Between agenda-pushing hacktivists, money-grubbing cyber criminals and, more recently, spying nation states, there is no shortage of attackers breaking into our networks, stealing our trade secrets and generally wreaking havoc throughout IT infrastructure. Even the government has noticed, with the latest National Intelligence Estimate (NIE) warning that the U.S. is the target of a major cyber espionage campaign from China. In fact, network penetrations have become so commonplace that President Obama recently signed a cyber security executive order in the hope of fortifying the defences and encouraging the government and critical private sector organisations to share intelligence.
Considering this constant deluge of aggressive and financially costly security breaches, it's no wonder that some people are getting frustrated enough to contemplate a countermeasure we used to only whisper about in back rooms: the idea of striking back directly against our attackers. While giving cyber criminals a taste of their own medicine might sound appealing, most forms of strikeback do not belong in private business.
What is Strikeback?
The idea of launching counter attacks against cyber criminals is not a new one. If you've been to any information security conference in the past few years, you've probably, at least jokingly, discussed the idea of counter hacking or proactive defence with your fellow security geeks. After all, many in the cyber security community are just as capable of breaching systems as the enemy (if not more so). In fact, the "bad guys" often leverage tools and code created by "good guy" security professionals. Lately, however, the idea of striking back against attackers has shifted from lighthearted fantasy to potentially disturbing reality, to the point that security companies have begun offering strikeback solutions.
There are different ways companies have started approaching strikeback initiatives. They have loosely evolved into three general categories:
- Legal strikeback - This is the least offensive form of strikeback. Organisations, in cooperation with the authorities, gather as much intelligence as possible about attackers, typically by following the money trail, and then use any legal manoeuvring possible to try to prosecute them.
- Passive strikeback - This is essentially cyber entrapment. An organisation installs a sacrificial system, baited with booby-trapped files or Trojan-laced information that an attacker might desire.
- Active strikeback - In this approach, an organisation identifies the IP address from which the attack appears to be coming and launches a counter attack directly against it.
What's Wrong with Strikeback?
In general, strikeback strategies don't belong in most private organisations, and direct strikeback measures have inherent risk associated with them.
The biggest issue with strikeback is that the Internet provides anonymity, making it very hard to know who is really behind an attack, so a strikeback measure could land on an innocent victim. For example, attackers have begun deliberately planting false flags in their code, suggesting it came from another organisation, in order to sabotage that company.