Everyone's been talking about the hottest topic right now which is this recent story on the AP titled "Hacked companies fight back with controversial steps".
I encourage you to read the article first, then read my analysis otherwise you may miss a few of the finer points of this discussion.
The big attention-grabbing statement is this one right across the top of the story - "Frustrated by their inability to stop sophisticated hacking attacks or use the law to punish their assailants, an increasing number of U.S. companies are taking retaliatory action."
Now, if you read that statement and don't know any better, as is the case with about 90%+ of the readers of the Associated Press who aren't information security experts, you would think that these hacked companies are actually hiring hackers to go counter-hack their hackers. This all sounds very... James Bond-ish... doesn't it?
As a colleague pointed out in confidence to me the other day, we both know security professionals who are probably doing this kind of dirty-work, which (even though I am not an attorney and wish to offer no legal advice) is likely highly illegal and what's more - difficult to accomplish without collateral damage.
Where this article goes awry is the confusion it generates - confusing "active defense" with "strike back technology" as the author puts it. Those are, for those of us who are familiar with these concepts, completely different things.
Active defense, as the article tries to explain, is understood as... well... actively defending yourself. Using technology which can confuse the attacker, mislead them to spend time on worthless parts of an application, or slow the response rate of the network or application down... that's active defense. Actively dropping packets that are suspect, or malicious, that's active defense.
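To make the distinction concrete, here is an added example (not code from the original post or from any product mentioned in the article) of the purely defensive techniques just described: decoy paths that mislead a prober into wasting time, an escalating tarpit delay that slows the response to a client that keeps hitting decoys, and an outright drop once a threshold is crossed. Everything touches only the defender's own application; nothing reaches out to the attacker. The decoy paths, IP addresses and request list are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed decoy paths: a real application would never serve these,
# so any request for them is a strong signal of probing.
DECOY_PATHS = {"/admin-backup", "/wp-login.php", "/.git/config"}

# Decision returned to the web server: what to do and how long to stall.
Decision = Tuple[str, float]  # ("serve" | "tarpit" | "drop", delay_seconds)


@dataclass
class ClientState:
    """Per-client counters kept by the defender (in-memory for this example)."""
    decoy_hits: int = 0


@dataclass
class ActiveDefense:
    drop_threshold: int = 3      # decoy hits before the client is cut off
    base_delay: float = 0.5      # first tarpit delay; doubles on each further hit
    clients: Dict[str, ClientState] = field(default_factory=dict)

    def decide(self, client_ip: str, path: str) -> Decision:
        state = self.clients.setdefault(client_ip, ClientState())

        if path in DECOY_PATHS:
            state.decoy_hits += 1

        # Once a client has tripped enough decoys, drop everything from it,
        # including requests that would otherwise look legitimate.
        if state.decoy_hits >= self.drop_threshold:
            return ("drop", 0.0)

        # A client that has touched a decoy gets slower and slower answers,
        # which costs the prober time while costing the defender almost nothing.
        if state.decoy_hits > 0:
            delay = self.base_delay * (2 ** (state.decoy_hits - 1))
            return ("tarpit", delay)

        return ("serve", 0.0)


def decoy_body(path: str) -> str:
    """Misleading content for a decoy path: plausible-looking but worthless."""
    # Assumption: the real handler would render a fake login form or a
    # harmless placeholder; here a labelled stub is enough to show the idea.
    return f"<!-- decoy page for {path}; contains nothing real -->"


def simulate(requests: List[Tuple[str, str]]) -> List[Decision]:
    """Run a sequence of (client_ip, path) requests through the defense."""
    defense = ActiveDefense()
    return [defense.decide(ip, path) for ip, path in requests]


# Constructed request log: one client probes three decoys in a row,
# another client only fetches a normal page.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "/index.html"),
    ("203.0.113.7", "/wp-login.php"),
    ("203.0.113.7", "/.git/config"),
    ("203.0.113.7", "/admin-backup"),
    ("203.0.113.7", "/index.html"),
    ("198.51.100.9", "/index.html"),
]

if __name__ == "__main__":
    for (ip, path), (action, delay) in zip(SAMPLE_REQUESTS, simulate(SAMPLE_REQUESTS)):
        print(f"{ip:14} {path:16} -> {action:6} delay={delay}s")
```

The point of the example is what it does not do: the tarpit is a delay on the defender's own response, the decoy content is served from the defender's own host, and the drop is a decision not to answer. Each of these slows or confuses a prober without ever sending traffic toward the attacker's systems, which is exactly the line the article blurs.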
Striking back, as the people from CrowdStrike (who seem to be driving this silly story) are quoted defining it, involves actually going on the offensive and 'hacking the hackers'. How and to whom does this sound like a good idea, and a sound investment of time?
Luckily, there is a beacon of hope offered here in the form of an opinion... "There is no business case for it and no possible positive outcome," said John Pescatore, a National Security Agency and Secret Service veteran who leads research firm Gartner's Internet security practice.
This actually makes sense to me, as a rational and intelligent response... I can't even imagine the type of international incidents the potentially reckless type of "striking back" activity can cause!
Here it is in a nutshell, folks, my personal opinion: focus on active defense if you're that advanced, but don't go on the offense... leave that up to the authorities who are legally allowed to track the bad guys.
This isn't the wild west, and remember you can't just go track down a hacker using your own hacking techniques... because then what? I can't imagine that evidence obtained by criminal means would be admissible in any court of law... right?
Be pragmatic. Be smart. Don't listen to confusing and sensational news stories driven by companies who want to make a name for themselves doing cool secret-agent work.
Cross-posted from Following the White Rabbit