty of open-source solutions you can dig into, or you can create your own! Some of the best innovations come from organizations' security teams.
Remember: You are not alone
Being a victim of a cyberattack of any magnitude is something we all hope to help our organizations avoid. Even if you're a single-person "team" overseeing cybersecurity for your entire organization, you don't have to go it alone, and you definitely do not have to give in to the thought of hacking back to "get even" with your adversaries.
As we've noted, there are many organizations who are there to help you channel your energies into building solid defenses and intelligence gathering practices to help you and the rest of us be safer and more resilient. Let's leave the hacking back to the professionals we've tasked with legal enforcement and focus on protecting what's in our purview.