Should Companies Launch Counterattacks Against Hackers?

I bet plenty of IT security folks have had the following thought, at least once: “I wish I could screw around with these hackers the way they’re trying to screw around with me.” Who the hell wants to play defense all day every day, right?

According to Reuters, some companies are now hacking back. But just because you have the desire and means to do something doesn’t mean it’s a good idea. So let’s look at some of the pros and cons. (For more on retaliatory cyber attacks and how they affect the U.S. government’s efforts to pass cyber weapons treaties, read “Corporate Cyber Attacks Slow Weapons Treaty Progress.”)

Kevin Fogarty, who writes the CoreIT column for IT World, has a very good overview of counter strikes:

“One tactic is to set up honey pots and repositories of fake data that can give attackers the idea they’ve hit the mother lode, only to realize later they’ve been mining pyrite instead. Another is to let hackers take documents faked or booby-trapped in ways that will identify the thieves later, or reveal information about the location, ownership and possible vulnerabilities of the hackers’ machines.

“Counterstrikes, which are almost always covert due to the potential for the victimized company to break the same laws as their attackers, are still controversial among security pros. They raise the stakes of an attack, inviting more serious counterattack, which is a losing game if the attacker is a national security agency rather than an organized crime gang.”

So why even try? Well, because you’ve got to try something, that’s why.

“The internet today is in some ways the Wild West,” says Dominique Karg, founder and chief hacking officer at security company AlienVault. “There is an element of ‘You shoot me, I shoot you. You steal my horse, I hang you.’ More weapons than lawmen, if you will. In this Wild West scenario, though, we face an even bigger problem. Our companies are often being attacked by people backed up by their own governments, i.e. they aren’t doing anything that can be punished by our laws and they don’t fear any legal consequences. “

Unlike a lot of IT security types, Karg is pro-counterattack. Continuing with the Wild West idea he thinks companies might eventually form “a global network of ‘vigilantes’ to be able to take down things where governments and police don’t and should not have access.”

However companies should only “hack back” if they have the necessary resources. Once you counter-attack–sorry, practice “active defense”–you have to assume you’ll be subject to further attacks. And businesses should keep in mind that they could be up against the security services of a certain unnamed nation with the largest population of any country on the planet.

So, don’t try this at home unless you are a professional. In James Crumley’s great detective novel The Last Good Kiss someone asks the sheriff why he doesn’t carry a pistol. “If someone wants to shoot me they’re going to have to bring their own gun,” he replies. Same rule applies here.  

Even if you do decide to carry a gun, you should have rules of engagement for what you will and won’t do. Karg suggests, “Do not allow direct network attacks to IP addresses, since many attackers will bounce through the networks of unknowing organizations or other innocent proxies to attack third parties. But, do allow someone to reverse any type of code and/or “poison” responses to data capture devices that may corrupt/deny operation of the collecting software and other similar low-collateral-damage-counterattacks.”

Hmmm, rules in a knife fight? That didn’t work out so well in Butch Cassidy and the Sundance Kid. Also, it is the nature of combat to escalate, and escalation always means increasing the number of non-combatants who are at risk.

According to Amichai Shulman, CTO of Imperva, “Deliberately introducing viral code into end-points is a one of these things that will only end in tears. Any misconfiguration or vulnerability in the ‘protection’ code will allow attackers to efficiently introduce their code into each end point in the organization.”

This is why it’s sometimes better to avoid a fight in the first place. That doesn’t mean corporation have to be passive, though. “Passive defense hasn’t worked,” says David Koretz, vice president and general manager at Mykonos Software. “Companies are looking for ways to take a more active security posture, instead of having to react after an attack is well underway. We have to change the economics of hacking.”

Koretz is a proponent of the “If you can’t beat ‘em into submission, fool ‘em” school of response. In other words, camouflage and deception techniques. This is by far the most popular approach with IT Security types.

“Hackers can easily use automated tools to identify and exploit vulnerabilities in websites with tremendous reach and scale,” he says. “By taking a proactive approach using intrusion deception technology, companies can deceive attackers into revealing actionable intelligence on their methods, ultimately, making hacking more expensive and time consuming. By blocking the effectiveness of their automated tools and neutralizing threats as they occur, companies can prevent loss of data and save potentially millions of dollars from prevention of fraud or lost revenue.”

What do you think? Is it ever time for companies to break out the shotguns? Or are they better off trying to make fools of the bad guys? Post a comment below or drop me a line here.