Corey Nachreiner, CISSP, Director of Security Strategy for WatchGuard Technologies, discusses the act of striking back against cyber criminals.
Between agenda-pushing hacktivists, money-grubbing cyber criminals, and—more recently—spying nation states, there is no shortage of attackers breaking into our networks, stealing our trade secrets, and generally wreaking havoc throughout IT infrastructure.
Considering this constant deluge of aggressive and financially costly security breaches, it’s no wonder that some people are getting frustrated enough to contemplate a countermeasure, previously only whispered about in secret: the idea of striking back directly against our attackers. While giving cyber criminals a taste of their own medicine might sound appealing, most forms of strikeback do not belong in private business.
What is strikeback?
The idea of launching a counter attack against cyber criminals who launch an attack is not a new one. If you’ve been to any information security conference in the past few years, you’ve probably, at least jokingly, discussed the ideas of counter-hacking or proactive defence with fellow security teams. After all, many in the cyber security community are just as capable at breaching systems as the enemy, if not more so. In fact, the “bad guys” often leverage tools and code created by “good guy” security professionals. However, lately this idea of striking back against attackers has shifted from the realm of light-hearted fantasy to potentially disturbing reality, to the point that security companies have even begun offering strikeback solutions.
There are different ways companies have started approaching strikeback initiatives. They have loosely evolved into three general categories:
- Legal strikeback – This is the least offensive form of strikeback. It’s where organisations, in cooperation with the authorities, gather as much intelligence as possible about attackers—typically by following the money trail—and then use any legal maneuvering possible to try and prosecute attackers.
- Passive strikeback – This is essentially cyber entrapment. An organisation installs a sacrificial system, baited with booby trapped files or Trojan-laced information that an attacker might desire.
- Active strikeback – In this approach, an organisation identifies an IP address from which the attack appears to be coming, and they launch a counter attack directly.
In general, strikeback strategies don’t belong in most private organisations, and direct strikeback measures have inherent risks associated with them.
The biggest issue with strikeback is that the Internet provides anonymity, making it very hard to know who’s really behind an attack, and a strikeback measure can affect innocent victims. For example, attackers have started to purposely plant false flags into their code, suggesting the code came from another organisation in order to sabotage that company.
Another key issue is that Internet crimes tend to pass through many geographies and legal jurisdictions. Not only are you inviting potential legal problems striking back against attackers in your own country, but when actions cross borders they bring with them much wider ramifications.
Additionally, most strikeback activity is illegal. It is illegal for the average person to track down and punish a burglar who ransacked a house, and such is the case for cyber crimes. If an organisation uses a booby trapped document to install a Trojan on the attacker’s network, it is technically breaking the same type of computer fraud and abuse laws that the attacker broke to steal information in the first place.
When it comes down to it, strikeback is simply revenge. If a network has already been breached, striking back against the attacker doesn’t recover stolen data or repair damage that has already been done. Time is better spent pursuing legal investigations and prosecutions through the proper channels.
If not strikeback, then what?
Organisations are frustrated and fearful of cyber attacks, which is why the idea of strikeback is gaining popularity. But companies don’t have to sink to a cyber criminal’s level to protect themselves.
First and foremost, organisations need to implement a multi-layered security policy to increase the chances of catching hints of an advanced attack. For example, a zero-day browser exploit might sneak past an IPS, but perhaps a proactive malware detection solution will catch the dropper file it uses as its payload. Unfortunately, many companies are still relying on legacy firewalls and old-school antivirus rather than a comprehensive, multifaceted solution.
Just as important as implementing a comprehensive security policy is ensuring it is configured properly. A number of surveys suggest most network breaches are due to organisations either misconfiguring or not implementing basic and intermediate security controls. Security controls can’t protect networks well if they are not carefully deployed and closely managed.
Also, most organisations focus almost exclusively on attack prevention. No matter how strong a company’s preventative defences, its network could still get breached. It is important that security solutions also focus on network and security visibility tools that can help identify and respond to anomalies.
Security professionals should also keep in mind that there is nothing wrong with actively blocking a source that is a suspected attacker. Some security controls can auto-block the source of suspected attacks, for example by putting the source address of a port scan in a “time out” box that blocks all of its traffic.
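As an added illustration of the “time out” box just described (example code written for this page, not code from the article or from WatchGuard), the following Python sketch replays a constructed connection log, puts any source address that touches five or more distinct ports within ten seconds into a temporary block that expires on its own, and counts how many of that source's attempts would be dropped; the log format, thresholds and function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample connection log (hypothetical format): "<ISO timestamp> <src_ip> <dst_port>"
SAMPLE_LOG = """\
2013-03-01T10:00:00 203.0.113.7 22
2013-03-01T10:00:01 203.0.113.7 23
2013-03-01T10:00:01 203.0.113.7 25
2013-03-01T10:00:02 203.0.113.7 80
2013-03-01T10:00:02 203.0.113.7 443
2013-03-01T10:00:03 198.51.100.4 443
2013-03-01T10:00:05 198.51.100.4 80
2013-03-01T10:00:09 203.0.113.7 8080
"""

class TimeoutBox:
    # A source touching >= port_threshold distinct ports within `window` is dropped for `timeout`, then released.
    def __init__(self, port_threshold=5, window=timedelta(seconds=10),
                 timeout=timedelta(minutes=10)):
        self.port_threshold, self.window, self.timeout = port_threshold, window, timeout
        self.recent = defaultdict(deque)   # src -> deque of (timestamp, port)
        self.blocked_until = {}            # src -> time the block expires
    def is_blocked(self, src, now):
        expiry = self.blocked_until.get(src)
        if expiry is not None and now < expiry:
            return True
        self.blocked_until.pop(src, None)  # never blocked, or the time-out has expired: release
        return False
    def observe(self, ts, src, port):
        """Record one connection attempt; return True if it should be dropped."""
        if self.is_blocked(src, ts):
            return True
        hist = self.recent[src]
        hist.append((ts, port))
        while ts - hist[0][0] > self.window:   # forget attempts that fell out of the window
            hist.popleft()
        if len({p for _, p in hist}) >= self.port_threshold:
            self.blocked_until[src] = ts + self.timeout
            return True
        return False

def replay(log_text):
    """Feed log lines through a fresh box; return ({src: dropped attempts}, box)."""
    box = TimeoutBox()
    dropped = defaultdict(int)
    for line in log_text.splitlines():
        ts_s, src, port_s = line.split()
        if box.observe(datetime.fromisoformat(ts_s), src, int(port_s)):
            dropped[src] += 1
    return dict(dropped), box
def blocked_at(box, src, iso_time):
    return box.is_blocked(src, datetime.fromisoformat(iso_time))
```

The scanning source is dropped from its fifth distinct port onward and released ten minutes later, while the client that only talks to two ports is never touched.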
Let strikeback strike out
In summary, strikeback doesn’t belong in private business. It offers no real advantages to normal organisations, and the risks are not worth the sense of revenge. Companies should focus their security strategies on multi-layer defence that is implemented well and monitored carefully to stop cyber criminals in their tracks, rather than planning retaliation for a network breach.