Hitting Back At Hackers: Why "Strikeback" Is Doomed To Fail

Guest author Corey Nachreiner, CISSP, is director of security strategy for WatchGuard Technologies.

Between agenda-pushing hacktivists, money-grubbing cyber criminals, and — more recently — belligerent nation states, there is no shortage of attackers breaking into networks, stealing trade secrets and generally wreaking havoc throughout IT infrastructure.

Even the U.S. government has noticed, with the latest National Intelligence Estimate (NIE) warning that the country is the target of a major cyber espionage campaign from China. In fact, network penetrations have become so commonplace that President Obama recently signed a cyber-security executive order in hopes of fortifying our defenses, and encouraging the government and critical private sector organizations to share intelligence.

(See also World War III Is Already Here - And We're Losing.)

Considering this deluge of aggressive and costly security breaches, it’s no wonder that some people are getting frustrated enough to contemplate striking back directly against our attackers. While giving cyber criminals a taste of their own medicine certainly sounds appealing, most forms of so-called "Strikeback" have no place in private business.

What Is Strikeback?

The idea of launching counterattacks against cyber criminals is not new. Security geeks at information security conferences have been discussing counter-hacking and proactive defense for years.

After all, many in the cyber security community are just as capable of breaching systems as the enemy (if not more so). In fact, the “black hats” often leverage tools and code created by “white hat” security professionals. Lately, though, this idea of striking back against attackers has shifted from lighthearted fantasy to potentially disturbing reality - some security companies have even begun offering strikeback solutions.

There are different ways companies have started approaching strikeback initiatives. They have loosely evolved into three general categories:

Legal Strikeback: This is the least offensive form of strikeback. It’s where organizations, in cooperation with the authorities, gather as much intelligence as possible about attackers — typically by following the money trail — and then use any legal maneuvering possible to try and prosecute attackers.

Passive Strikeback: This is essentially cyber entrapment. An organization installs a sacrificial system, baited with booby-trapped files or Trojan-laced information an attacker might desire.

Active Strikeback: In this approach, an organization identifies an IP address from which the attack appears to be coming, and launches a direct counterattack.

What’s Wrong With Strikeback?

Unfortunately, direct strikeback measures have huge inherent risks:

Targeting: The biggest problem with strikeback is that the Internet provides anonymity, making it very hard to know who’s really behind an attack. It's all too likely that strikebacks could impact innocent victims. For example, attackers have started to purposely plant false flags into their code, suggesting it came from another organization in order to sabotage that company.

Geography: Another key issue is that Internet crimes tend to pass through many geographies and legal jurisdictions. Domestic strikebacks invite potential legal problems, but cross-border actions have even wider ramifications.

Legal: Additionally, most strikeback activity is illegal. It is against the law for the average person to track down and punish a burglar who ransacked a house, and the same principles hold true for cybercrimes. If an organization uses a booby-trapped document to install a Trojan on the attacker’s network, it is technically breaking the same type of computer fraud and abuse laws that the attacker broke to steal information in the first place.

Revenge: When it comes down to it, strikeback is simply revenge. If a network has already been breached, striking back against the attacker typically doesn’t recover stolen data or repair damage that has already been done. It's almost always better to pursue legal investigations and prosecutions through the proper channels.

Strikeback simply doesn’t belong in private business. It offers no real advantages to most organizations, and it carries serious risks that far outweigh the short-lived satisfaction of revenge. Instead, companies should focus their security strategies on well-implemented, carefully monitored, multi-layer defenses designed to keep cyber criminals from breaching their networks in the first place.

Image courtesy of Shutterstock.