Between agenda-pushing hacktivists, financially-motivated cyber criminals and spying nation states, there is no shortage of attackers out there breaking into networks, stealing trade secrets and wreaking havoc.
With this constant deluge of aggressive and costly security breaches, it is no surprise that some people are frustrated enough to consider a countermeasure that has previously only been whispered about in back rooms: striking back directly against the attackers. But while giving cyber criminals a taste of their own medicine does sound pretty appealing, most forms of strike-back do not have a place in private business.
The idea of launching a counterattack against cyber criminals is not new. Counter hacking, or proactive defence, has been discussed at just about every security conference over the last few years. After all, many in the cyber security industry are as capable of breaching systems as the enemy.
In fact, the bad guys often leverage tools and code created by good guy security professionals. But recently, the idea of striking back against attackers has shifted from lighthearted fantasy to a potentially disturbing reality. Some security companies are even offering strike-back solutions. There are three ways companies have started approaching strike-back initiatives:
- Legal strike-back – This is the least offensive form of strike-back. An organisation, in cooperation with the authorities, will gather as much intelligence as possible about attackers — typically by following the money trail — and then use any legal maneuvering possible to try and prosecute attackers.
- Passive strike-back – This is essentially cyber entrapment. An organisation installs a sacrificial system, baited with booby trapped files or Trojan-laced information an attacker might desire.
- Active strike-back – In this approach, an organisation identifies an IP address from which the attack appears to be coming and launches a direct counterattack.
Strike-back strategies and active measures carry inherent risks, however. The biggest issue is that the anonymity the internet provides makes it very hard to know who is really behind an attack, so a strike-back measure could land on an innocent third party.
For example, attackers have started to purposely plant false flags into their code, suggesting the code came from another organisation in order to sabotage that company.
Another key issue is that internet crimes tend to pass through many geographies and legal jurisdictions. Striking back against attackers in your own country already invites potential legal problems; when your actions cross borders, the ramifications are much wider.
Additionally, most strike-back activity is illegal. It is illegal for the average person to track down and punish a burglar who ransacked a house and the same is true for cyber crimes. If an organisation uses a booby trapped document to install a Trojan on the attacker's network, it is technically breaking the same type of computer fraud and abuse laws that the attacker broke to steal information in the first place.
When it comes down to it, strike-back is simply revenge. If a network has already been breached, striking back against the attacker doesn't recover stolen data or repair damage that has already been done. Time is better spent pursuing legal investigations and prosecutions through the proper channels.
Companies don't have to sink to a cyber criminal's level to protect themselves. First and foremost they need to implement a multi-layered security policy to increase the chances of catching hints of an advanced attack. For example, a zero-day browser exploit might sneak past an intrusion prevention system (IPS), but a proactive malware detection solution may still catch the dropper file it uses as its payload.
Unfortunately, many companies are still just relying on legacy firewalls and old-school anti-virus rather than a comprehensive, multifaceted solution.
Just as important as implementing a comprehensive security policy is ensuring it is configured properly. A number of surveys suggest most network breaches are due to organisations either mis-configuring or not implementing basic and intermediate security controls. Security controls can't protect networks if they are not properly deployed and closely managed.
Also, most organisations focus almost exclusively on attack prevention. No matter how strong a company's preventative defences, its network could still get breached. Security strategies should therefore also include network and security visibility tools that help identify and respond to anomalies.
Security professionals must keep in mind there is nothing wrong with actively blocking a source that is suspected of attacking. Some security controls can auto-block the source of suspected attacks, putting the source address of a particular port scan in a 'time out' box or blocking all its traffic.
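As an added illustration of the 'time out' box described above (example code written for this page, not a feature of any product the article mentions): a small Python detector replays constructed firewall log lines, flags any source that touches many distinct destination ports within a short window, and drops that source's traffic for a fixed period rather than permanently. The log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not from the article): one scanner walking
# ports 20-31 on a host, one normal client talking to 443/80, and one scanner
# packet much later, after its block should have expired.
SAMPLE_LOG = (
    [f"2024-01-01T10:00:{i:02d} src=203.0.113.5 dst=192.0.2.10 dport={20 + i}" for i in range(12)]
    + [f"2024-01-01T10:00:{i:02d} src=198.51.100.7 dst=192.0.2.10 dport=443" for i in range(30)]
    + ["2024-01-01T10:00:30 src=198.51.100.7 dst=192.0.2.10 dport=80",
       "2024-01-01T10:20:00 src=203.0.113.5 dst=192.0.2.10 dport=80"]
)

SCAN_THRESHOLD = 10                   # distinct destination ports from one source ...
SCAN_WINDOW = timedelta(seconds=60)   # ... within this window counts as a port scan
TIMEOUT_BOX = timedelta(minutes=15)   # how long a flagged source stays blocked (assumed)

def parse_line(line):
    """Parse 'ISO-timestamp key=value ...' into (timestamp, src, dport)."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_str), fields["src"], int(fields["dport"])

def detect_and_block(lines, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW, timeout=TIMEOUT_BOX):
    """Replay log lines in time order. Returns (blocked, dropped): blocked maps each
    flagged source to the time its block expires; dropped counts events that arrived
    while their source was in the time-out box and would have been discarded."""
    recent = defaultdict(list)   # src -> [(timestamp, dport)] inside the sliding window
    blocked, dropped = {}, 0
    for line in sorted(lines):   # ISO timestamps sort lexically, so this is time order
        ts, src, port = parse_line(line)
        if src in blocked and ts < blocked[src]:
            dropped += 1         # still in the time-out box: drop and do not record
            continue
        recent[src] = [(t, p) for t, p in recent[src] if ts - t <= window] + [(ts, port)]
        if len({p for _, p in recent[src]}) >= threshold:
            blocked[src] = ts + timeout   # temporary block, not a permanent blacklist
    return blocked, dropped

if __name__ == "__main__":
    blocked, dropped = detect_and_block(SAMPLE_LOG)
    for src, until in blocked.items():
        print(f"{src} placed in time-out box until {until.isoformat()}")
    print(f"{dropped} events dropped while their source was blocked")
```

Because the block expires, the scanner's packet at 10:20 is evaluated afresh and is not dropped; the normal client never exceeds the threshold and is never touched.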
Strike-back really offers no real advantages to normal organisations and is simply retaliation for a network breach. The potential risks are not worth it just to get revenge.
Corey Nachreiner is director of security strategy at WatchGuard