How hard do you hack back?

Protecting against intrusions has traditionally been a passive game of setting up defences and hoping they’ll hold against attackers.

If they do, great, but if not, should you retaliate and hack back?

Even if you feel like “hell yeah, retribution time!” against the incessant hordes of more or less evil digital miscreants, is it ethical, legal or even helpful to hack back?

The so called "active defences" and their consequences have been debated for a while now but the boundaries as to what’s appropriate are still being worked out.

On the one hand, using honeypots as an early warning intrusion detection system means taking an active defence stance, combined with hiding valuable data or planting bogus files, would seem a standard approach.

Similarly, you could kick it up a notch and deploy solutions that aim to identify attackers and report them to law enforcement. But beware, attacks are often hard to pinpoint accurately and misattribution of offender and intent could lead to inaccurate reports and land your organisation in hot water.

The crux here seems to be the level of aggression in the retaliation measures and, more importantly, if collateral damage is inflicted.

Things start to get more dubious with programs like the National Security Agency’s MonsterMind as revealed by its former contractor Edward Snowden in last month's big interview with him in Wired. 

MonsterMind can analyse malware attacks and, according to Snowden, hack back in retaliation. No human involvement is needed, MonsterMind will automatically determine that an attack has occurred, identify where it believes it came from and fire back.

“Firing back” wasn’t defined in the leaked documents so it’s unclear what MonsterMind does against attackers. It would be good to know if it can understand scenarios such as one nation state launching an attack against the United States while fingering another country (technically, easy to do).

The reason why that’s a good thing can be found in the latest NATO IT and network security and warfare manual [PDF]. The manual categorises cases where a cyber attack could be seen as an act of war, meaning a real war - the response may be to fire real guns, drop bombs, even invade countries.

Information security reseacher Matt “scriptjunkie” Weeks has come up with a hack-back strategy that is at the alternate end of the scale.

[Update] An earlier version of this story referred to Mr Weeks as Mike Wall. We apologise for the error.

Weeks took aim at the “Microsoft tech support” scammers who are relentlessly preying on naiive computer users with social engineering, often ripping them off to the tune of hundreds of dollars while infesting their computers with malware or remote control software.

He had a strong motive as his grandparents fell victim to tech support scammers who infected their computer.

Weeks approach to turn the tables on the scammers was to write a zero-day exploit.

There’s little doubt you don't want to be on the wrong side of Weeks. His blog outlines how he developed the remote exploit against Ammyy Admin.

The impressive program took Weeks several days worth of effort and thinking.The result is a “a metasploit module that will generate a plaintext transcript to send to the remote end” and exploit the end point trying to take over the target computer.

Leaving aside the question of legality, there are several reasons why releasing a zero-day is wrong and could possibly backfire.

First, Ammyy Admin is a legitimate commercial software that is being abused by scammers. Publishing a zero-day for the Ammyy Admin program without notification will hurt the company’s reputation. Although that wasn't Weeks’ motivation it’s pretty blindingly obvious that it could be a consequence.

Second, Weeks said: “I don’t normally release zero-day exploits, but I made an exception in this case because, given the reporting and usage of Ammyy Admin, I consider it highly unlikely to be used to compromise innocent victims.”

Highly unlikely doesn’t negate the option that it won’t ever happen but, fingers crossed, that Weeks’ zero-day won’t be abused through some ways he hadn’t considered.

Don’t get me wrong, I have no sympathy for scammers and other abusers and it would be marvellous to strike back. Doing it vigilante style, instead of cooperating and following process, carries the risk of going badly and potentially creating an even bigger mess that could be harder to solve.