Hitting Back At Hackers: Why “Strikeback” Is Doomed To Fail

Guest author Corey Nachreiner, CISSP, is director of security strategy for WatchGuard Technologies.

Between agenda-pushing hacktivists, money-grubbing cyber criminals, and — more recently — belligerent nation states, there is no shortage of attackers breaking into networks, stealing trade secrets and generally wreaking havoc throughout IT infrastructure.

Even the U.S. government has noticed, with the latest National Intelligence Estimate (NIE) warning that the country is the target of a major cyber espionage campaign from China. In fact, network penetrations have become so commonplace that President Obama recently signed a cyber-security executive order in hopes of fortifying our defenses, and encouraging the government and critical private sector organizations to share intelligence.

Considering this deluge of aggressive and costly security breaches, it’s no wonder that some people are getting frustrated enough to contemplate striking back directly against our attackers. While giving cyber criminals a taste of their own medicine certainly sounds appealing, most forms of so-called “Strikeback” have no place in private business.

What Is Strikeback?

The idea of launching counterattacks against cyber criminals is not new. Security geeks at information security conferences have been discussing counter-hacking and proactive defense for years.

After all, many in the cyber security community are just as capable of breaching systems as the enemy (if not more so). In fact, the “black hats” often leverage tools and code created by “white hat” security professionals. Lately, though, this idea of striking back against attackers has shifted from lighthearted fantasy to potentially disturbing reality – some security companies have even begun offering strikeback solutions.

There are different ways companies have started approaching strikeback initiatives. They have loosely evolved into three general categories:

Legal Strikeback: This is the least offensive form of strikeback. It’s where organizations, in cooperation with the authorities, gather as much intelligence as possible about attackers — typically by following the money trail — and then use any legal maneuvering possible to try and prosecute attackers.

Passive Strikeback: This is essentially cyber entrapment. An organization installs a sacrificial system, baited with booby-trapped files or Trojan-laced information an attacker might desire.

Active Strikeback: In this approach, an organization identifies an IP address from which the attack appears to be coming, and launches a direct counterattack.

What’s Wrong With Strikeback?

Unfortunately, direct strikeback measures have huge inherent risks:

Targeting: The biggest problem with strikeback is that the Internet provides anonymity, making it very hard to know who’s really behind an attack. It’s all too likely that strikebacks could impact innocent victims. For example, attackers have started to purposely plant false flags into their code, suggesting it came from another organization in order to sabotage that company.

Geography: Another key issue is that Internet crimes tend to pass through many geographies and legal jurisdictions. Domestic strikebacks invite potential legal problems, but cross-border actions have even wider ramifications.

Legal: Additionally, most strikeback activity is illegal. It is against the law for the average person to track down and punish a burglar who ransacked a house, and the same principles hold true for cybercrimes. If an organization uses a booby-trapped document to install a Trojan on the attacker’s network, it is technically breaking the same type of computer fraud and abuse laws that the attacker broke to steal information in the first place.

Revenge: When it comes down to it, strikeback is simply revenge. If a network has already been breached, striking back against the attacker typically doesn’t recover stolen data or repair damage that has already been done. It’s almost always better to pursue legal investigations and prosecutions through the proper channels.

Strikeback simply doesn’t belong in private business. It offers no real advantages to most organizations, and it carries serious risks that far outweigh the short-lived satisfaction of revenge. Instead, companies should focus their security strategies on well-implemented, carefully monitored, multi-layer defenses designed to keep cyber criminals from breaching their networks in the first place.
