Between agenda-pushing hacktivists, money-grubbing cybercriminals and, more recently, spying nation-states, there is no shortage of attackers breaking into our networks, stealing our trade secrets and generally wreaking havoc throughout IT infrastructure.
Even the government has noticed, with the latest National Intelligence Estimate (NIE) warning that the U.S. is the target of a major cyber-espionage campaign from China. In fact, network penetrations have become so commonplace that President Obama recently signed a cybersecurity executive order in hopes of fortifying our defenses and encouraging the government and critical private sector organizations to share intelligence.
Considering this constant deluge of aggressive and financially costly security breaches, it's no wonder that some people are getting frustrated enough to contemplate a countermeasure we used to only whisper about in back rooms: the idea of striking back directly against our attackers. While giving cybercriminals a taste of their own medicine might sound appealing, most forms of strikeback do not belong in private business.
What is strikeback?
The idea of launching counterattacks against cybercriminals is not a new one. If you've been to any information security conference in the past few years, you've probably, at least jokingly, discussed the ideas of counter-hacking or proactive defense with your fellow security geeks. After all, many in the cybersecurity community are just as capable of breaching systems as the enemy (if not more so).
In fact, the "bad guys" often leverage tools and code created by "good guy" security professionals. Lately, however, the idea of striking back against attackers has shifted from lighthearted fantasy to potentially disturbing reality: security companies have even begun offering strikeback solutions.
Companies have approached strikeback in different ways, which have loosely evolved into three general categories:
- Legal strikeback: This is the least offensive form of strikeback. The organization, in cooperation with the authorities, gathers as much intelligence as possible about the attackers, typically by following the money trail, and then uses every legal avenue available to try to prosecute them.
- Passive strikeback: This is essentially cyber-entrapment. The organization installs a sacrificial system baited with booby-trapped files or Trojan-laced information an attacker might want, so that whoever takes the bait is compromised in turn.
- Active strikeback: In this approach, the organization identifies the IP address from which the attack appears to originate and launches a counterattack directly against it.
What's wrong with strikeback?
In general, strikeback strategies don't belong in most private organizations, and direct strikeback measures carry inherent risk.
The biggest issue with strikeback is attribution. The Internet provides a degree of anonymity, so it is hard to know who is really behind an attack: the IP address an attack appears to come from is frequently a compromised third-party machine or an intermediate proxy rather than the attacker's own system, and a counterattack launched against it would hit an innocent victim. Attackers have also begun deliberately planting false flags in their code, making it appear to have come from another organization in order to direct blame, and potentially retaliation, at that company.