Pay attention to that man behind the curtain: Current state of Hacking Back
21/05/2018 ESE - @x0rz
What is ‘Hacking Back’?
Any active countermeasure that aims to 1) limit
the adversary’s capabilities and/or 2) identify
the intruder. *
Synonyms:
- Counter-CNE
- Riposte numérique (FR)
- Contre-attaque numérique (FR)
* Disclaimer: this is my own definition
My comments are in
yellow rectangles
Motivations
1. Neutralize the threat
• LEA, botnet takedowns, …
• CNA (disrupt, deny, degrade, or destroy)
2. Characterize the attack
• Cyber Counterintelligence (Mandiant/APT1, FBI, …)
• Damage Control (« what has been stolen »)
• Counter Computer Network Exploitation (CCNE)
• « Caught red-handed » - could serve as evidence in court
3. Deter
• New doctrine: discourage hackers from entering your network because of fear of
retaliation
4. Fourth-party collection
• Stealing foreign intelligence and tools
Fourth party: done by intel agencies to monitor their adversaries
Is it something new?
Cliff Stoll (1987)
LBL>telnet Nic.arpa
Trying...
Connected to 10.0.0.51.
+-------------DDN Network Information Center--------------|
| For TAC news, type: TACNEWS <carriage return>
| For user and host information, type: WHOIS <carriage return>
| For NIC information, type: NIC <carriage return>
+---------------------------------------------------------------|
SRI-NIC, TOPS-20 Monitor 6.1(7341)-4
@Whois cia
Central Intelligence Agency (CIA)
Office of Data Processing
Washington, DC 20505
These are 4 known members:
Fishoff, J. (JF27) FISHOFF@A.ISI.EDU (703) 351-3305
Gresham, D. L. (DLG33) GRESHAM@A.ISI.EDU (703) 351-8957
Manning, Edward J. (EM44) MANNING@BBN.ARPA (703) 281-6161
Ziegler, Mary (MZ9) MARY@NNS.ARPA (703) 351-8249
One of the earliest known cases:
some random hacker caught inside
the Berkeley Lab network, browsing
the ARPANET searching for the
« CIA » keyword… Interdasting.
At the time every connection was
made through the phone system.
Tor wasn’t even a thing, but
international calls were a PITA to
trace back (because you needed
search warrants…)
Passively, you could only
establish some kind of
profile using the calling
patterns
At this point all he got
was this histogram…
does that ring a bell?
30 years later...
Yes, we’re still using the
same techniques
From a passive posture to an active hack back
lbl> who
Astro
Carter
Fermi
Meyers
Microprobe
Oppy5
Sdinet
Sventek
Turnchek
Tompkins
lbl> grep sdinet /etc/passwd
Sdln8t:sx4sd34x2:user sdinet, files in /u4/sdinet, owner sdi network project
lbl> cd /u4/sdinet
lbl> ls
file protection violation—you are not the owner.
From passive to active.
Let’s fight back in our
own territory!
lbl> ls
Connections
Form-Letter
Funding
Mailing-Labels
Pentagon-Request
Purchase-Orders
Memo-to-Gordon
Rhodes-Letter
SDI-computers
SDI-networks
SDI-Network-Proposal
User-List
World-Wide-Net
Visitor-information
The attacker was using a
0day to elevate privileges and list
files only *he* could
read. If we plant a fake
document here, only he
will get to read it.
SDI Network Project
Lawrence Berkeley Lab
Mail Stop 50-331
1 Cyclotron Road
Berkeley, CA 94720
name name
address address
city city, state state, zip zip
Dear Sir:
Thank you for your inquiry about SDINET. We are happy to
comply with your request for more information about this
network. The following documents are available from this
office. Please state which documents you wish mailed to you:
#37.6 SDINET Overview Description Document
19 pages, revised Sept, 1986
#41.7 Strategic Defense Initiative and Computer Networks:
Plans and Implementations (Conference Notes)
287 pages, revised Sept, 1986
#46.2 Strategic Defense Initiative and Computer Networks:
Plans and implementations (Conference Notes)
300 pages, June, 1986
#47.3 SDINET Connectivity Requirements
66 pages, revised April, 1986
#48.8 How to link into the SDINET
25 pages, July 1986
#49.1 X.25 and X.75 connections to SDINET
(includes Japanese, European, and Hawaii nodes)
8 pages, December, 1986
#55.2 SDINET management plan for 1986 to 1988
47 pages, November 1986
#62.7 Unclassified SDINET membership list
(includes major Milnet connections)
24 pages, November, 1986
#65.3 Classified SDINET membership list
9 pages, November, 1986
#69.1 Developments in SDINET and Sdi Disnet
28 pages, October, 1986
NUI Request Form
This form is available here, but should
be returned to the Network Control Center
Other documents are available as well. If you wish to be added to
our mailing list, please request so.
Because of the length of these documents, we must use the postal
service.
Please send your request to the above address, attention Mrs.
Barbara Sherwin.
The next high level review for SDINET is scheduled for 20
February, 1987. Because of this, all requests for documents
must be received by us no later than close of business on
11 February, 1987. Requests received later than this date may
be delayed.
Sincerely yours,
Mrs. Barbara Sherwin
Documents Secretary
SDINET Project
Honeypot strategy: the attacker needs to
send a postal letter to get more
confidential data… hence leaking his
source address if he ever sends a
letter (honeytoken).
KGB front office. Yup, it works.
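As an added example (not code from the slides), a small honeytoken registry in the spirit of Stoll's mailed-letter bait: every planted decoy gets its own HMAC-signed beacon URL, and a scan of ordinary web-server access logs tells you which decoy was opened and from which address, while forged or unknown tokens are ignored rather than raising false alerts. The beacon host, secret, decoy names and log lines are constructed for this example.

```python
"""Honeytoken beacons: one signed URL per planted decoy, alerts from access logs."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Apache/nginx "combined" access-log format; the sample lines in demo() use it.
LOG_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# Beacon path: /t/<token id>.<mac>, optional query string (e.g. added by a viewer).
BEACON_PATH = re.compile(r'^/t/(?P<token>[0-9a-f]+\.[0-9a-f]+)(?:\?.*)?$')


@dataclass(frozen=True)
class Alert:
    decoy: str        # which planted document was opened
    remote_addr: str  # where the request came from
    timestamp: str
    user_agent: str


class HoneytokenRegistry:
    """Mints one beacon per decoy and verifies callbacks before alerting."""

    def __init__(self, secret: bytes, base_url: str = "https://beacon.example.invalid/t/"):
        if len(secret) < 16:
            raise ValueError("use a secret of at least 16 bytes")
        self._secret = secret
        self.base_url = base_url          # constructed beacon host
        self._decoys: Dict[str, str] = {}  # token id -> decoy name

    def _mac(self, token_id: str) -> str:
        # Truncated HMAC tag: a scanner guessing ids cannot forge a valid beacon.
        return hmac.new(self._secret, token_id.encode(), hashlib.sha256).hexdigest()[:16]

    def mint(self, decoy: str, token_id: Optional[str] = None) -> str:
        """Create the beacon URL to embed in one decoy document."""
        token_id = token_id or secrets.token_hex(8)
        self._decoys[token_id] = decoy
        return f"{self.base_url}{token_id}.{self._mac(token_id)}"

    def resolve(self, token: str) -> Optional[str]:
        """Return the decoy name for '<id>.<mac>', or None if forged/unknown."""
        token_id, _, mac = token.partition(".")
        if not token_id or not hmac.compare_digest(mac, self._mac(token_id)):
            return None
        return self._decoys.get(token_id)

    def alerts_from_log(self, lines: Iterable[str]) -> List[Alert]:
        """Turn beacon hits in access-log lines into alerts (who read what, from where)."""
        alerts: List[Alert] = []
        for line in lines:
            m = LOG_RE.match(line)
            if not m:
                continue
            p = BEACON_PATH.match(m["path"])
            if not p:
                continue
            decoy = self.resolve(p["token"])
            if decoy is None:
                continue  # unknown or forged token: noise, not an alert
            alerts.append(Alert(decoy, m["addr"], m["ts"], m["ua"]))
        return alerts


def demo() -> List[Alert]:
    """Plant two decoys, then scan constructed access-log lines for beacon hits."""
    reg = HoneytokenRegistry(b"constructed-demo-secret-change-me")
    url_list = reg.mint("SDINET membership list", token_id="1a2b3c4d5e6f7a8b")
    url_plan = reg.mint("SDINET management plan", token_id="0f0e0d0c0b0a0908")
    forged = url_list.rsplit(".", 1)[0] + ".0000000000000000"  # valid id, wrong MAC

    def path(url: str) -> str:
        return "/t/" + url.rsplit("/", 1)[1]

    log = [  # constructed sample lines (documentation-only IP ranges)
        f'203.0.113.7 - - [20/Feb/1987:09:15:02 +0000] "GET {path(url_list)} HTTP/1.1" 200 43 "-" "Mozilla/5.0 (constructed)"',
        '198.51.100.9 - - [20/Feb/1987:09:16:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.0"',
        f'198.51.100.9 - - [20/Feb/1987:09:17:01 +0000] "GET {path(forged)} HTTP/1.1" 404 0 "-" "curl/7.0"',
        f'192.0.2.33 - - [21/Feb/1987:11:02:55 +0000] "GET {path(url_plan)}?v=1 HTTP/1.1" 200 43 "-" "Word/16.0 (constructed)"',
    ]
    return reg.alerts_from_log(log)


if __name__ == "__main__":
    for a in demo():
        print(f"[ALERT] decoy '{a.decoy}' opened from {a.remote_addr} at {a.timestamp} ({a.user_agent})")
```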
[Diagram: Final target / Intermediary target / Bait / honeypot; Neutralize / Characterize]
There are different kinds of hack back scenarios.
The Pyramid of Pain, hack back edition
How Deep Are You (back) In?
From hard (top) to easy (bottom):
• Dox: ultimate goal (full pwnage) = cameras, PII (passport scan, real identities, …)
• Internal infrastructure: a step inside the attacker’s network: internal tools, TTPs, real-time tracking
• External infrastructure takeover: getting an extensive list of personas, cover e-mail addresses, infrastructure data (ORBs/proxies, …)
• Single C2 takeover: single auxiliary C2, not much data except if opsec fails
• Active Defense (honeytokens + beacons): alerts when sensitive documents are read (and where from)
• Passive Defense (IDS / antivirus / honeypot): alerts when probed/scanned/infected (very noisy)
Original Pyramid of Pain (DFIR): https://detect-respond.blogspot.fr/2013/03/the-pyramid-of-pain.html
CERT-GOV-GE (2012)
http://dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf
Pain level: Dox
Pain level: maximal, we got the
attacker’s face and a full botnet
compromise. Also, note that RU
actors were searching for « CIA »
keywords as well… things never
change?
AIVD / APT29 (2014, publicly released in 2018)
Pain level: Dox
Interestingly, we can ask ourselves
why this is leaking now. Could this
serve some deterrence policy?
Daily (public) examples
Hacking Team (2015)
Pain level: full compromise https://pastebin.com/0SNSvyjJ
This isn’t a Counter-CNE op, but it’s
a very good example of asymmetry:
a 0day vendor got breached with
simple tools and bad password
management. Hacking Team is a
poorly shod shoemaker, like many
others.
ZooPark (2018)
Pain level: C2 takeover
WannaCry (2018)
Pain level: DNS hijack
• A few hours after the malware was detected, Marcus Hutchins (MalwareTech)
registered the iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
domain name that was (supposedly) an anti-analysis feature
• By doing this active countermeasure he prevented further infections (= neutralized)
Actionable Intel: the list of IP addresses of infected machines
Typical example showing that everybody can
partake in hack back, even if you’re
not the direct target.
ProtonMail (2017)
A hacker has tried to hack you. Read about phishing
attacks and how to protect yourself from them
here: https://en.wikipedia.org/wiki/Phishing
Best,
A good person that protected you from this attempt
http://www.sps-perbanas.ac.id/foto/rito/ikeman/protonmail/
Pain level: Single takeover
OPSEC
First rule of the hackback club: do not talk
about the hackback
20% of people think this was a bad
idea… and they’re right! Because
(see next slide)
Collateral damage
First, you don’t know who you’re
hacking back, and secondly you’re
attacking computers in the neutral
space: the user isn’t the owner (e.g. a
threat actor using OVH).
A320-X DRM
• Flight Simulator X addon developed by FlightSimLabs
• Cost $100
• FSLabs_A320X_P3D_v2.0.1.231.exe
> test.exe
"Test.exe" is part of the DRM and is only targeted against specific pirate
copies of copyrighted software obtained illegally. – CEO Lefteris Kalamaras
Prime example of what is WRONG
to do. This company tried to make
their own DRM using malware to
‘hack-back’ pirates.
A320-X DRM
• FSLabs_A320X_P3D_v2.0.1.231.exe
Pain level: code exec
Actionable Intel: login/password of pirated-copy users
Failed attempt at ‘hacking back’ pirated-copy users
Pervade Software
https://motherboard.vice.com/en_us/article/newd88/this-uk-company-is-making-it-easier-for-private-companies-to-hack-back
What about other legitimate users on the same IP range?
DDoS? Lame… it’s like using napalm
in a dense urban environment,
you’re going to get collateral
damages for sure.
Limits
• Technical
  • How does the adversary protect itself (opsec)?
  • Fog of war: false flags & tool reuse (third-party)
• Legal
  • What do I have the right to do?
• Ethics
  • What is the right thing to do?
Fifty Shades of Grey Hat
Active Cyber Defense Certainty Act
• US bill introduced on 10/12/2017
• (6) Congress determines that the use of active cyber defense techniques, when
properly applied, can also assist in improving defenses and deterring cybercrimes.
• (7) Congress also acknowledges that many private entities are increasingly concerned
with stemming the growth of dark web based cyber-enabled crimes. The Department
of Justice should attempt to clarify the proper protocol for entities who are engaged
in active cyber defense in the dark web so that these defenders can return private
property such as intellectual property and financial records gathered inadvertently.
• (9) Computer defenders should also exercise extreme caution to avoid violating the
law of any other nation where an attacker’s computer may reside.
• (10) Congress holds that active cyber defense techniques should only be used by
qualified defenders with a high degree of confidence in attribution, and that extreme
caution should be taken to avoid impacting intermediary computers or resulting in an
escalatory cycle of cyber activity.
EXCLUSION FROM PROSECUTION FOR CERTAIN COMPUTER CRIMES
FOR THOSE TAKING ACTIVE CYBER DEFENSE MEASURES.
There are some good ideas there, but also a lot
of misunderstanding from the lawmakers…
they clearly don’t get what cyber is.
IANAL - self-defence
French law (Article 122-5 of the Penal Code)
A person is not criminally liable who, faced with an unjustified attack on themselves or another person,
performs, at the same time, an act required by the necessity of self-defence of themselves or of another,
unless there is a disproportion between the means of defence used and the seriousness
of the attack.
A person is not criminally liable who, in order to interrupt the commission of a crime or an
offence against property, performs an act of defence, other than intentional homicide, when that act is
strictly necessary for the aim pursued, provided that the means used are proportionate to the
seriousness of the offence.
You can interrupt the execution of a crime or an offence
against you or against property (physical or digital)
if:
necessity of self-defence + seriousness of the attack + proportionality.
In France we have a law called « Self-Defence »
that could be interpreted in the cyber domain,
although it’s very difficult to prove the
‘necessity’ of a hack-back.
Key takeaways
• Everybody serious about cyber does it consciously or unconsciously
• If you do, don’t talk about it
• Grey area – not regulated
• High risk of collateral damage
• In 90% of the cases you don’t know who you’re hacking back
• We certainly need a legal framework for a right to actively defend
yourself
• If the collateral damage can be controlled/limited
• Proportionate & fair
• In France, PASSI-like certified hack backs?
• 📈 Hot topic – increasing activity
Open for discussion
@x0rz