Offensive Defense: A Really Bad Idea Proposed By Charlatans And Zealots
Offense: It’s All the Rage!
Over the latter half of last week and into this weekend my Twitter feed was filled with talk of “Offensive Defense.” What I mean by Offensive Defense is the idea that a company has the right and the legal ability to hack back against those who may have attacked them and/or taken their property, such as “IP.” Since the advent of companies like Crowdstrike, there has been a din of chatter and a dearth of common sense on this issue. Personally, I have determined that as a rule this is a horrible idea filled with epic hubris which, if acted upon by companies out there, will eventually lead to much more damage to their business than some IP being stolen. I fear that in the end it will unleash a series of cascading events leading to outright lawlessness and vigilantism on the Internet.
So, from the discourse that was had on Twitter with Rafallos, to the continuing speculative and vaporware-like cries by Crowdstrike and its founders, to this blog post, I hope to set forth once and for all, and in no uncertain terms, that this is a bad idea. This activity should not be an offering by any company as a service, and to even float the idea is an exercise in near charlatan-like behavior. The new snake oil, my friends, is the idea that it’s ok to hack back against those you “perceive” as having hacked you.
Firstly, let’s look at the issue of attribution. I have written about this in the past and thought it was pretty clear. Attribution is never 100% and never will be unless you can prove in a court of law that someone did something. Yes, that’s right, a court of law, kids. The words you are groping for are “Without reasonable doubt.” If you cannot make your case in court, what makes you really think you are clear to hack/attack some infrastructure because you think they did something? It’s just one of the most stupid and extralegal ideas I have ever heard, and I have heard some whoppers in my time, believe me.
Let me put it to you simply: if there is no legal finding of attribution, then there is no attribution other than hearsay. It’s as simple as that. You see, if you can prove it in court then you have hopefully had the benefit of proper forensics and findings. What gets everyone’s goat now is that many of these crimes cannot be taken to court because, in some cases, there is perhaps no law against what was done. In others, it turns out that due to the nature of computing, and sometimes the nature of the poorly configured networks out there in use, there is no evidence to be had that points to anyone doing anything. This is what really sticks in the craws of those who advocate hacking back. They feel powerless and think that they are some super secret intelligence unit outside of the purview of the law or the government. (looking at you Crowdstrike) *squint* So, a key factor here is attribution, which frankly, many times cannot be held up in court. So instead, let’s have a kangaroo court and just dispense frontier justice, huh?
So what makes you more right than, say, Anonymous here?
On another level, let’s look at the idea that Anonymous has been and is a “vigilante” organization. Their attribution has been less than sparkling over the years as well. What makes your company any less of a vigilante, or any different from Anonymous, when it acts upon its own suppositions and hacks another company? For that matter, what about hacking company A when in fact it was company B who did the hacking in the first place, using company A’s assets? It’s a false assumption that you are actually getting back at the culprits when you perform these types of operations, and in fact, you may be committing crimes by hacking back at the wrong infrastructure in the first place. Of course, there is first the point that hacking in and of itself is a crime, right? So if you take part in this, pay for this service, or partake in it at all, you have already committed a crime under the laws on the books.
Do you really think that you are then holding the moral high ground here? What happens when someone hacks your infrastructure because they thought you had hacked them? What recourse do you have then, once you have crossed that threshold into the dark territory of hacking back? The cry from so many companies of late after being hacked by LulzSec and others really is quite pointless if you start taking up the position of deputizing yourselves and others to take the law into your own hands.
You are no better than those who attacked you in the first place, and yes, you have no legal leverage at all once you do so. It’s flawed logic, if any logic is being used at all here.
Are there any returns on investment here?
Let’s say you have decided to engage hackers, or some company of them, to hack back against someone you think attacked you. What, if anything, do you logically hope to gain from this? Your data perhaps? Well, data can be copied numerous times in various places, and are you in fact sure you found the only point of exfiltration from the company in the first place? If you get the data back, how do you know that you are the only ones who have it once it’s been in the open? You don’t, and thus what gain is there? Oh sure, maybe you can gain some intel on your attacker, their modus operandi maybe, but really, what do you get here?
The same goes for hacking back and destroying infrastructure, etc. What is there to gain? Once again, are you even sure the systems you are attacking are in fact those of the real attacker, or just some proxy who has no idea what the hell is going on? Really, what’s the point? Some might say you will gain intelligence on your attacker. Well sure, maybe, but it’s just as likely there will be nothing of worth there as well, so where is the ROI here? You will have been paying hackers to do things for, I am sure, a lot of money, so do you really win if they get into the systems you want them to? Please consider just what it’s really worth as opposed to what you will lose if things go wrong, and they will, and it all makes the news.
Once again, it’s a losing proposition I think…
Alright, we hacked in and we took the data back, but look! They have some tasty data here… Who’s to know that we took it?
Ok, so we hacked back and we got the data back! YAY! But hey, look, while we were looking we also saw this other data… It belongs to another company and, well, they are a competitor. Let’s just have a look, shall we? Now that is a slippery slope, huh? Really, I think this will happen and it will also be no good. Once again we are on the fast track to bad things, and the reality is that it is bound to be something that companies will then justify as “competitive intelligence,” ya know, like they do today, right? Look at all of the private intelligence firms out there today who not only sweep for bugs in your corporate offices, but have also been known to install them in the opposition’s offices as well.
Corporations are now, as a matter of law, “entities or people” according to politics and campaign finance. How is it they aren’t when it comes to spying on other companies or their employees? Just a thought…
How long until we have a preemptive strike doctrine for the corporate sector?
This brings me to one of the scarier ideas to come from this whole debacle. All of this will likely come down to preemptive strikes against other companies or entities because they have heard chatter about an offensive to come. No, I am not being too dark or melodramatic here. This, I believe, is already taking place within the communities today. Industrial espionage is not only about stealing secrets. It’s also about denying your competition the advantage. In fact, there was a story today about how “poor little Coke” was attacked by the nasty Chinese. What does not get told in such stories is that Coke, and other megacorps like them, also use private intel firms to spy on others and perform dirty tricks. So none of them are lily white here, but using this argument of hacking back as “defense” only tries to legitimize the whole thing in the network sphere.
Mark my words, there will be preemptive attacks if there already haven’t been…
False Flags and Mercs
Lastly, once again I shall trot out the idea of false flags and add the mercenary angle for the cyberverse. Any companies offering these services (hacking back/Offensive Defense) should be on the lookout for becoming the unwitting pawns in these games. They should also be aware that not only corporations will use them, but also “cutout” corporations that are in fact fronts for the CIA and others who want plausible deniability. Think on that… Do you want to be a part of this? Would you like to be on the receiving end of the attacks? Talk about APT and your “militias,” huh? It’s all just bad idea after bad idea and will amount to nothing good or fruitful at all.
All of this tough talk is just that. It’s trying to sell a service and make people feel empowered, but in the end it will only serve to muddy the waters. From the perspectives of ethics and morality, to law, or just right and wrong, all of this smacks of bravado and hubris. The private companies of the world already have their toes in the pool, but advocating that it be done through hacking as “defense” is just the cherry on top of a shit sundae.
Everyone just stop. All of you offering the services or touting the ideas should just sit back down and shut up. Everyone cries now that the government is encroaching on their rights with regard to privacy, and you all want to push that bar even further out with offensive defense actions?