A recent Reuters report claims that some companies are retaliating against hackers who target their systems.
Tired of simply trying to keep the attackers at bay, these businesses apparently believe that they can strike back against hackers in the hopes of preventing future attacks.
There are even companies such as CrowdStrike that are advising their clients on ways to engage in an active response to cyber attacks.
Unfortunately, businesses that go down this path are likely to run into technical and legal problems.
Let’s examine some of the possible outcomes:
- The business decides to launch a denial of service attack against hosts it believes are involved in attacks against its systems. First, this is a violation of US and other laws and could result in criminal penalties. Second, most attackers use compromised systems to launch their attacks. The owners of these systems rarely know that their systems are being used as part of the attack and therefore become collateral damage in this tit-for-tit cyber feud.
- The business decides to plant false information in an effort to confuse attackers. While this may slow down the attackers, it is likely not going to stop them. Once they realize that they are being fed misinformation, they will change tactics and likely dig deeper into the networks of their victims for the real information. Second, it is likely that staff within the organization may get confused themselves as to which information is real and which is fake, potentially leading to bad business decisions.
- The business decides to setup a honeypot to keep attackers occupied, slow down the attacks and waste their time and resources. While this may seem like a good plan, it takes a lot of resources and technical know-how to do this properly. Most businesses would be better off using the money they would spend on this in shoring up their defenses. I would argue that this should be one of the last counter measures that organizations should use to combat cyber attacks.
- The business decides to infiltrate the systems being used by the attackers in order to gain information that could lead to the discovery and arrest of those involved. This is a particularly bad idea for the same reasons noted in bullet #1. Do not do this!
Being the victim of an attack is not fun and it is easy to understand why businesses would like to take a more active stance against the attackers. However, organizational resources are much better spent on defensive techniques such as:
- Establishing a robust threat and vulnerability management program to address threats and remediate vulnerabilities.
- Establishing a program to monitor system logs and network activity so that suspicious activity can be quickly discovered and addressed.
- Maintaining an active incident response plan that details exactly how the business will respond to incidents.
- Implementing strong access controls and the use of strong authentication where appropriate.
- Performing regular risk assessments to ensure that the most critical data is identified and proper counter measures are in place to protect it.
- Maintaining good forensic capabilities so that evidence gathered during an investigation can be used to prosecute the attackers in the future if so desired.
These common sense measures will help raise the bar for attackers to be successful in their attacks and will help ensure that when a successful attack does occur, the organization can detect it and respond quickly.
Cross-posted from InfosecStuff.com