Pay attention to that man
behind the curtain
Current state of Hacking Back
21/05/2018 ESE - @x0rz
What is ‘Hacking Back’?
Any active countermeasure that aims to 1) limit
the adversary’s capabilities and/or 2) identify
the intruder. *
Synonyms:
- Counter-CNE
- Riposte numérique (FR)
- Contre-attaque numérique (FR)
* Disclaimer: this is my own definition
My comments are in
yellow rectangles
Motivations
1. Neutralize the threat
• LEA, botnet takedowns, …
• CNA (disrupt, deny, degrade, or destroy)
2. Characterize the attack
• Cyber Counterintelligence (Mandiant/APT1, FBI, …)
• Damage Control (« what has been stolen »)
• Counter Computer Network Exploitation (CCNE)
• « Caught red-handed » - could serve as evidence in court
3. Deter
• New doctrine: discourage hackers from entering your network because of fear of
retaliation
4. Fourth-party collection
• Stealing foreign intelligence and tools
Fourth-party collection is what intelligence agencies do to monitor their adversaries: tapping into the adversary's own collection and tools.
Is it something new?
Cliff Stoll (1987)
LBL>telnet Nic.arpa
Trying...
Connected to 10.0.0.51.
+-------------DDN Network Information Center--------------|
| For TAC news, type: TACNEWS <carriage return>
| For user and host information, type: WHOIS <carriage return>
| For NIC information, type: NIC <carriage return>
+---------------------------------------------------------------|
SRI-NIC, TOPS-20 Monitor 6.1(7341)-4
@Whois cia
Central Intelligence Agency (CIA)
Office of Data Processing
Washington, DC 20505
These are 4 known members:
Fishoff, J. (JF27) FISHOFF@A.ISI.EDU (703) 351-3305
Gresham, D. L. (DLG33) GRESHAM@A.ISI.EDU (703) 351-8957
Manning, Edward J. (EM44) MANNING@BBN.ARPA (703) 281-6161
Ziegler, Mary (MZ9) MARY@NNS.ARPA (703) 351-8249
One of the earliest known cases:
some random hacker caught inside
the Berkeley Lab network, browsing
the ARPANET searching for the
« CIA » keyword… interesting.
At the time every connection was
made through the phone system.
Tor wasn't even a thing, but
international calls were a pain to
trace back (because you needed
search warrants…).
Passively, you could only
establish some kind of
profile from the calling
patterns.
At this point all he got
was this histogram…
does that ring a bell?
30 years later...
Yes, we’re still using the
same techniques
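The calling-pattern profiling above, as an added example that is not part of the original deck: given session timestamps, build the hour-of-day histogram Stoll drew by hand and score which whole-hour UTC offset best lines the activity up with a normal working day. The log lines, the log format and the 09:00-18:00 workday window are assumptions constructed for this example.

```python
"""Added example (not from the slides): profile an intruder from when they connect.

Stoll's histogram of calling times is the same trick used today on login or C2
beacon timestamps: activity clusters around the operator's working day, which
hints at their time zone. The log lines below are constructed for this example.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: one line per intruder session, UTC timestamp first (hypothetical)
SAMPLE_LOG = """\
1986-12-01T08:12:41Z login sdinet from tty3
1986-12-01T09:03:10Z login sdinet from tty3
1986-12-02T09:41:55Z login sdinet from tty2
1986-12-02T10:18:07Z login sdinet from tty2
1986-12-03T11:27:30Z login sdinet from tty3
1986-12-03T12:05:12Z login sdinet from tty3
1986-12-04T13:44:09Z login sdinet from tty1
1986-12-04T14:52:48Z login sdinet from tty1
1986-12-05T15:20:33Z login sdinet from tty3
1986-12-05T16:39:01Z login sdinet from tty3
1986-12-07T02:14:27Z login sdinet from tty2
"""


def parse_hours(log_text):
    """Extract the UTC hour of each session; skip lines without a usable timestamp."""
    hours = []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            stamp = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        hours.append(stamp.hour)
    return hours


def hour_histogram(hours):
    """24 buckets, index = UTC hour, value = number of sessions."""
    counts = Counter(hours)
    return [counts.get(h, 0) for h in range(24)]


def likely_utc_offset(histogram, workday=(9, 18)):
    """Return (offset, score): the whole-hour UTC offset under which the most
    sessions fall inside a local 09:00-18:00 workday (the window is an assumption).
    Ties keep the most westerly offset, tried first. Treat the answer as a hint,
    not an attribution: the intruder may simply work nights."""
    best_offset, best_score = None, -1
    for offset in range(-12, 15):
        score = sum(n for utc_hour, n in enumerate(histogram)
                    if workday[0] <= (utc_hour + offset) % 24 < workday[1])
        if score > best_score:
            best_offset, best_score = offset, score
    return best_offset, best_score


def render(histogram):
    """Text histogram, one row per UTC hour, like the one on the slide."""
    return "\n".join(f"{h:02d}h {'#' * n}" for h, n in enumerate(histogram))


if __name__ == "__main__":
    hist = hour_histogram(parse_hours(SAMPLE_LOG))
    print(render(hist))
    print("best-fit UTC offset:", likely_utc_offset(hist))
```

The score is deliberately coarse: a handful of sessions cannot separate neighbouring time zones, and a night-shift operator defeats it entirely, which is why this stays a profiling aid rather than evidence.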
From a passive posture to an active hack back
lbl> who
Astro
Carter
Fermi
Meyers
Microprobe
Oppy5
Sdinet
Sventek
Turnchek
Tompkins
lbl> grep sdinet /etc/passwd
sdinet:sx4sd34x2:user sdinet, files in /u4/sdinet, owner sdi network project
lbl> cd /u4/sdinet
lbl> ls
file protection violation—you are not the owner.
From passive to active.
Let’s fight back in our
own territory !
lbl> ls
Connections
Form-Letter
Funding
Mailing-Labels
Pentagon-Request
Purchase-Orders
Memo-to-Gordon
Rhodes-Letter
SDI-computers
SDI-networks
SDI-Network-Proposal
User-List
World-Wide-Net
Visitor-information
The attacker was using a
0day to elevate privileges and list
files only *he* could
read. If we plant a fake
document here, only he
will get to read it.
SDI Network Project
Lawrence Berkeley Lab
Mail Stop 50-331
1 Cyclotron Road
Berkeley, CA 94720
name name
address address
city city, state state, zip zip
Dear Sir:
Thank you for your inquiry about SDINET. We are happy to
comply with your request for more information about this
network. The following documents are available from this
office. Please state which documents you wish mailed to you:
#37.6 SDINET Overview Description Document
19 pages, revised Sept, 1986
#41.7 Strategic Defense Initiative and Computer Networks:
Plans and Implementations (Conference Notes)
287 pages, revised Sept, 1986
#46.2 Strategic Defense Initiative and Computer Networks:
Plans and implementations (Conference Notes)
300 pages, June, 1986
#47.3 SDINET Connectivity Requirements
66 pages, revised April, 1986
#48.8 How to link into the SDINET
25 pages, July 1986
#49.1 X.25 and X.75 connections to SDINET
(includes Japanese, European, and Hawaii nodes)
8 pages, December, 1986
#55.2 SDINET management plan for 1986 to 1988
47 pages, November 1986
#62.7 Unclassified SDINET membership list
(includes major Milnet connections)
24 pages, November, 1986
#65.3 Classified SDINET membership list
9 pages, November, 1986
#69.1 Developments in SDINET and SDI Disnet
28 pages, October, 1986
NUI Request Form
This form is available here, but should
be returned to the Network Control Center
Other documents are available as well. If you wish to be added to
our mailing list, please request so.
Because of the length of these documents, we must use the postal
service.
Please send your request to the above address, attention Mrs.
Barbara Sherwin.
The next high level review for SDINET is scheduled for 20
February, 1987. Because of this, all requests for documents
must be received by us no later than close of business on
11 February, 1987. Requests received later than this date may
be delayed.
Sincerely yours,
Mrs. Barbara Sherwin
Documents Secretary
SDINET Project
Honeypot strategy: the attacker needs to
send a postal letter to get more
confidential data… hence leaking his
source address if he ever sends a
letter (honeytoken).
[Diagram: bait / honeypot → intermediary target → final target (KGB front office); outcomes: neutralize, characterize]
Yup, it works.
There are different kinds of hack back scenarios.
The Pyramid of Pain, hack back edition (How Deep Are You (back) In?), hardest at the top, easiest at the bottom:
• Dox (Hard): ultimate goal (full pwnage) = cameras, PII (passport scan, real identities, …)
• Internal infrastructure: a step inside the attacker's network: internal tools, TTPs, real-time tracking
• External infrastructure takeover: an extensive list of personas, cover e-mail addresses, infrastructure data (ORBs/proxies, …)
• Single C2 takeover: a single auxiliary C2, not much data unless their opsec fails
• Active Defense (honeytokens + beacons): alerts when sensitive documents are read, and from where
• Passive Defense (IDS / antivirus / honeypot) (Easy): alerts when probed/scanned/infected (very noisy)
Original Pyramid of Pain (DFIR): https://detect-respond.blogspot.fr/2013/03/the-pyramid-of-pain.html
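Stoll's postal-letter bait and the "Active Defense (honeytokens + beacons)" rung above are the same idea; here is the modern form as an added example, not code from the deck: every decoy file references its own unguessable URL on a host we control, and a hit in that host's access log tells us which decoy was opened and from which address. The beacon host name, the `/t/<token>.png` path scheme, the HTML decoy format and the log lines are assumptions constructed for this example.

```python
"""Added example (not from the slides): honeytoken documents with a callback beacon.

Stoll's bait worked because only the intruder could read it, and asking for more
meant revealing an address. The modern version: every decoy file references a
unique, unguessable URL on a host we control; when a reader's software fetches
it, the log says which decoy was opened and from where. Host, paths and the log
lines are assumptions constructed for this example.
"""
import re
import secrets

BEACON_HOST = "beacon.example.org"  # assumed: a web host we control and whose logs we read


class HoneytokenRegistry:
    """Maps each minted token to the decoy it was embedded in."""

    def __init__(self):
        self._by_token = {}

    def mint(self, decoy_name):
        token = secrets.token_urlsafe(16)  # 128 random bits: not guessable by path brute force
        self._by_token[token] = decoy_name
        return token

    def lookup(self, token):
        return self._by_token.get(token)


def render_decoy(registry, decoy_name, body):
    """Return decoy content carrying a beacon URL unique to this decoy.
    An HTML file with a remote image is used here; an Office document with a
    remote template or image reference works the same way."""
    token = registry.mint(decoy_name)
    beacon = f"https://{BEACON_HOST}/t/{token}.png"
    return (f"<html><body><h1>{decoy_name}</h1><p>{body}</p>"
            f'<img src="{beacon}" width="1" height="1"></body></html>')


# Combined-format access log line: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TOKEN_PATH_RE = re.compile(r"^/t/([A-Za-z0-9_-]+)\.png$")


def alerts_from_log(registry, log_text):
    """Turn beacon hits in the access log into alerts: which decoy, from where.
    Requests for unknown tokens are ignored: they are path guessing, not a read,
    which keeps this far less noisy than the passive IDS/scan alerts on the slide."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        pm = TOKEN_PATH_RE.match(m.group("path"))
        if not pm:
            continue
        decoy = registry.lookup(pm.group(1))
        if decoy is None:
            continue
        alerts.append({"decoy": decoy, "source_ip": m.group("ip"),
                       "when": m.group("ts"), "user_agent": m.group("ua")})
    return alerts


def demo():
    """Mint one decoy, then feed the beacon host's log (constructed) to the alerter."""
    registry = HoneytokenRegistry()
    html = render_decoy(registry, "SDINET-membership-list", "Do not distribute.")
    token = re.search(r"/t/([A-Za-z0-9_-]+)\.png", html).group(1)
    log = "\n".join([
        # a real read of the decoy (hypothetical source address from a documentation range)
        f'203.0.113.7 - - [12/May/2018:09:14:02 +0000] "GET /t/{token}.png HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
        # someone guessing token paths: unknown token, no alert
        '198.51.100.9 - - [12/May/2018:09:20:11 +0000] "GET /t/AAAAAAAAAAAAAAAAAAAAAA.png HTTP/1.1" 404 0 "-" "curl/7.58.0"',
        # unrelated request on the same host: no alert
        '198.51.100.9 - - [12/May/2018:09:20:12 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/7.58.0"',
    ])
    return alerts_from_log(registry, log)


if __name__ == "__main__":
    for alert in demo():
        print(f"ALERT decoy {alert['decoy']!r} read from {alert['source_ip']} at {alert['when']}")
```

The source address you get is wherever the document was opened, which may be a sandbox, a proxy or a VPN exit rather than the attacker's desk; the token tells you with certainty which decoy leaked, the address only where it was read.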
CERT-GOV-GE (2012)
http://dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf
Pain level: Dox
Pain level: maximal, we got the
attacker's face and full botnet
compromise. Also, note that RU
actors were searching for « CIA »
keywords as well… things never
change?
AIVD / APT29 (2014, publicly released in 2018)
Pain level: Dox
Interestingly, we can ask ourselves
why this is leaking now. Could it
serve a deterrence policy?
Daily (public) examples
Hacking Team (2015)
Pain level: full compromise https://pastebin.com/0SNSvyjJ
This isn't a Counter-CNE op, but it's
a very good example of asymmetry:
a 0day vendor got breached with
simple tools and bad password
management. Hacking Team is the
cobbler whose children go barefoot,
like many others.
ZooPark (2018)
Pain level: C2 takeover
WannaCry (2017)
Pain level: DNS hijack
• A few hours after the malware was detected, Marcus Hutchins (MalwareTech)
registered the iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
domain name, which was (supposedly) an anti-analysis feature
• By doing this active countermeasure he prevented further infections (= neutralized)
Actionable Intel: the list of IP addresses of infected machines
Typical example showing that everybody can
partake in hack back, even if you're
not the direct target.
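The kill-switch mechanics and the "actionable intel" from the slide above, as an added example that is not code from the deck or from MalwareTech: the worm only ran when its check-in URL did not answer, so registering the domain and answering turned it off, and every later check-in landed in the registrant's logs. The `fetch` callable (injected so the code runs offline), the sinkhole log format, the addresses (from documentation ranges) and the excluded scanner network are assumptions constructed for this example; only the domain name comes from the slide.

```python
"""Added example (not from the slides): a WannaCry-style kill switch and a sinkhole victim list.

The malware proceeded only when its check-in URL was unreachable. Registering the
domain made the request succeed, so new infections exited (neutralize), and each
check-in became a log line naming an infected network (characterize).
The fetch callable and the log lines below are constructed for this example.
"""
import ipaddress
import re
from datetime import datetime

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"  # domain named on the slide


def should_continue(fetch, domain=KILL_SWITCH_DOMAIN):
    """Model of the malware's decision: run the payload only if the URL is unreachable.

    `fetch(url)` returns True when the request succeeds and raises or returns
    False otherwise. Before registration the name did not resolve, so the
    payload ran; after registration the fetch succeeded and the payload exited.
    """
    try:
        reachable = fetch(f"http://{domain}/")
    except Exception:
        reachable = False
    return not reachable


def fetch_fails(url):
    """Stands in for the pre-registration state: the name does not resolve."""
    raise OSError(f"{url}: name does not resolve")


# Constructed sinkhole access-log lines: "<utc time> <client ip> <request> <status>"
SINKHOLE_LOG = """\
2017-05-12T15:08:01Z 203.0.113.7 GET / HTTP/1.1 200
2017-05-12T15:08:03Z 203.0.113.7 GET / HTTP/1.1 200
2017-05-12T15:09:44Z 192.0.2.25 GET / HTTP/1.1 200
2017-05-12T15:10:10Z 198.51.100.4 GET / HTTP/1.1 200
2017-05-12T15:11:59Z not-an-ip GET / HTTP/1.1 200
2017-05-12T15:12:30Z 192.0.2.25 GET / HTTP/1.1 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<req>GET \S+ HTTP/\d\.\d) (?P<status>\d{3})$")

# Assumed: our own scanners and researchers, excluded so they are not reported as victims
EXCLUDE_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def victims_from_sinkhole(log_text, exclude=EXCLUDE_NETS):
    """Aggregate check-ins per source address: first seen, last seen, hit count.
    Malformed lines are skipped rather than crashing the report."""
    victims = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        if any(ip in net for net in exclude):
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        rec = victims.setdefault(str(ip), {"first_seen": ts, "last_seen": ts, "hits": 0})
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["hits"] += 1
    return victims


def report(victims):
    """CSV report, one row per infected source address, sorted for stable diffs."""
    rows = [f"{ip},{r['first_seen'].isoformat()},{r['last_seen'].isoformat()},{r['hits']}"
            for ip, r in sorted(victims.items())]
    return "ip,first_seen,last_seen,hits\n" + "\n".join(rows)


if __name__ == "__main__":
    print("before registration, payload runs:", should_continue(fetch_fails))
    print("after registration, payload exits:", not should_continue(lambda url: True))
    print(report(victims_from_sinkhole(SINKHOLE_LOG)))
```

The address in each row is the NAT egress of an infected network, not the infected host, and a DNS-only sinkhole would show recursive resolvers instead; both are good enough to notify a network owner, neither is enough to retaliate against.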
ProtonMail (2017)
A hacker has tried to hack you. Read about phishing
attacks and how to protect yourself from them
here: https://en.wikipedia.org/wiki/Phishing
Best,
A good person that protected you from this attempt
http://www.sps-perbanas.ac.id/foto/rito/ikeman/protonmail/
Pain level: Single takeover
OPSEC
First rule of the hackback club: do not talk
about the hackback
20% of people think this was a bad
idea… and they’re right! Because
(see next slide)
Collateral damage
First, you don't know who you're
hacking back, and secondly you're
attacking computers in neutral
space: the user isn't the owner (e.g. a
threat actor using OVH).
A320-X DRM
• Flight Simulator X addon developed by FlightSimLabs
• Cost $100
• FSLabs_A320X_P3D_v2.0.1.231.exe
> test.exe
"Test.exe" is part of the DRM and is only targeted against specific pirate
copies of copyrighted software obtained illegally. – CEO Lefteris Kalamaras
Prime example of what NOT to
do. This company tried to make
their own DRM using malware to
'hack back' pirates.
A320-X DRM
• FSLabs_A320X_P3D_v2.0.1.231.exe
Pain level: code exec
Actionable Intel: login/password of pirated-copy users
Failed attempt at ‘hacking back’ pirated copies users
Pervade Software: https://motherboard.vice.com/en_us/article/newd88/this-uk-company-is-making-it-easier-for-private-companies-to-hack-back
What about other legitimate users on the same IP range?
DDoS? Lame… it's like using napalm
in a dense urban environment:
you're going to cause collateral
damage for sure.
Limits
• Technical
• How does the adversary protect itself (opsec)
• Fog of war: false flag & tool reuse (third-party)
• Legal
• What I have the right to do
• Ethics
• What is the right thing to do
Fifty Shades of Grey Hat
Active Cyber Defense Certainty Act
• US bill introduced on 12 October 2017
• (6) Congress determines that the use of active cyber defense techniques, when
properly applied, can also assist in improving defenses and deterring cybercrimes.
• (7) Congress also acknowledges that many private entities are increasingly concerned
with stemming the growth of dark web based cyber-enabled crimes. The Department
of Justice should attempt to clarify the proper protocol for entities who are engaged
in active cyber defense in the dark web so that these defenders can return private
property such as intellectual property and financial records gathered inadvertently.
• (9) Computer defenders should also exercise extreme caution to avoid violating the
law of any other nation where an attacker’s computer may reside.
• (10) Congress holds that active cyber defense techniques should only be used by
qualified defenders with a high degree of confidence in attribution, and that extreme
caution should be taken to avoid impacting intermediary computers or resulting in an
escalatory cycle of cyber activity.
EXCLUSION FROM PROSECUTION FOR CERTAIN COMPUTER CRIMES
FOR THOSE TAKING ACTIVE CYBER DEFENSE MEASURES.
There are some good ideas there, but also a lot
of misunderstanding from the lawmakers…
they clearly don't get what cyber is.
IANAL - self-defence
French law (Article 122-5 of the Code pénal):
A person who, faced with an unjustified attack on themselves or another, performs at the same
time an act commanded by the necessity of the self-defence of themselves or another is not
criminally liable, unless there is a disproportion between the means of defence used and the
seriousness of the attack.
A person who, in order to interrupt the commission of a crime or offence against property,
performs an act of defence other than intentional homicide is not criminally liable, where that act
is strictly necessary to the aim pursued and the means used are proportionate to the seriousness
of the offence.
You can interrupt the execution of a crime or an offence
against yourself or against property (physical or digital)
if
necessity of self-defence + seriousness of the attack + proportionate response
In France we have a law on « self-defence »
that could be interpreted in the cyber domain,
although it's very difficult to prove the
'necessity' of a hack-back.
Key takeaways
• Everybody serious about cyber does it consciously or unconsciously
• If you do, don’t talk about it
• Grey area – not regulated
• High risk of collateral damage
• In 90% of the cases you don’t know who you’re hacking back
• We certainly need a legal framework for a right to actively defend
yourself
• If the collateral damage can be controlled/limited
• Proportionate & fair
• In France, PASSI-like certified hack backs?
• 📈 Hot topic – increasing activity
[Slide image text, partially recovered: « … DE RIPOSTE »]
Open for discussion
@x0rz

Weitere ähnliche Inhalte

Was ist angesagt?

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE
 
Keynote fx try harder 2 be yourself
Keynote fx   try harder 2 be yourselfKeynote fx   try harder 2 be yourself
Keynote fx try harder 2 be yourselfDefconRussia
 
Some things about LAN device detection
Some things about LAN device detectionSome things about LAN device detection
Some things about LAN device detectionCanaan Kao
 
Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09Angelill0
 
Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6FRSecure
 
Mist2012 panel discussion-ruo ando
Mist2012 panel discussion-ruo andoMist2012 panel discussion-ruo ando
Mist2012 panel discussion-ruo andoRuo Ando
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious CodeSatria Ady Pradana
 
Advanced Persistent Threats Cutting Through The Hype
Advanced Persistent Threats Cutting Through The HypeAdvanced Persistent Threats Cutting Through The Hype
Advanced Persistent Threats Cutting Through The HypeSymantec
 
Slide Deck CISSP Class Session 7
Slide Deck CISSP Class Session 7Slide Deck CISSP Class Session 7
Slide Deck CISSP Class Session 7FRSecure
 

Was ist angesagt? (16)

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
 
Penetrationtestinglovesfreesoftware libreplaner2017-christianfernandez-hispag...
Penetrationtestinglovesfreesoftware libreplaner2017-christianfernandez-hispag...Penetrationtestinglovesfreesoftware libreplaner2017-christianfernandez-hispag...
Penetrationtestinglovesfreesoftware libreplaner2017-christianfernandez-hispag...
 
Cisel1 d
Cisel1 dCisel1 d
Cisel1 d
 
07security
07security07security
07security
 
Dracos forensic flavor
Dracos forensic flavorDracos forensic flavor
Dracos forensic flavor
 
Sectools
SectoolsSectools
Sectools
 
aaa
aaaaaa
aaa
 
Keynote fx try harder 2 be yourself
Keynote fx   try harder 2 be yourselfKeynote fx   try harder 2 be yourself
Keynote fx try harder 2 be yourself
 
Some things about LAN device detection
Some things about LAN device detectionSome things about LAN device detection
Some things about LAN device detection
 
Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09
 
Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6
 
Mist2012 panel discussion-ruo ando
Mist2012 panel discussion-ruo andoMist2012 panel discussion-ruo ando
Mist2012 panel discussion-ruo ando
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
 
Network security
Network securityNetwork security
Network security
 
Advanced Persistent Threats Cutting Through The Hype
Advanced Persistent Threats Cutting Through The HypeAdvanced Persistent Threats Cutting Through The Hype
Advanced Persistent Threats Cutting Through The Hype
 
Slide Deck CISSP Class Session 7
Slide Deck CISSP Class Session 7Slide Deck CISSP Class Session 7
Slide Deck CISSP Class Session 7
 

Ähnlich wie Pay attention to that man behind the curtain: Current state of Hacking Back

CrowdSec A-Round Fundraising Deck
CrowdSec A-Round Fundraising DeckCrowdSec A-Round Fundraising Deck
CrowdSec A-Round Fundraising DeckCrowdSec
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingSteve Phillips
 
HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!F _
 
Rootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise DetectionRootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise Detectionamiable_indian
 
Nastiest Malware 2021
Nastiest Malware 2021Nastiest Malware 2021
Nastiest Malware 2021tsevier
 
Capture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseCapture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseFidelis Cybersecurity
 
Module 3 (scanning)
Module 3 (scanning)Module 3 (scanning)
Module 3 (scanning)Wail Hassan
 
SEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill ChainSEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill ChainErik Van Buggenhout
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
Ethical Hacking Overview
Ethical Hacking OverviewEthical Hacking Overview
Ethical Hacking OverviewSubhoneel Datta
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primeramiable_indian
 
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008eLiberatica
 
Offensive Security basics part 1
Offensive Security basics  part 1Offensive Security basics  part 1
Offensive Security basics part 1wharpreet
 
Hacking And Its Prevention
Hacking And Its PreventionHacking And Its Prevention
Hacking And Its PreventionDinesh O Bareja
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Alexander Kot
 
Ethical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its ProspectsEthical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its ProspectsRwik Kumar Dutta
 

Ähnlich wie Pay attention to that man behind the curtain: Current state of Hacking Back (20)

CrowdSec A-Round Fundraising Deck
CrowdSec A-Round Fundraising DeckCrowdSec A-Round Fundraising Deck
CrowdSec A-Round Fundraising Deck
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration Testing
 
HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!
 
Rootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise DetectionRootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise Detection
 
Nastiest Malware 2021
Nastiest Malware 2021Nastiest Malware 2021
Nastiest Malware 2021
 
Capture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseCapture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception Defense
 
Module 3 (scanning)
Module 3 (scanning)Module 3 (scanning)
Module 3 (scanning)
 
Honeypot Project
Honeypot ProjectHoneypot Project
Honeypot Project
 
SEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill ChainSEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill Chain
 
Network Security
Network SecurityNetwork Security
Network Security
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
Ethical Hacking Overview
Ethical Hacking OverviewEthical Hacking Overview
Ethical Hacking Overview
 
ACTIVITY1 FCS.pptx
ACTIVITY1 FCS.pptxACTIVITY1 FCS.pptx
ACTIVITY1 FCS.pptx
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on Honeypots
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
 
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008
"BitDefender - What's Next" by Alexandru Balan @ eLiberatica 2008
 
Offensive Security basics part 1
Offensive Security basics  part 1Offensive Security basics  part 1
Offensive Security basics part 1
 
Hacking And Its Prevention
Hacking And Its PreventionHacking And Its Prevention
Hacking And Its Prevention
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.
 
Ethical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its ProspectsEthical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its Prospects
 

Kürzlich hochgeladen

Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AITatiana Gurgel
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfhenrik385807
 
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Vipesco
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMoumonDas2
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Delhi Call girls
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Pooja Nehwal
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )Pooja Nehwal
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfhenrik385807
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Salam Al-Karadaghi
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...henrik385807
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024eCommerce Institute
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 

Kürzlich hochgeladen (20)

Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
 
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptx
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 

Pay attention to that man behind the curtain: Current state of Hacking Back

  • 1. Pay attention to that man behind the curtain Current state of Hacking Back 21/05/2018 ESE - @x0rz
  • 8. At the time every connection was made through the phone system. Tor wasn’t even a thing, but international calls were a PITA to trace back (because you needed search warrants…)
  • 9. Passively, you could only establish some kind of profile using the calling patterns
  • 10. At this point all he got was this histogram… does that ring any bell?
  • 11. 30 years later... Yes, we’re still using the same techniques
  • 12. From a passive posture to an active hack back
  • 13. From passive to active. Let’s fight back in our own territory!
    lbl> who
    Astro Carter Fermi Meyers Microprobe Oppy5 Sdinet Sventek Turnchek Tompkins
    lbl> grep sdinet /etc/passwd
    Sdln8t:sx4sd34x2:user sdinet, files in /u4/sdinet, owner sdi network project
    lbl> cd /u4/sdinet
    lbl> ls
    file protection violation—you are not the owner.
  • 15. SDI Network Project, Lawrence Berkeley Lab, Mail Stop 50-331, 1 Cyclotron Road, Berkeley, CA 94720
    name name / address address / city city, state state, zip zip
    Dear Sir:
    Thank you for your inquiry about SDINET. We are happy to comply with your request for more information about this network. The following documents are available from this office. Please state which documents you wish mailed to you:
    #37.6 SDINET Overview Description Document, 19 pages, revised Sept, 1986
    #41.7 Strategic Defense Initiative and Computer Networks: Plans and Implementations (Conference Notes), 287 pages, revised Sept, 1986
    #46.2 Strategic Defense Initiative and Computer Networks: Plans and Implementations (Conference Notes), 300 pages, June, 1986
    #47.3 SDINET Connectivity Requirements, 66 pages, revised April, 1986
    #48.8 How to link into the SDINET, 25 pages, July 1986
    #49.1 X.25 and X.75 connections to SDINET (includes Japanese, European, and Hawaii nodes), 8 pages, December, 1986
    #55.2 SDINET management plan for 1986 to 1988, 47 pages, November 1986
    #62.7 Unclassified SDINET membership list (includes major Milnet connections), 24 pages, November, 1986
    #65.3 Classified SDINET membership list, 9 pages, November, 1986
    #69.1 Developments in SDINET and Sdi Disnet, 28 pages, October, 1986
    NUI Request Form: this form is available here, but should be returned to the Network Control Center.
    Other documents are available as well. If you wish to be added to our mailing list, please request so. Because of the length of these documents, we must use the postal service. Please send your request to the above address, attention Mrs. Barbara Sherwin.
    The next high level review for SDINET is scheduled for 20 February, 1987. Because of this, all requests for documents must be received by us no later than close of business on 11 February, 1987. Requests received later than this date may be delayed.
    Sincerely yours, Mrs. Barbara Sherwin, Documents Secretary, SDINET Project
    Honeypot strategy: the attacker needs to send a postal letter to get more confidential data, hence leaking his source address if he ever sends one (honeytoken).
  • 16. KGB front office Yup, it works
  • 18. There are different kinds of hack back scenarios (diagram: final target / intermediary target / bait or honeypot, each either neutralized or characterized)
  • 19. The Pyramid of Pain, hack back edition: How Deep Are You (back) In? (hard at the top, easy at the bottom)
    • Dox: ultimate goal (full pwnage) = cameras, PII (passport scan, real identities, …)
    • Internal infrastructure: a step inside the attacker’s network: internal tools, TTPs, real-time tracking
    • External infrastructure takeover: getting an extensive list of personas, cover e-mail addresses, infrastructure data (ORBs/proxies, …)
    • Single C2 takeover: a single auxiliary C2, not much data unless opsec fails
    • Active Defense (honeytokens + beacons): alerts when sensitive documents are read (and where from)
    • Passive Defense (IDS / antivirus / honeypot): alerts when probed/scanned/infected (very noisy)
    Original Pyramid of Pain (DFIR): https://detect-respond.blogspot.fr/2013/03/the-pyramid-of-pain.html
  • 22. Pain level: Dox (maximal: we got the attacker’s face and a full botnet compromise). Also, note that RU actors were searching for « CIA » keywords as well… things never change?
  • 23. AIVD / APT29 (2014, publicly released in 2018). Pain level: Dox. Interestingly, we can ask ourselves why this is leaking now. Could this serve some deterrence policy?
  • 25. Hacking Team (2015). Pain level: full compromise. https://pastebin.com/0SNSvyjJ
    This isn’t a Counter-CNE op, but it’s a very good example of asymmetry: a 0day vendor got breached with simple tools and bad password management. Hacking Team is the cobbler whose children go barefoot, like many others.
  • 27. WannaCry (2018). Pain level: DNS hijack
    • A few hours after the malware was detected, Marcus Hutchins (MalwareTech) registered the iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com domain name that was (supposedly) an anti-analysis feature
    • By doing this active countermeasure he prevented further infections (= neutralized)
    Actionable Intel: the list of IP addresses of infected machines
    Typical example showing that everybody can partake in hack back, even if you’re not the direct target.
  • 29. Pain level: Single takeover
    « A hacker has tried to hack you. Read about phishing attacks and how to protect yourself from here: https://en.wikipedia.org/wiki/Phishing Best, A good person that protected you from this attempt »
    http://www.sps-perbanas.ac.id/foto/rito/ikeman/protonmail/
  • 31. OPSEC First rule of the hackback club: do not talk about the hackback
  • 32. 20% of people think this was a bad idea… and they’re right! Because (see next slide)
  • 33. Collateral damage First, you don’t know who you’re hacking back, and secondly you’re attacking computers in the neutral space – the user isn’t the owner (ex. threat actor using OVH)
  • 34. A320-X DRM
    • Flight Simulator X addon developed by FlightSimLabs
    • Cost $100
    • FSLabs_A320X_P3D_v2.0.1.231.exe > test.exe
    « "Test.exe" is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally. » – CEO Lefteris Kalamaras
    Prime example of what is WRONG to do. This company tried to make their own DRM using malware to ‘hack back’ pirates.
  • 35. A320-X DRM • FSLabs_A320X_P3D_v2.0.1.231.exe Pain level: code exec Actionable Intel: login/password of pirated-copy users
  • 36. Failed attempt at ‘hacking back’ pirated-copy users
  • 38. What about other legitimate users on the same IP range? DDoS? Lame… it’s like using napalm in a dense urban environment: you’re going to get collateral damage for sure.
  • 39. Limits
    • Technical: how does the adversary protect itself (opsec); fog of war: false flags & tool reuse (third-party)
    • Legal: what I have the right to do
    • Ethics: what is the right thing to do
    Fifty Shades of Grey Hat
  • 40. Active Cyber Defense Certainty Act
    • US bill introduced on 10/12/2017
    • (6) Congress determines that the use of active cyber defense techniques, when properly applied, can also assist in improving defenses and deterring cybercrimes.
    • (7) Congress also acknowledges that many private entities are increasingly concerned with stemming the growth of dark web based cyber-enabled crimes. The Department of Justice should attempt to clarify the proper protocol for entities who are engaged in active cyber defense in the dark web so that these defenders can return private property such as intellectual property and financial records gathered inadvertently.
    • (9) Computer defenders should also exercise extreme caution to avoid violating the law of any other nation where an attacker’s computer may reside.
    • (10) Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber activity.
    « EXCLUSION FROM PROSECUTION FOR CERTAIN COMPUTER CRIMES FOR THOSE TAKING ACTIVE CYBER DEFENSE MEASURES. »
    There are some good ideas in there, but also a lot of misunderstanding on the lawmakers’ side… they clearly don’t get what cyber is.
  • 41. IANAL - self-defence
    French law (Article 122-5 du code pénal), translated:
    « A person is not criminally liable who, faced with an unjustified attack on themselves or another, performs, at the same time, an act required by the necessity of the legitimate defence of themselves or another, unless there is a disproportion between the means of defence used and the seriousness of the attack.
    A person is not criminally liable who, in order to interrupt the commission of a crime or an offence against property, performs an act of defence, other than intentional homicide, when that act is strictly necessary for the aim pursued, provided the means used are proportionate to the seriousness of the offence. »
    You can interrupt the execution of a crime or an offence against you or against property (physical or digital) if: necessity of self-defence + seriousness of the attack + proportionate means.
    In France we have a law called « Self-Defence » that could be interpreted in the cyber domain. Although it’s very difficult to prove the ‘necessity’ of a hack-back.
  • 42. Key takeaways
    • Everybody serious about cyber does it, consciously or unconsciously
    • If you do, don’t talk about it
    • Grey area – not regulated
    • High risk of collateral damage: in 90% of the cases you don’t know who you’re hacking back
    • We certainly need a legal framework for a right to actively defend yourself
      • If the collateral damage can be controlled/limited
      • Proportionate & fair
      • In France, PASSI-like certified hack backs?
    • 📈 Hot topic – increasing activity
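The honeytoken idea from slides 15 and 19 (bait that only an intruder would touch, and that tells you where the touch came from) in a web-era form, as an added example that is not part of the talk: each decoy document gets a unique, unguessable link, and a small monitor reads web-server access logs and raises an alert only for links that were actually planted. The combined log format, the /docs/<token>.pdf URL scheme, the placements and all log lines are this example’s own constructed assumptions, not anything the talk prescribes.

```python
"""Honeytoken monitor: a web-era version of the SDINET document bait.

Each decoy document carries a unique link. Nobody legitimate knows those
links, so a request for one means the decoy was read, and the request
itself says where from (source IP, user agent, referer) and which
placement was touched.

Added example, not code from the talk. Assumptions: Apache/nginx
"combined" log lines, decoys served under /docs/<token>.pdf.
"""
import re
import secrets
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Honeytoken:
    token: str        # 32 hex chars, random, unique per placement
    placement: str    # where the decoy was planted, so a hit says which bait worked
    description: str  # what the decoy pretends to be


def mint_token(placement: str, description: str) -> Honeytoken:
    """Fresh token: 128 bits of randomness make the path unguessable."""
    return Honeytoken(secrets.token_hex(16), placement, description)


def decoy_url(base: str, ht: Honeytoken) -> str:
    """URL to embed in the decoy document (scheme chosen for this example)."""
    return f"{base}/docs/{ht.token}.pdf"


# Apache/nginx combined log format (assumption about the server's logging).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TOKEN_PATH_RE = re.compile(r"^/docs/(?P<token>[0-9a-f]{32})\.pdf$")


@dataclass(frozen=True)
class Alert:
    ip: str
    when: datetime
    placement: str
    description: str
    user_agent: str
    referer: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def scan_log(lines: List[str], registry: Dict[str, Honeytoken]) -> List[Alert]:
    """One Alert per request that hit a token we actually planted."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                             # malformed line: never crash the monitor
        path = rec["path"].split("?", 1)[0]      # drop any query string before matching
        pm = TOKEN_PATH_RE.match(path)
        if pm is None:
            continue                             # ordinary traffic
        ht = registry.get(pm.group("token"))
        if ht is None:
            continue                             # well-formed but unknown token: not one of ours
        when = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        alerts.append(Alert(rec["ip"], when, ht.placement, ht.description,
                            rec["ua"], rec["referer"]))
    return alerts


def sources(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Placements grouped by source IP: the 'where from' view of slide 19."""
    out: Dict[str, set] = {}
    for a in alerts:
        out.setdefault(a.ip, set()).add(a.placement)
    return {ip: sorted(p) for ip, p in out.items()}


# Constructed sample data (fixed tokens so the run is reproducible).
T1 = "3f8c9b2d1e7a4c5b6d9e0f1a2b3c4d5e"
T2 = "9a1b2c3d4e5f60718293a4b5c6d7e8f0"
T_UNKNOWN = "0" * 32
SAMPLE_REGISTRY = {
    T1: Honeytoken(T1, "fileserver:/finance/Q3-forecast.docx", "SDINET-style document index"),
    T2: Honeytoken(T2, "mailbox:ceo/drafts", "link in a planted e-mail draft"),
}
SAMPLE_LOG = [
    f'203.0.113.7 - - [21/May/2018:10:14:03 +0200] "GET /docs/{T1}.pdf HTTP/1.1" 200 18233 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '198.51.100.9 - - [21/May/2018:10:15:20 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    f'203.0.113.7 - - [21/May/2018:10:16:00 +0200] "GET /docs/{T_UNKNOWN}.pdf HTTP/1.1" 404 0 "-" "curl/7.58.0"',
    f'198.51.100.23 - - [21/May/2018:11:02:41 +0200] "GET /docs/{T2}.pdf?src=mail HTTP/1.1" 200 18233 "http://webmail.example/" "Mozilla/5.0 (X11; Linux)"',
    "this line is not a log record",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG, SAMPLE_REGISTRY):
        print(f"{a.when.isoformat()} {a.ip} read decoy '{a.description}' planted at {a.placement} (UA: {a.user_agent})")
```

Only requests for tokens in the registry become alerts: a well-formed but unknown token (the 404 line above) is someone probing the URL scheme, not a bait being taken, and is deliberately kept out of the attribution view. As the talk’s pyramid notes, this tier is cheap and quiet compared with anything above it: it tells you which bait was read and from where, nothing more.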