Pay attention to that man
behind the curtain
Current state of Hacking Back
21/05/2018 ESE - @x0rz
What is ‘Hacking Back’?
Any active countermeasure that aims to 1) limit
the adversary’s capabilities and/or 2) identify
the intruder. *
Synonyms:
- Counter-CNE
- Riposte numérique (FR)
- Contre-attaque numérique (FR)
* Disclaimer: this is my own definition
My comments are in
yellow rectangles
Motivations
1. Neutralize the threat
• LEA, botnet takedowns, …
• CNA (disrupt, deny, degrade, or destroy)
2. Characterize the attack
• Cyber Counterintelligence (Mandiant/APT1, FBI, …)
• Damage Control (« what has been stolen »)
• Counter Computer Network Exploitation (CCNE)
• « Caught red-handed » - could serve as evidence in court
3. Deter
• New doctrine: discourage hackers from entering your network because of fear of
retaliation
4. Fourth-party collection
• Stealing foreign intelligence and tools
Fourth party: done by intel agencies to monitor their adversaries
Is it something new?
Cliff Stoll (1987)
LBL>telnet Nic.arpa
Trying...
Connected to 10.0.0.51.
+-------------DDN Network Information Center--------------|
| For TAG news, type: TACNEW8 <carriage return>
| For user and host Information, type: WHOIS <carriage return>
| For NIC Information, type: NIC <carriage return>
+---------------------------------------------------------------|
SBI-NIC, TOPS-20 Monitor 6.1(7341)-4
@Whois cia
Central Intelligence Agency (CIA)
Office of Data Processing
Washington, DC 20505
These are 4 known members:
Plschoff, J. (JF27) FISHOFF@A.ISI.EDU (703) 351-3305
Gresham, D. L (DLG33) GRESHAM@A.ISI.EDU (703) 351-8957
Manning, Edward J. (EM44) MANNDfG@BBN.ARPA (703) 281-6161
Ziegler, Mary (MZ9) MARY@NNS.ARPA (703) 351-8249
One of the earliest known cases.
Some random hacker caught inside
the Berkeley Lab network, browsing
the ARPANET searching for the
« CIA » keyword… Interdasting.
At the time every connection was
made through the phone system.
Tor wasn’t even a thing, but
international calls were a PITA to
trace back (because you needed
search warrants…)
Passively, you could only
establish some kind of
profile using the calling
patterns
At this point all he got
was this histogram…
does that ring any bell?
30 years later...
Yes, we’re still using the
same techniques
From a passive posture to an active hack back
lbl> who
Astro
Carter
Fermi
Meyers
Microprobe
Oppy5
Sdinet
Sventek
Turnchek
Tompkins
lbl> grep sdinet /etc/passwd
Sdln8t:sx4sd34x2:user sdinet, files in /u4/sdinet, owner sdi network project
lbl> cd /u4/sdinet
lbl> ls
file protection violation—you are not the owner.
From passive to active.
Let’s fight back in our
own territory!
lbl> ls
Connections
Form-Letter
Funding
Mailing-Labels
Pentagon-Request
Purchase-Orders
Memo-to-Gordon
Rhodes-Letter
SDI-computers
SDI-networks
SDI-Network-Proposal
User-List
World-Wide-Net
Visitor-information
The attacker was using a
0day to elevate privileges and list
files only *he* could
read. If we plant a fake
document here, only he
will get to read it.
SDI Network Project
Lawrence Berkeley Lab
Mail Stop 50-331
1 Cyclotron Road
Berkeley, CA 94720
name name
address address
city city, state state, zip zip
Dear Sir:
Thank you for your inquiry about SDINET. We are happy to
comply with your request for more information about this
network. The following documents are available from this
office. Please state which documents you wish mailed to you:
#37.6 SDINET Overview Description Document
19 pages, revised Sept, 1986
#41.7 Strategic Defense Initiative and Computer Networks:
Plans and Implementations (Conference Notes)
287 pages, revised Sept, 1986
#46.2 Strategic Defense Initiative and Computer Networks:
Plans and implementations (Conference Notes)
300 pages, June, 1986
#47.3 SDINET Connectivity Requirements
66 pages, revised April, 1986
#48.8 How to link into the SDINET
25 pages, July 1986
#49.1 X.25 and X.75 connections to SDINET
(includes Japanese, European, and Hawaii nodes)
8 pages, December, 1986
#55.2 SDINET management plan for 1986 to 1988
47 pages, November 1986
#62.7 Unclassified SDINET membership list
(includes major Milnet connections)
24 pages, November, 1986
#65.3 Classified SDINET membership list
9 pages, November, 1986
#69.1 Developments in SDINET and Sdi Disnet
28 pages, October, 1986
NUI Request Form
This form is available here, but should
be returned to the Network Control Center
Other documents are available as well. If you wish to be added to
our mailing list, please request so.
Because of the length of these documents, we must use the postal
service.
Please send your request to the above address, attention Mrs.
Barbara Sherwin.
The next high level review for SDINET is scheduled for 20
February, 1987. Because of this, all requests for documents
must be received by us no later than close of business on
11 February, 1987. Requests received later than this date may
be delayed.
Sincerely yours,
Mrs. Barbara Sherwin
Documents Secretary
SDINET Project
Honeypot strategy: the attacker needs to
send a postal letter to get more
confidential data… hence leaking his
source address if he ever sends a
letter (honeytoken).
[Diagram: final target (bait / honeypot) → intermediary target → KGB front office; the two outcomes are labelled “Neutralize” and “Characterize”] Yup, it works.
There are different kinds of hack back scenarios
The Pyramid of Pain, hack back edition (hardest at the top, easiest at the bottom)
• Dox (hard): ultimate goal (full pwnage) = cameras, PII (passport scan, real identities, …)
• Internal infrastructure: a step inside the attacker’s network: internal tools, TTPs, real-time tracking
• External infrastructure takeover: getting an extensive list of personas, cover e-mail addresses, infrastructure data (ORBs/proxies, …)
• Single C2 takeover: single auxiliary C2, not much data except if opsec fails
• Active Defense (honeytokens + beacons): alerts when sensitive documents are read (and where from)
• Passive Defense (IDS / antivirus / honeypot) (easy): alerts when probed/scanned/infected (very noisy)
How Deep Are You (back) In?
Original Pyramid of Pain DFIR https://detect-respond.blogspot.fr/2013/03/the-pyramid-of-pain.html
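Stoll’s bait letter is a honeytoken: the only way to get more is through a channel that reveals the reader. The same idea at the “Active Defense (honeytokens + beacons)” level of the pyramid, as an added Python example that is not part of the original talk: every planted copy of a bait document carries its own beacon URL, and the collector’s access log is parsed to say which copy was read and from which source address. The host beacon.example.net, the /r/<token>.png path and the log lines are all constructed for this example.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Hypothetical collector host (constructed for this example). The beacon URL is
# embedded in the bait document, e.g. as a remote image reference, so that simply
# opening the document makes the reader's machine fetch it.
BEACON_HOST = "beacon.example.net"


@dataclass(frozen=True)
class Honeytoken:
    token: str        # unguessable identifier, unique per planted copy
    document: str     # which bait document carries it
    planted_at: str   # where that copy was planted (share, mailbox, host, ...)


@dataclass(frozen=True)
class Alert:
    token: Honeytoken
    source_ip: str
    timestamp: str
    user_agent: str


class HoneytokenRegistry:
    """Mints one token per planted copy and resolves beacon hits back to that copy."""

    def __init__(self) -> None:
        self._by_token: Dict[str, Honeytoken] = {}

    def mint(self, document: str, planted_at: str) -> Honeytoken:
        # 128 random bits: a scanner cannot guess a registered token, so every hit
        # on one is a genuine read of that specific copy, not probe noise.
        tok = Honeytoken(secrets.token_hex(16), document, planted_at)
        self._by_token[tok.token] = tok
        return tok

    def beacon_url(self, tok: Honeytoken) -> str:
        return f"https://{BEACON_HOST}/r/{tok.token}.png"

    def lookup(self, token: str) -> Optional[Honeytoken]:
        return self._by_token.get(token)


# Apache/nginx "combined" access log format; the sample lines below are constructed.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
_BEACON_PATH_RE = re.compile(r"^/r/(?P<token>[0-9a-f]{32})\.png$")


def parse_access_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = _LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_beacon_hits(lines: Iterable[str], registry: HoneytokenRegistry) -> List[Alert]:
    """Turn beacon fetches into alerts saying which planted copy was read and from where.

    Malformed lines, other paths and unregistered tokens are dropped: they are the
    'very noisy' scanner traffic at the bottom of the pyramid, not a read of our bait.
    """
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        pm = _BEACON_PATH_RE.match(rec["path"])
        if pm is None:
            continue
        tok = registry.lookup(pm.group("token"))
        if tok is None:
            continue
        alerts.append(Alert(tok, rec["ip"], rec["ts"], rec["ua"]))
    return alerts


def demo() -> List[Alert]:
    """Plant two copies of one bait document, then replay constructed access-log lines."""
    reg = HoneytokenRegistry()
    share_copy = reg.mint("SDINET-membership-list.docx", "fileserver01:/u4/sdinet")
    mail_copy = reg.mint("SDINET-membership-list.docx", "mailbox:sherwin")
    guessed = "0" * 32  # a well-formed but never-issued token
    sample_log = [
        f'203.0.113.42 - - [21/May/2018:10:15:32 +0000] "GET /r/{share_copy.token}.png HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [21/May/2018:10:16:01 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/7.58"',
        f'198.51.100.7 - - [21/May/2018:10:16:05 +0000] "GET /r/{guessed}.png HTTP/1.1" 404 0 "-" "curl/7.58"',
        "this line is not in combined log format",
        f'192.0.2.9 - - [21/May/2018:11:02:47 +0000] "GET /r/{mail_copy.token}.png HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
    ]
    return detect_beacon_hits(sample_log, reg)


if __name__ == "__main__":
    for a in demo():
        print(f"ALERT: {a.token.document} (planted at {a.token.planted_at}) "
              f"read from {a.source_ip} at {a.timestamp} [{a.user_agent}]")
```

Because each copy gets its own token, an alert names the exact share or mailbox the attacker reached, which is the “where from” the pyramid level asks for.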
CERT-GOV-GE (2012)
http://dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf
Pain level: Dox
Pain level: maximal, we got the
attacker’s face and full botnet
compromise. Also, note that RU
actors were searching for « CIA »
keywords as well… things never
change?
AIVD / APT29 (2014, publicly released in 2018)
Pain level: Dox
Interestingly, we can ask ourselves
why this is leaking now. Could this
serve some deterrence policy?
Daily (public) examples
Hacking Team (2015)
Pain level: full compromise https://pastebin.com/0SNSvyjJ
This isn’t a Counter-CNE op, but it’s
a very good example of asymmetry:
a 0day vendor got breached with
simple tools and bad password
management. Hacking Team is a
poorly shod shoemaker, like many
others.
ZooPark (2018)
Pain level: C2 takeover
WannaCry (2018)
Pain level: DNS hijack
• A few hours after the malware was detected, Marcus Hutchins (MalwareTech)
registered the iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
domain name that was (supposedly) an anti-analysis feature
• By doing this active countermeasure he prevented further infections (= neutralized)
Actionable Intel: the list of IP addresses of infected machines
A typical example: everybody can
partake in hack back, even if you’re
not the direct target.
ProtonMail (2017)
A hacker have tried to hack you. Read about phishing
attacks and how to protect yourself from
here: https://en.wikipedia.org/wiki/Phishing
Best,
A good person that protected you from this attempt
http://www.sps-perbanas.ac.id/foto/rito/ikeman/protonmail/
Pain level: Single takeover
OPSEC
First rule of the hackback club: do not talk
about the hackback
20% of people think this was a bad
idea… and they’re right! Because
(see next slide)
Collateral damage
First, you don’t know who you’re
hacking back, and secondly you’re
attacking computers in the neutral
space: the user isn’t the owner (e.g.
a threat actor using OVH).
A320-X DRM
• Flight Simulator X addon developed by FlightSimLabs
• Cost $100
• FSLabs_A320X_P3D_v2.0.1.231.exe
> test.exe
"Test.exe" is part of the DRM and is only targeted against specific pirate
copies of copyrighted software obtained illegally. – CEO Lefteris Kalamaras
Prime example of what is WRONG
to do. This company tried to make
their own DRM using malware to
‘hack-back’ pirates.
A320-X DRM
• FSLabs_A320X_P3D_v2.0.1.231.exe
Pain level: code exec
Actionable Intel: login/password of pirated-copy users
Failed attempt at ‘hacking back’ users of pirated copies
Pervade Software
https://motherboard.vice.com/en_us/article/newd88/this-uk-company-is-making-it-easier-for-private-companies-to-hack-back
What about other legitimate users on the same IP range?
DDoS? Lame… it’s like using napalm
in a dense urban environment,
you’re going to get collateral
damage for sure.
Limits
• Technical
• How does the adversary protect itself (opsec)
• Fog of war: false flag & tool reuse (third-party)
• Legal
• What I have the right to do
• Ethics
• What is the right thing to do
Fifty Shades of Grey Hat
Active Cyber Defense Certainty Act
• US bill introduced on 10/12/2017
• (6) Congress determines that the use of active cyber defense techniques, when
properly applied, can also assist in improving defenses and deterring cybercrimes.
• (7) Congress also acknowledges that many private entities are increasingly concerned
with stemming the growth of dark web based cyber-enabled crimes. The Department
of Justice should attempt to clarify the proper protocol for entities who are engaged
in active cyber defense in the dark web so that these defenders can return private
property such as intellectual property and financial records gathered inadvertently.
• (9) Computer defenders should also exercise extreme caution to avoid violating the
law of any other nation where an attacker’s computer may reside.
• (10) Congress holds that active cyber defense techniques should only be used by
qualified defenders with a high degree of confidence in attribution, and that extreme
caution should be taken to avoid impacting intermediary computers or resulting in an
escalatory cycle of cyber activity.
EXCLUSION FROM PROSECUTION FOR CERTAIN COMPUTER CRIMES
FOR THOSE TAKING ACTIVE CYBER DEFENSE MEASURES.
There are some good ideas there, but also a lot
of misunderstanding from the lawmakers…
they clearly are not getting what cyber is.
IANAL - self-defence
French law (Article 122-5 of the Penal Code)
A person who, faced with an unjustified attack on themselves or another, performs, at the
same time, an act commanded by the necessity of the legitimate defence of themselves or
another, is not criminally liable, unless there is a disproportion between the means of defence
employed and the seriousness of the attack.
A person who, in order to interrupt the commission of a crime or an offence against property,
performs an act of defence, other than an intentional homicide, is not criminally liable when
that act is strictly necessary for the aim pursued, provided that the means employed are
proportionate to the seriousness of the offence.
You can interrupt the execution of a crime or an offence
against you or a property (physical or digital)
if
Necessity of self-defence + seriousness of attack + proportionate
In France we have a law called « Self-Defence »
that could be interpreted in the cyber domain,
although it’s very difficult to prove the
‘necessity’ of a hack-back.
Key takeaways
• Everybody serious about cyber does it consciously or unconsciously
• If you do, don’t talk about it
• Grey area – not regulated
• High risk of collateral damage
• In 90% of the cases you don’t know who you’re hacking back
• We certainly need a legal framework for a right to actively defend
yourself
• If the collateral damage can be controlled/limited
• Proportionate & fair
• In France, PASSI-like certified hack backs?
• 📈 Hot topic – increasing activity
?DE RIPOSTE
Open for discussion
@x0rz

Weitere ähnliche Inhalte

Was ist angesagt?

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE
 
Keynote fx try harder 2 be yourself
Keynote fx   try harder 2 be yourselfKeynote fx   try harder 2 be yourself
Keynote fx try harder 2 be yourselfDefconRussia
 
Some things about LAN device detection
Some things about LAN device detectionSome things about LAN device detection
Some things about LAN device detectionCanaan Kao
 
Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09Angelill0
 
Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6FRSecure
 
Mist2012 panel discussion-ruo ando
Mist2012 panel discussion-ruo andoMist2012 panel discussion-ruo ando
Mist2012 panel discussion-ruo andoRuo Ando
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious CodeSatria Ady Pradana
 
Advanced Persistent Threats Cutting Through The Hype
Advanced Persistent Threats Cutting Through The HypeAdvanced Persistent Threats Cutting Through The Hype
Advanced Persistent Threats Cutting Through The HypeSymantec
 
Slide Deck CISSP Class Session 7
Slide Deck CISSP Class Session 7Slide Deck CISSP Class Session 7
Slide Deck CISSP Class Session 7FRSecure
 

Was ist angesagt? (16)

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
 
Penetrationtestinglovesfreesoftware libreplaner2017-christianfernandez-hispag...
Penetrationtestinglovesfreesoftware libreplaner2017-christianfernandez-hispag...Penetrationtestinglovesfreesoftware libreplaner2017-christianfernandez-hispag...
Penetrationtestinglovesfreesoftware libreplaner2017-christianfernandez-hispag...
 
Cisel1 d
Cisel1 dCisel1 d
Cisel1 d
 
07security
07security07security
07security
 
Dracos forensic flavor
Dracos forensic flavorDracos forensic flavor
Dracos forensic flavor
 
Sectools
SectoolsSectools
Sectools
 
aaa
aaaaaa
aaa
 
Keynote fx try harder 2 be yourself
Keynote fx   try harder 2 be yourselfKeynote fx   try harder 2 be yourself
Keynote fx try harder 2 be yourself
 
Some things about LAN device detection
Some things about LAN device detectionSome things about LAN device detection
Some things about LAN device detection
 
Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09
 
Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6
 
Mist2012 panel discussion-ruo ando
Mist2012 panel discussion-ruo andoMist2012 panel discussion-ruo ando
Mist2012 panel discussion-ruo ando
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
 
Network security
Network securityNetwork security
Network security
 
Advanced Persistent Threats Cutting Through The Hype
Advanced Persistent Threats Cutting Through The HypeAdvanced Persistent Threats Cutting Through The Hype
Advanced Persistent Threats Cutting Through The Hype
 
Slide Deck CISSP Class Session 7
Slide Deck CISSP Class Session 7Slide Deck CISSP Class Session 7
Slide Deck CISSP Class Session 7
 

Ähnlich wie Pay attention to that man behind the curtain: Current state of Hacking Back

CrowdSec A-Round Fundraising Deck
CrowdSec A-Round Fundraising DeckCrowdSec A-Round Fundraising Deck
CrowdSec A-Round Fundraising DeckCrowdSec
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingSteve Phillips
 
HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!F _
 
Rootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise DetectionRootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise Detectionamiable_indian
 
Nastiest Malware 2021
Nastiest Malware 2021Nastiest Malware 2021
Nastiest Malware 2021tsevier
 
Capture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseCapture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseFidelis Cybersecurity
 
Module 3 (scanning)
Module 3 (scanning)Module 3 (scanning)
Module 3 (scanning)Wail Hassan
 
SEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill ChainSEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill ChainErik Van Buggenhout
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
Ethical Hacking Overview
Ethical Hacking OverviewEthical Hacking Overview
Ethical Hacking OverviewSubhoneel Datta
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primeramiable_indian
 
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008eLiberatica
 
Offensive Security basics part 1
Offensive Security basics  part 1Offensive Security basics  part 1
Offensive Security basics part 1wharpreet
 
Hacking And Its Prevention
Hacking And Its PreventionHacking And Its Prevention
Hacking And Its PreventionDinesh O Bareja
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Alexander Kot
 
Ethical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its ProspectsEthical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its ProspectsRwik Kumar Dutta
 

Ähnlich wie Pay attention to that man behind the curtain: Current state of Hacking Back (20)

CrowdSec A-Round Fundraising Deck
CrowdSec A-Round Fundraising DeckCrowdSec A-Round Fundraising Deck
CrowdSec A-Round Fundraising Deck
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration Testing
 
HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!
 
Rootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise DetectionRootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise Detection
 
Nastiest Malware 2021
Nastiest Malware 2021Nastiest Malware 2021
Nastiest Malware 2021
 
Capture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseCapture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception Defense
 
Module 3 (scanning)
Module 3 (scanning)Module 3 (scanning)
Module 3 (scanning)
 
Honeypot Project
Honeypot ProjectHoneypot Project
Honeypot Project
 
SEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill ChainSEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill Chain
 
Network Security
Network SecurityNetwork Security
Network Security
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
Ethical Hacking Overview
Ethical Hacking OverviewEthical Hacking Overview
Ethical Hacking Overview
 
ACTIVITY1 FCS.pptx
ACTIVITY1 FCS.pptxACTIVITY1 FCS.pptx
ACTIVITY1 FCS.pptx
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on Honeypots
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
 
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008
 
Offensive Security basics part 1
Offensive Security basics  part 1Offensive Security basics  part 1
Offensive Security basics part 1
 
Hacking And Its Prevention
Hacking And Its PreventionHacking And Its Prevention
Hacking And Its Prevention
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.
 
Ethical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its ProspectsEthical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its Prospects
 

Kürzlich hochgeladen

PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.KathleenAnnCordero2
 
The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringThe 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringSebastiano Panichella
 
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxAnne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxnoorehahmad
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationNathan Young
 
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...Henrik Hanke
 
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comSaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comsaastr
 
miladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxmiladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxCarrieButtitta
 
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory  affair 1st sem CRRINDIAN GCP GUIDELINE. for Regulatory  affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRRsarwankumar4524
 
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSimulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSebastiano Panichella
 
Genshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxGenshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxJohnree4
 
Quality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for  RA (1ST SEMQuality by design.. ppt for  RA (1ST SEM
Quality by design.. ppt for RA (1ST SEMCharmi13
 
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC  - NANOTECHNOLOGYPHYSICS PROJECT BY MSC  - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGYpruthirajnayak525
 
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...marjmae69
 
Early Modern Spain. All about this period
Early Modern Spain. All about this periodEarly Modern Spain. All about this period
Early Modern Spain. All about this periodSaraIsabelJimenez
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxmavinoikein
 
Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸mathanramanathan2005
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power
 
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRachelAnnTenibroAmaz
 
Chizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck.  .pptxChizaram's Women Tech Makers Deck.  .pptx
Chizaram's Women Tech Makers Deck. .pptxogubuikealex
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxaryanv1753
 

Kürzlich hochgeladen (20)

PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
 
The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringThe 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software Engineering
 
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxAnne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism Presentation
 
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
 
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comSaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
 
miladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxmiladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptx
 
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory  affair 1st sem CRRINDIAN GCP GUIDELINE. for Regulatory  affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
 
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSimulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
 
Genshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxGenshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptx
 
Quality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for  RA (1ST SEMQuality by design.. ppt for  RA (1ST SEM
Quality by design.. ppt for RA (1ST SEM
 
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC  - NANOTECHNOLOGYPHYSICS PROJECT BY MSC  - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
 
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
 
Early Modern Spain. All about this period
Early Modern Spain. All about this periodEarly Modern Spain. All about this period
Early Modern Spain. All about this period
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptx
 
Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
 
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
 
Chizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck.  .pptxChizaram's Women Tech Makers Deck.  .pptx
Chizaram's Women Tech Makers Deck. .pptx
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptx
 

Pay attention to that man behind the curtain: Current state of Hacking Back

  • 1. Pay attention to that man behind the curtain Current state of Hacking Back 21/05/2018 ESE - @x0rz
  • 2. What is ‘Hacking Back’? Any active countermeasure that aims to 1) limit the adversary’s capabilities and/or 2) identify the intruder. * Synonyms: - Counter-CNE - Riposte numérique (FR) - Contre-attaque numérique (FR) * Disclaimer: this is my own definition My comments are in yellow rectangles
  • 3. Motivations 1. Neutralize the threat • LEA, botnet takedowns, … • CNA (disrupt, deny, degrade, or destroy) 2. Characterize the attack • Cyber Counterintelligence (Mandiant/APT1, FBI, …) • Damage Control (« what has been stolen ») • Counter Computer Network Exploitation (CCNE) • « Caught red-handed » - could serve as evidence in court 3. Deter • New doctrine: discourage hackers from entering your network because of fear of retaliation 4. Fourth-party collection • Stealing foreign intelligence and tools
  • 4. Fourth party: done by intel agencies to monitor their adversaries
  • 5.
  • 7. Cliff Stoll (1987) LBL>telnet Nic.arpa Trying... Connected to 10.0.0.51. +-------------DDN Network Information Center--------------| | For TAG news, type: TACNEW8 <carriage return> | For user and host Information, type: WHOIS <carriage return> | For NIC Information, type: NIC <carriage return> +---------------------------------------------------------------| SBI-NIC, TOPS-20 Monitor 6.1(7341)-4 @Whois cia Central Intelligence Agency (CIA) Office of Data Processing Washington, DC 20505 These are 4 known members: Plschoff, J. (JF27) FISHOFF@A.ISI.EDU (703) 351-3305 Gresham, D. L (DLG33) GRESHAM@A.ISI.EDU (703) 351-8957 Manning, Edward J. (EM44) MANNDfG@BBN.ARPA (703) 281-6161 Ziegler, Mary (MZ9) MARY@NNS.ARPA (703) 351-8249 One of the earliest known cases: some random hacker caught inside the Berkeley Lab network, browsing the ARPANET searching for the « CIA » keyword… Interdasting.
  • 8. At the time every connection was made through the phone system. Tor wasn’t even a thing, but international calls were a PITA to trace back (because you needed search warrants…)
  • 9. Passively, you could only establish some kind of profile using the calling patterns
  • 10. At this point all he got was this histogram… does that ring any bell?
  • 11. 30 years later... Yes, we’re still using the same techniques
  • 12. From a passive posture to an active hack back
  • 13. lbl> who Astro Carter Fermi Meyers Microprobe Oppy5 Sdinet Sventek Turnchek Tompkins lbl> grep sdinet /etc/passwd Sdln8t:sx4sd34x2:user sdinet, files in /u4/sdinet, owner sdi network project lbl> cd /u4/sdinet lbl> ls file protection violation—you are not the owner. From passive to active. Let’s fight back in our own territory!
  • 15. SDI Network Project Lawrence Berkeley Lab Mail Stop 50-331 1 Cyclotron Road Berkeley. CA 94720 name name address address city city, state state, zip zip Dear Sir: Thank you for your Inquiry about SDINET. We are happy to comply with your request for more information about this network. The following documents are available from this office. Please state which documents you wish mailed to you: #37.6 SDINET Overview Description Document 19 pages, revised Sept, 1986 #41.7 Strategic Defense Initiative and Computer Networks: Plans and Implementations (Conference Notes) 287 pages, revised Sept, 1986 #46.2 Strategic Defense Initiative and Computer Networks: Plans and implementations (Conference Notes) 300 pages, June, 1986 #47.3 SDINET Connectivity Requirements 66 pages, revised April, 1986 #48.8 How to link into the SDINET 25 pages, July 1986 #49.1 X.25 and X.75 connections to SDINET (includes Japanese, European, and Hawaii nodes) 8 pages, December, 1986 #55.2 SDINET management plan for 1986 to 1988 47 pages, November 1986 #62.7 Unclassified SDINET membership list (includes major Milnet connections) 24 pages, November, 1986 #65.3 Classified SDINET membership list 9 pages, November, 1986 #69.1 Developments in SDINET and Sdi Disnet 28 pages, October, 1986 NUI Request Form This form is available here, but should be returned to the Network Control Center Other documents are available as well If you wish to be added to our mailing list, please request so. Because of the length of these documents, we must use the postal service. Please send your request to the above address, attention Mrs. Barbara Sherwin. The next high level review for SDINET is scheduled for 20 February, 1987. Because of this, all requests for documents must be received by us no later than close of business on 11 February, 1987. Requests received later than this date may be delayed. Sincerely yours, Mrs. Barbara Sherwin Documents Secretary SDINET Project Honeypot strategy: the attacker needs to send a postal letter to get more confidential data, hence leaking his source address if he ever sends one (honeytoken).
  • 16. KGB front office Yup, it works
  • 17.
  • 18. Final target Intermediary target Bait / honeypot Neutralize Characterize There are different kinds of hack back scenarios
  • 19. The Pyramid of Pain, hack back edition. How Deep Are You (back) In? (from hard to easy)
    • Dox: ultimate goal (full pwnage) = cameras, PII (passport scan, real identities, …)
    • Internal infrastructure: a step inside the attacker’s network: internal tools, TTPs, real-time tracking
    • External infrastructure takeover: getting an extensive list of personas, cover e-mail addresses, infrastructure data (ORBs/proxies, …)
    • Single C2 takeover: a single auxiliary C2, not much data except if opsec fails
    • Active Defense (honeytokens + beacons): alerts when sensitive documents are read (and from where)
    • Passive Defense (IDS / antivirus / honeypot): alerts when probed/scanned/infected (very noisy)
    Original Pyramid of Pain: DFIR, https://detect-respond.blogspot.fr/2013/03/the-pyramid-of-pain.html
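The “Active Defense (honeytokens + beacons)” rung above, and the postal-letter bait of slide 15, as an added example that is not part of the talk: a registry mints one unguessable beacon URL per decoy document, and a scanner maps hits in the beacon server’s access log back to the decoy that was opened and the address it was opened from. The beacon host beacon.example.invalid, the decoy names and the log lines are constructed for the example.

```python
import re
import secrets
from dataclasses import dataclass
from datetime import datetime
@dataclass
class Alert:
    document: str     # which decoy was opened
    source_ip: str    # where the fetch came from
    seen_at: datetime
    user_agent: str

class HoneytokenRegistry:
    """Mints one unguessable beacon URL per decoy and recognises hits in a "combined"-format access log."""
    _LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                       r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
    _TOKEN_PATH = re.compile(r"^/t/(?P<token>[A-Za-z0-9_-]+)\.png$")

    def __init__(self, beacon_host="beacon.example.invalid"):  # hypothetical beacon host
        self.beacon_host = beacon_host
        self._tokens = {}  # token -> decoy document name

    def issue(self, document_name):
        """Return the URL to embed in one decoy (e.g. as a remote image or link)."""
        token = secrets.token_urlsafe(16)  # 128 random bits: not guessable or enumerable
        self._tokens[token] = document_name
        return f"https://{self.beacon_host}/t/{token}.png"

    def scan(self, log_lines):
        """One alert per beacon hit; other traffic, guessed tokens and junk lines are ignored."""
        alerts = []
        for line in log_lines:
            m = self._LINE.match(line)
            p = self._TOKEN_PATH.match(m["path"]) if m else None
            if not p or p["token"] not in self._tokens:
                continue
            alerts.append(Alert(self._tokens[p["token"]], m["ip"],
                                datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ua"]))
        return alerts

def build_demo_alerts():
    """Plant a decoy, then scan a constructed access log (RFC 5737 test addresses)."""
    reg = HoneytokenRegistry()
    plan_path = reg.issue("merger-plan-DRAFT.docx").split(reg.beacon_host, 1)[1]
    log = [  # constructed sample lines: one real hit, a guessed token, one junk line
        f'203.0.113.7 - - [21/May/2018:10:15:32 +0000] "GET {plan_path} HTTP/1.1" 200 68 "-" "Microsoft Office Word 2016"',
        '198.51.100.9 - - [21/May/2018:10:17:45 +0000] "GET /t/AAAAAAAAAAAAAAAAAAAAAA.png HTTP/1.1" 404 0 "-" "curl/7.58"',
        'garbage line that is not an access log entry',
    ]
    return reg.scan(log)
```

The same scan over a real beacon log gives the “where from” the slide asks for; the source address is of course only the machine that opened the document, not necessarily the attacker’s own.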
  • 21.
  • 22. Pain level: Dox (maximal): we got the attacker’s face and full botnet compromise. Also, note that RU actors were searching for « CIA » keywords as well… things never change?
  • 23. AIVD / APT29 (2014, publicly released in 2018) Pain level: Dox Interestingly, we can ask ourselves why this is leaking now. Could this serve some deterrence policy?
  • 25. Hacking Team (2015) Pain level: full compromise https://pastebin.com/0SNSvyjJ This isn’t a Counter-CNE op, but it’s a very good example of asymmetry: a 0day vendor got breached with simple tools and bad password management. Hacking Team is a poorly shod shoemaker, like many others.
  • 27. WannaCry (2018) Pain level: DNS hijack
    • A few hours after the malware was detected, Marcus Hutchins (MalwareTech) registered the iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com domain name, which was (supposedly) an anti-analysis feature
    • By doing this active countermeasure he prevented further infections (= neutralized)
    Actionable Intel: the list of IP addresses of infected machines
    Typical example showing that everybody can partake in hack back, even if you’re not the direct target.
  • 29. A hacker has tried to hack you. Read about phishing attacks and how to protect yourself from here: https://en.wikipedia.org/wiki/Phishing Best, A good person that protected you from this attempt http://www.sps-perbanas.ac.id/foto/rito/ikeman/protonmail/ Pain level: Single takeover
  • 30.
  • 31. OPSEC First rule of the hackback club: do not talk about the hackback
  • 32. 20% of people think this was a bad idea… and they’re right! Because (see next slide)
  • 33. Collateral damage First, you don’t know who you’re hacking back, and second, you’re attacking computers in the neutral space – the user isn’t the owner (e.g. a threat actor using OVH)
  • 34. A320-X DRM • Flight Simulator X addon developed by FlightSimLabs • Cost $100 • FSLabs_A320X_P3D_v2.0.1.231.exe > test.exe "Test.exe" is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally. – CEO Lefteris Kalamaras Prime example of the WRONG thing to do. This company tried to make their own DRM using malware to ‘hack back’ pirates.
  • 35. A320-X DRM • FSLabs_A320X_P3D_v2.0.1.231.exe Pain level: code exec Actionable Intel: login/password of pirated-copy users
  • 36. Failed attempt at ‘hacking back’ users of pirated copies
  • 38. What about other legitimate users on the same IP range? DDoS? Lame… it’s like using napalm in a dense urban environment: you’re going to get collateral damage for sure.
  • 39. Limits
    • Technical
      • How does the adversary protect itself (opsec)
      • Fog of war: false flag & tool reuse (third-party)
    • Legal
      • What I have the right to do
    • Ethics
      • What is the right thing to do
    Fifty Shades of Grey Hat
  • 40. Active Cyber Defense Certainty Act
    • US bill introduced on 10/12/2017
    • (6) Congress determines that the use of active cyber defense techniques, when properly applied, can also assist in improving defenses and deterring cybercrimes.
    • (7) Congress also acknowledges that many private entities are increasingly concerned with stemming the growth of dark web based cyber-enabled crimes. The Department of Justice should attempt to clarify the proper protocol for entities who are engaged in active cyber defense in the dark web so that these defenders can return private property such as intellectual property and financial records gathered inadvertently.
    • (9) Computer defenders should also exercise extreme caution to avoid violating the law of any other nation where an attacker’s computer may reside.
    • (10) Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber activity.
    EXCLUSION FROM PROSECUTION FOR CERTAIN COMPUTER CRIMES FOR THOSE TAKING ACTIVE CYBER DEFENSE MEASURES.
    There are some good ideas there, but also a lot of misunderstanding from the lawmakers… they clearly do not get what cyber is.
  • 41. IANAL - self-defence. French law (Article 122-5 du code pénal): A person is not criminally liable who, faced with an unjustified attack against themselves or another, performs, at the same time, an act required by the necessity of the legitimate defence of themselves or another, unless there is a disproportion between the means of defence employed and the seriousness of the attack. A person is not criminally liable who, in order to interrupt the commission of a crime or an offence against property, performs an act of defence, other than intentional homicide, when that act is strictly necessary for the aim pursued and the means employed are proportionate to the seriousness of the offence. You can interrupt the execution of a crime or an offence against you or against property (physical or digital) if: necessity of self-defence + seriousness of the attack + proportionate means. In France we have a law called « Self-Defence » that could be interpreted in the cyber domain, although it’s very difficult to prove the ‘necessity’ of a hack-back.
  • 42. Key takeaways
    • Everybody serious about cyber does it, consciously or unconsciously
    • If you do, don’t talk about it
    • Grey area – not regulated
    • High risk of collateral damage
      • In 90% of the cases you don’t know who you’re hacking back
    • We certainly need a legal framework for a right to actively defend yourself
      • If the collateral damage can be controlled/limited
      • Proportionate & fair
      • In France, PASSI-like certified hack backs?
    • 📈 Hot topic – increasing activity