Is hacking back a wise decision?

What exactly is Hack Back? 

In a nutshell Hack Back is essentially taking intrusive action against a cyber attacker on their assets. It is exactly what it sounds like, hacking the hackers back. This action is generally illegal in countries that have anti-hacking laws.  

It is easy to understand the appeal of Hack Back. Organisations are constantly subjected to varied threats and costly attacks, usually from cyber criminals with no fear of consequence or prosecution due to the existence of safe-haven states that either can’t or won’t crack down on their activities. The scales are firmly stacked in favour of the cyber criminals and it’s understandable that organisations want to shift the balance of power and give threat actors a reason to think twice before targeting them. Arguments in favour of hacking back tend to justify it in a number of ways, for instance the recovery of lost data or understanding the nature of an attack. 

Impracticalities and Consequences 

Some people liken hacking back to homeowners defending their house from intruders, evoking images of attackers armed and ready to break into your house while you do what you can to defend it. In reality it is more akin to standing outside your house spraying rounds of bullets into the street and hoping to get lucky and hit an attacker. Such an approach, even if you do manage to hit an attacker, can lead to massive amounts of collateral damage as well. 

If you take actions targeting a specific threat actor or group of threat actors it would be extremely difficult to ensure that action won’t unintentionally have negative impacts on people who are innocent. This should be an incentive to reconsider taking action to retaliate. The potential damage of a Hack back gone wrong could have far reaching consequences. 

Organisations that believe they can avoid negative outcomes the majority of the time need to be aware of the costly damage that even just one or two errors could cause.   If an error resulted in the compromise of another company, the hack backer could see themselves tied up in expensive legal proceedings, reputational damage, and loss of trust.  

3 Reasons Why Hacking Back is Inadvisable 

• Most companies lack the skills to take on expert assailants - Few people have the knowhow and expertise necessary to carry out a hack in a controlled fashion 
• It’s difficult to know for sure who is behind a cyber attack - Hackers are masters of obfuscation and covering their tracks. It is hard to determine whether a computer that appears to be behind an attack hasn’t also been breached 
• Private Organisations could find themselves confronting nation-states - Countries such as Russia and Iran are thought to be behind some of the biggest cyber threats facing organisations and it certainly wouldn’t be wise for a single company to take them on 

An example of a Hack Back that ended badly is the story of Blue Security. Blue Security was an Israeli security company that developed a software bug called ‘Blue Frog’. The program was designed to spam spammers if the spammers refused to stop sending spam to Blue Security’s customers. Their efforts were successful for a while until one spammer decided to fight back. This spammer targeted Blue Security so much that the company had to shut down because of the damage caused and the threat of more to come.  

The key point to take away here is that if you are unprepared for a digital war then you shouldn’t take the unnecessary risk of ruffling the feathers of cyber criminals who likely not only have more experience in hacking but are also more able to cause damage. Don’t try to send a message to hackers by targeting them if you’ve been the victim of an attack, make sure you have proper defences in place and contact authorities if you have been targeted by cyber criminals.