Identifying And Discouraging Determined Attackers
Enterprises are finding ways to identify targeted attackers and give them fits. Here's how
[The following is excerpted from "Identifying and Discouraging Determined Attackers," a new report posted this week on Dark Reading's Advanced Threats Tech Center.]
George S. Patton said, "Nobody ever defended anything successfully -- there is only attack and attack and attack some more." So, is it possible to strike back at your attackers? And more importantly, is it the sensible thing to do?
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
- State of Cloud 2011: Time for Process Maturation
- Research: Federal Government Cloud Computing Survey
- Top Big Data Security Tips and Ultimate Protection for Enterprise Data
- Client Windows Migration: Expert Tips for Application Readiness
"Strike back," "active defense" and "hack back" are terms being used to describe an active response to continuous attacks and breaches. The nature of these responses -- and whether they should incorporate an offensive component -- is a gray area. These measures can range from reconfiguring defenses ahead of a predicted attack to sending threatening emails, filing lawsuits, operating cyber espionage campaigns and launching cyber attacks of your own.
No matter what the response, you have to first determine where attacks are originating from, who is behind them and what they are looking to achieve. However, the nature of cybercrime makes 100% accurate attribution virtually impossible. Knowing exactly who or what to "deter" is very difficult in cyberspace, as attackers use proxy servers and compromised computers to disguise the origins of their attacks.
Does fighting back make good business sense? Any form of threat deterrence should be evaluated just like any other business activity: You must weigh the costs involved against the damage and losses the organization is incurring from the attacks. Many organizations won't have the in-house skills needed to carry out this kind of intelligence, so outside experts will often need to be hired.
What are the longer-term benefits and risks? While disrupting an adversary's operations may give a temporary sense of satisfaction, there's no evidence as yet that it provides long-term protection for Internet-connected systems.
Indeed, accurately evaluating the possible benefits of threat deterrence is hampered by the lack of hard evidence that using aggressive tactics actually does stop hackers. Those who have implemented strike-back capabilities are unlikely to share their experiences, particularly if they are using potentially illegal methods. Also, the effectiveness of a particular approach will depend very much on the type of adversary faced, and any strike back may provoke further, more destructive attacks. Situations where retaliation and force are used have a tendency to escalate hostilities.
Sending emails warning of prosecution is unlikely to be effective, while sending malicious attachments is fraught with legal problems. There have been reports of physical violence being used, with one company claiming that its representatives visited perpetrators with baseball bats. This form of deterrence, even if it does occur, isn't really practical if the perpetrators are based, say, a 12-hour flight away. And an enterprise isn't really in a position to send heavies to visit the local Chinese Embassy.
A denial-of-service attack could occupy an attacker's human and physical resources, putting it on the defensive. Most organizations are short on IT resources already, though, even without taking on this kind of questionable activity. Strike back doesn't scale, either, as it would be exhausting to respond to each and every attack, while concentrating solely on one suspected adversary will leave network defenses undermanned to deal with attacks from elsewhere. Taking out a command and control server would hamper an attacker's ability to deliver and manage attacks, but C&C servers are usually compromised machines belonging to legitimate users and businesses.
Some enterprises believe that hacking back is an option as long as nobody finds out. The Commission on the Theft of American Intellectual Property even believes that if the damage from malicious hacking continues at current levels, the government should consider allowing American companies to counterattack. A survey of 181 delegates at Black Hat 2012 found that more than a third had already engaged in some form of retaliation against hackers. Concerns about cyber vigilantism haven't deterred financiers from investing in active defense firms, either; is a hacker really going to sue for unauthorized access?
Although cybercriminals can effectively hide behind the very laws they flout, legislation allowing companies to effectively build private cyber armies is unlikely. This means there is a real risk that certain types of counterattack cross the line between defending oneself and being a vigilante. Computer hacking is broadly defined as intentionally accessing a computer without authorization or exceeding authorized access, and laws covering computer crimes have been enacted in countries around the world.
Lack of attribution could easily lead to the equivalent of collateral damage -- an attack could take down important systems and cause more chaos and damage than any hacker.
To find out more about your options for active defense -- and what can be done legally to discourage determined attackers -- download the free report.
Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.