I bet plenty of IT security folks have had the following thought, at least once: “I wish I could screw around with these hackers the way they’re trying to screw around with me.” Who the hell wants to play defense all day every day, right?

According to Reuters, some companies are now hacking back. But just because you have the desire and means to do something doesn’t mean it’s a good idea. So let’s look at some of the pros and cons. (For more on retaliatory cyber attacks and how they affect the U.S. government's efforts to pass cyber weapons treaties, read "Corporate Cyber Attacks Slow Weapons Treaty Progress.")

Kevin Fogarty, who writes the CoreIT column for IT World, has a very good overview of counter strikes:

"One tactic is to set up honey pots and repositories of fake data that can give attackers the idea they've hit the mother lode, only to realize later they've been mining pyrite instead. Another is to let hackers take documents faked or booby-trapped in ways that will identify the thieves later, or reveal information about the location, ownership and possible vulnerabilities of the hackers' machines.

"Counterstrikes, which are almost always covert due to the potential for the victimized company to break the same laws as their attackers, are still controversial among security pros. They raise the stakes of an attack, inviting more serious counterattack, which is a losing game if the attacker is a national security agency rather than an organized crime gang."

So why even try? Well, because you’ve got to try something, that’s why.

“The internet today is in some ways the Wild West,” says Dominique Karg, founder and chief hacking officer at security company AlienVault. “There is an element of 'You shoot me, I shoot you. You steal my horse, I hang you.' More weapons than lawmen, if you will. In this Wild West scenario, though, we face an even bigger problem. Our companies are often being attacked by people backed up by their own governments, i.e. they aren't doing anything that can be punished by our laws and they don't fear any legal consequences.”

Unlike a lot of IT security types, Karg is pro-counterattack. Continuing with the Wild West idea, he thinks companies might eventually form “a global network of ‘vigilantes’ to be able to take down things where governments and police don't and should not have access."

However, companies should only "hack back" if they have the necessary resources. Once you counter-attack--sorry, practice “active defense”--you have to assume you'll be subject to further attacks. And businesses should keep in mind that they could be up against the security services of a certain unnamed nation with the largest population of any country on the planet.

So, don’t try this at home unless you are a professional. In James Crumley’s great detective novel The Last Good Kiss someone asks the sheriff why he doesn’t carry a pistol. “If someone wants to shoot me they’re going to have to bring their own gun,” he replies. Same rule applies here.

Even if you do decide to carry a gun, you should have rules of engagement for what you will and won’t do. Karg suggests, “Do not allow direct network attacks to IP addresses, since many attackers will bounce through the networks of unknowing organizations or other innocent proxies to attack third parties. But, do allow someone to reverse any type of code and/or "poison" responses to data capture devices that may corrupt/deny operation of the collecting software and other similar low-collateral-damage-counterattacks.”

Hmmm, rules in a knife fight? That didn't work out so well in Butch Cassidy and the Sundance Kid. Also, it is the nature of combat to escalate, and escalation always means increasing the number of non-combatants who are at risk.

According to Amichai Shulman, CTO of Imperva, “Deliberately introducing viral code into end-points is one of these things that will only end in tears. Any misconfiguration or vulnerability in the ‘protection’ code will allow attackers to efficiently introduce their code into each end point in the organization.”

This is why it's sometimes better to avoid a fight in the first place. That doesn’t mean corporations have to be passive, though. “Passive defense hasn’t worked,” says David Koretz, vice president and general manager at Mykonos Software. “Companies are looking for ways to take a more active security posture, instead of having to react after an attack is well underway. We have to change the economics of hacking.”

Koretz is a proponent of the “If you can’t beat ’em into submission, fool ’em” school of response. In other words, camouflage and deception techniques. This is by far the most popular approach with IT Security types.

“Hackers can easily use automated tools to identify and exploit vulnerabilities in websites with tremendous reach and scale,” he says. “By taking a proactive approach using intrusion deception technology, companies can deceive attackers into revealing actionable intelligence on their methods, ultimately, making hacking more expensive and time consuming. By blocking the effectiveness of their automated tools and neutralizing threats as they occur, companies can prevent loss of data and save potentially millions of dollars from prevention of fraud or lost revenue.”

What do you think? Is it ever time for companies to break out the shotguns? Or are they better off trying to make fools of the bad guys?