Preventing the Other Kind of Hack Back

There has been endless discussion among security professionals about the ethics, propriety, legality, and effectiveness of corporations “hacking back” against attackers. On the other hand, there is no hesitation on the part of attackers to hack back against threat intelligence researchers who are investigating them. Identification and retaliation are a constant risk for anyone probing the darkest back alleys of the internet.

There are two paths criminals use to attack investigators: they can try to compromise the investigator’s computer directly, or they can identify and attack the organization behind the investigation. Many techniques can protect against both paths.

What’s at Risk

Of the two, attacks on the organization are potentially the more damaging. If you properly hide your identity during your investigations, the target does not know who to attack. Counter-attacks on your organization can take many forms, including DDoS, phishing, and direct intrusion, and in some cases the target goes after the investigating organization’s reputation instead. I worked with a toy company that discovered that some of its products were appearing in adult videos. In the course of their unprotected research, they were identified. The adult video website then publicized the fact that the toy company personnel were frequent visitors to the website, causing the company significant embarrassment.

Covering Your Tracks

As the Russian DNC hackers showed, maintaining anonymity is not easy. The first step is to ensure that the IP address your target sees is not associated with your organization. It should not be a company IP, and it also should not be the coffee shop in your building or any other address that could easily be connected with the organization. Because many protocols can leak identifying information (DNS lookups that bypass the tunnel are a common example), take care to ensure that all communications from your desktop, not just your browser traffic, go out through your chosen IP.

It is critical to hide your identity from the very first contact with a target, and every time after that. The Russian hackers forgot to turn on their VPN only once, exposing their real IP address. From that one mistake, all of their activities could be attributed back to the GRU.

Hiding your Fingerprint

After hiding your IP, you need to take care of all the other ways an attacker can identify your computer. Your browser fingerprint, cookies, and supercookies can all quickly expose your organization. Conducting all of your investigations inside a clean virtual machine, used only for this purpose, is very effective at protecting your identity. Even seemingly innocuous activities can expose you: any personal browsing, searching, or social media use within the virtual machine can leak identifying information to a savvy opponent.

Carefully isolating the virtual machine from your real desktop goes a long way toward limiting the damage from any direct counter-attack during an investigation. Any malware that gets past your scanners is destroyed when the virtual machine is rolled back to its clean snapshot. Restricting all network traffic so that it can only flow over the VPN to your chosen exit point, and dropping everything else so that the VM fails closed if the tunnel goes down, ensures that malware cannot scan your local network for vulnerable targets or identifying device names.
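The discipline described in the last two sections (chosen exit IP, nothing leaking around the tunnel, every single session) is the kind of thing that is easy to get wrong once, as the article notes. The following is an added example of a pre-flight check that a researcher might run inside the research VM before starting a session; it is not code from the article or its author. It assumes a tunnel interface named `tun0`, a resolver pushed by the VPN in `10.8.0.0/24`, and constructed "attributable" ranges standing in for the corporate egress and the coffee shop in the building. Inputs are the exit IP reported by a "what is my IP" service, the output of `ip route`, and `/etc/resolv.conf`; any finding means the session must not start.

```python
"""Session pre-flight check for a research VM (added example, not the article's own code).

Fails closed: if any finding is returned, do not start investigating.
All ranges, interface names and sample command output below are constructed.
"""
import ipaddress
import re

# Constructed: every range that would tie the session back to the organisation.
ATTRIBUTABLE_RANGES = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",   # corporate egress (constructed)
    "198.51.100.0/24",  # coffee shop in the building (constructed)
)]
# Addresses that can never be a VPN exit; seeing one means the tunnel is down.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]
VPN_IFACE = "tun0"                                # constructed interface name
VPN_DNS = ipaddress.ip_network("10.8.0.0/24")     # resolver pushed by the VPN (constructed)


def check_exit_ip(observed_ip: str) -> list[str]:
    """observed_ip is what a 'what is my IP' service returned over the tunnel."""
    ip = ipaddress.ip_address(observed_ip)
    findings = []
    if any(ip in net for net in NON_ROUTABLE):
        findings.append(f"exit IP {ip} is not routable: the VPN is not up")
    for net in ATTRIBUTABLE_RANGES:
        if ip in net:
            findings.append(f"exit IP {ip} is inside attributable range {net}")
    return findings


def check_default_route(ip_route_output: str) -> list[str]:
    """Every default route must leave through the VPN interface."""
    devs = re.findall(r"^default\s+via\s+\S+\s+dev\s+(\S+)", ip_route_output, re.M)
    if not devs:
        return ["no default route: the VPN is not up"]
    return [f"default route leaves via {d}, not {VPN_IFACE}" for d in devs if d != VPN_IFACE]


def check_resolvers(resolv_conf: str) -> list[str]:
    """DNS must go through the tunnel too, or lookups reveal the real network."""
    servers = re.findall(r"^nameserver\s+(\S+)", resolv_conf, re.M)
    if not servers:
        return ["no resolver configured"]
    return [f"resolver {s} is outside the VPN; DNS queries would leak"
            for s in servers if ipaddress.ip_address(s) not in VPN_DNS]


def preflight(observed_ip: str, ip_route_output: str, resolv_conf: str) -> list[str]:
    """Return every finding; an empty list means the session may start."""
    return (check_exit_ip(observed_ip)
            + check_default_route(ip_route_output)
            + check_resolvers(resolv_conf))


# Constructed sample command output for a correctly configured VM ...
GOOD_ROUTES = """default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""
GOOD_RESOLV = "nameserver 10.8.0.1\n"

# ... and for the slip the article describes: VPN forgotten, office network in use.
BAD_ROUTES = """default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""
BAD_RESOLV = "nameserver 192.168.1.1\nnameserver 203.0.113.53\n"

if __name__ == "__main__":
    for label, ip, routes, resolv in (("good", "192.0.2.10", GOOD_ROUTES, GOOD_RESOLV),
                                      ("bad", "203.0.113.42", BAD_ROUTES, BAD_RESOLV)):
        findings = preflight(ip, routes, resolv)
        print(label, "OK" if not findings else "\n  ".join(["BLOCKED:"] + findings))
```

In practice the three inputs come from a live `curl` to an IP-echo service, `ip route`, and the resolver file, and the check is wired into whatever launches the research browser so that a non-empty finding list prevents the browser from starting at all. The resolver check matters as much as the exit IP: a tunnel that carries web traffic while DNS still goes to the office resolver announces every site you look up to your own network and, potentially, to anyone watching it.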

Actively investigating and infiltrating criminal groups online is not “hacking back,” but it may provoke that as a response. Taking proper care during your online activities can ensure that you get the information you need without putting yourself at risk.


Original author: Lance Cottrell