
Strike back and you could strikeout


Between agenda-pushing hacktivists, financially-motivated cyber criminals and spying nation states, there is no shortage of attackers out there breaking into networks, stealing trade secrets and wreaking havoc.

With this constant deluge of aggressive and costly security breaches, it is no surprise that some people are frustrated enough to consider a countermeasure that has previously only been whispered about in back rooms: striking back directly against the attackers. But while giving cyber criminals a taste of their own medicine does sound pretty appealing, most forms of strike-back do not have a place in private business.

The idea of launching a counterattack against cyber criminals who launch an attack is not new. Counter-hacking, or proactive defence, has been discussed at just about every security conference over the last few years. After all, many in the cyber security industry are as capable of breaching systems as the enemy.

In fact, the bad guys often leverage tools and code created by good guy security professionals. But recently, the idea of striking back against attackers has shifted from lighthearted fantasy to a potentially disturbing reality. Some security companies are even offering strike-back solutions. There are three ways companies have started approaching strike-back initiatives:

  • Legal strike-back – This is the least offensive form of strike-back. An organisation, in cooperation with the authorities, gathers as much intelligence as possible about the attackers — typically by following the money trail — and then uses any legal manoeuvring possible to try to prosecute them.
  • Passive strike-back – This is essentially cyber entrapment. An organisation installs a sacrificial system, baited with booby-trapped files or Trojan-laced information an attacker might desire.
  • Active strike-back – In this approach, an organisation identifies an IP address from which the attack appears to be coming and launches a direct counterattack against it.

Strike-back strategies and active measures carry inherent risks, however. The biggest issue is that the anonymity the internet provides makes it very hard to know who is really behind an attack, so a strike-back measure could hit an innocent third party.

For example, attackers have started to purposely plant false flags into their code, suggesting the code came from another organisation in order to sabotage that company.

Another key issue is that internet crimes tend to pass through many geographies and legal jurisdictions. Not only are you inviting potential legal problems by striking back against attackers in your own country, but when your actions cross borders the ramifications are far wider.

Additionally, most strike-back activity is illegal. It is illegal for the average person to track down and punish a burglar who ransacked a house, and the same is true for cyber crimes. If an organisation uses a booby-trapped document to install a Trojan on the attacker's network, it is technically breaking the same type of computer fraud and abuse laws that the attacker broke to steal the information in the first place.

When it comes down to it, strike-back is simply revenge. If a network has already been breached, striking back against the attacker doesn't recover stolen data or repair damage that has already been done. Time is better spent pursuing legal investigations and prosecutions through the proper channels.

Companies don't have to sink to a cyber criminal's level to protect themselves. First and foremost, they need to implement a multi-layered security policy to increase the chances of catching hints of an advanced attack. For example, a zero-day browser exploit might sneak past an IPS, but a proactive malware detection solution may still catch the dropper file it uses as its payload.

Unfortunately, many companies are still just relying on legacy firewalls and old-school anti-virus rather than a comprehensive, multifaceted solution.

Just as important as implementing a comprehensive security policy is ensuring it is configured properly. A number of surveys suggest most network breaches are due to organisations either misconfiguring or not implementing basic and intermediate security controls. Security controls can't protect networks if they are not properly deployed and closely managed.

Also, most organisations focus almost exclusively on attack prevention. No matter how strong a company's preventative defences, its network could still be breached. A security programme should therefore also include network and security visibility tools that help identify and respond to anomalies.

Security professionals should keep in mind that there is nothing wrong with actively blocking a source that is suspected of attacking them. Some security controls can auto-block the source of suspected attacks, for example by putting the source address of a port scan in a ‘time out’ box, or by blocking all of its traffic.
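The auto-blocking described above, as an added illustration that is not part of the original article: a small detector that counts distinct destination ports per source over a sliding window, parks a source that trips the threshold in a time-out box, and drops its traffic until the time-out expires. The log format, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque

# Constructed sample firewall-style log (not from any real device): one host
# sweeps 12 ports in 12 seconds, a normal client alternates 80/443, and the
# sweeping host returns after its time-out has expired.
SAMPLE_LOG = sorted(
    [f"{100 + i} CONNECT src=203.0.113.7 dst=192.0.2.10 dport={20 + i}" for i in range(12)]
    + [f"{100 + i} CONNECT src=198.51.100.5 dst=192.0.2.10 dport={443 if i % 2 else 80}"
       for i in range(12)]
    + ["800 CONNECT src=203.0.113.7 dst=192.0.2.10 dport=8080"],
    key=lambda line: int(line.split()[0]),
)
LINE_RE = re.compile(r"^(?P<ts>\d+) CONNECT src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$")


class TimeoutBox:
    # Source addresses parked here are dropped until their expiry passes.
    def __init__(self, duration):
        self.duration = duration
        self.until = {}      # src -> expiry timestamp
        self.history = []    # (src, blocked_at) kept for audit

    def block(self, src, now):
        self.until[src] = now + self.duration
        self.history.append((src, now))

    def is_blocked(self, src, now):
        return now < self.until.get(src, float("-inf"))


def process_log(lines, threshold=10, window=60, duration=600):
    # Park a source that touches >= threshold distinct ports within `window` seconds.
    box = TimeoutBox(duration)
    recent = defaultdict(deque)  # src -> deque of (ts, dport) still inside the window
    dropped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dport = int(m["ts"]), m["src"], int(m["dport"])
        if box.is_blocked(src, ts):
            dropped += 1  # traffic from a parked source is discarded
            continue
        q = recent[src]
        q.append((ts, dport))
        while q and q[0][0] < ts - window:  # evict events older than the window
            q.popleft()
        if len({port for _, port in q}) >= threshold:
            box.block(src, ts)
            q.clear()
    return box, dropped
```

A fixed window only catches sweeps faster than threshold/window ports per second, so the thresholds need tuning against the traffic actually seen, and the audit history is what lets an analyst confirm a block was not a false positive.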

Strike-back offers no real advantage to normal organisations and is simply retaliation for a network breach. The potential risks are not worth it just to get revenge.

Instead, companies should focus their efforts on multi-layer defence that is correctly implemented and is monitored carefully to stop cyber criminals in their tracks.

Corey Nachreiner is director of security strategy at WatchGuard
