Strike back, strike out
Corey Nachreiner examines the rise in cyberattacks and advises against striking back
There has been a veritable deluge of costly security breaches publicised, so it is perhaps no surprise that people get frustrated enough to consider a counterattack. Giving cybercriminals a taste of their own medicine may sound appealing, but most forms of strike-back have no place in private business.
Counter-hacking or proactive defence has been discussed at just about every security conference over the past few years. After all, many in the cybersecurity industry are as capable of breaching systems as the enemy. In fact, the bad guys often use tools and code created by security professionals.
Recently, though, there has been a shift from speculative discussion to a more disturbing reality - and some security companies are even offering "strike-back" solutions.
Legal strike-back can be described as the least offensive form of strike-back. An organisation, in co-operation with the authorities, simply gathers as much intelligence as possible about the attackers, and then uses any legal manoeuvring possible to try to prosecute them.
Then there's passive strike-back. This is essentially cyber entrapment. An organisation installs a sacrificial system, baited with booby-trapped files or Trojan-laced information. For example, this year at Black Hat a researcher hid malicious JavaScript in his honeypot to infect any attackers who visited it. While effective, this act could technically break local laws.
In active strike-back, an organisation identifies an IP address from which the attack appears to be coming and launches a direct counterattack.
Strike-back strategies, and active measures in particular, carry inherent risks. The biggest issue is that the anonymity the internet provides makes it hard to know who is really behind an attack, so a strike-back could target someone quite innocent. Attackers sometimes plant false flags in code, for example, to make the attack look as if it came from another organisation.
Internet crimes also tend to pass through many geographies and legal jurisdictions. Not only are you inviting potential legal problems by striking back against attackers in your own country, but when your actions cross borders there will be wider ramifications.
It is illegal for you to track down and punish a burglar who ransacked your house, and the same is true for cybercrime. Strike-back is simple revenge. If a network has already been breached, striking back will not recover stolen data or repair damage that has already been done.
The time is better spent pursuing legal investigations and prosecutions through the proper channels - and of course putting preventative measures in place. There is no need to sink to a cybercriminal's level to protect yourself or your customers.
First and foremost, a multi-layered security policy is needed to increase the chances of catching an advanced attack. For example, a zero-day browser exploit might sneak past an IPS, but a proactive malware detection solution may still catch the dropper file it uses as its payload.
Just as important as implementing a comprehensive security policy is ensuring it is configured properly.
Surveys suggest most network breaches are due to organisations either misconfiguring or not implementing basic and intermediate security controls. Such controls cannot protect networks if they are not properly deployed and closely managed.
Most organisations focus almost exclusively on attack prevention. Yet no matter how strong a firm's preventative defences, the network could still be breached. Security offerings should therefore include network and security visibility tools that help identify and respond to anomalies.
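One way to get the visibility the two paragraphs above call for is to correlate events across layers: when the network layer allowed a download and the endpoint layer later flagged the same file on the same host, the second layer caught what the first missed. The script below is an added example, not code from the article or from WatchGuard; the two log formats, the host names, URLs and timestamps are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article). The key=value field
# layout is an assumption made for this example, not a real product format.
NETWORK_LOG = """\
2013-09-02T10:01:05 host=ws-17 action=allow url=http://example.test/news.html
2013-09-02T10:01:09 host=ws-17 action=allow url=http://example.test/update.exe
2013-09-02T10:02:40 host=ws-22 action=block url=http://example.test/exploit.js
2013-09-02T10:05:12 host=ws-31 action=allow url=http://example.test/report.pdf
"""

ENDPOINT_LOG = """\
2013-09-02T10:01:21 host=ws-17 verdict=malicious file=update.exe
2013-09-02T10:06:00 host=ws-31 verdict=clean file=report.pdf
"""


def parse(log):
    """Turn 'timestamp k=v k=v ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, value = field.split("=", 1)
            event[key] = value
        events.append(event)
    return events


def layered_misses(network_log, endpoint_log, window=timedelta(minutes=5)):
    """Return (host, url, file) triples where the network layer allowed a
    download and the endpoint layer flagged that file on the same host
    within `window` afterwards: the cases the first layer missed."""
    allowed = [e for e in parse(network_log) if e["action"] == "allow"]
    flagged = [e for e in parse(endpoint_log) if e["verdict"] == "malicious"]
    hits = []
    for f in flagged:
        for a in allowed:
            same_host = a["host"] == f["host"]
            same_file = a["url"].rsplit("/", 1)[-1] == f["file"]
            gap = f["ts"] - a["ts"]
            if same_host and same_file and timedelta(0) <= gap <= window:
                hits.append((f["host"], a["url"], f["file"]))
    return hits


def layer_summary(network_log, endpoint_log):
    """Per-layer tally: what the network layer stopped outright, and what
    only the endpoint layer caught. Both numbers matter for tuning."""
    blocked = sum(1 for e in parse(network_log) if e["action"] == "block")
    return {
        "blocked_at_network": blocked,
        "caught_at_endpoint_only": len(layered_misses(network_log, endpoint_log)),
    }


if __name__ == "__main__":
    for host, url, filename in layered_misses(NETWORK_LOG, ENDPOINT_LOG):
        print(f"{host}: network allowed {url}, endpoint flagged {filename}")
    print(layer_summary(NETWORK_LOG, ENDPOINT_LOG))
```

The correlation is deliberately narrow (same host, same file name, short window) so that every hit is worth a human look; a host that appears here has an allowed download that turned out to be a dropper, which is exactly the response-and-tuning signal the article says prevention-only setups lack.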
Striking back offers no advantages to normal organisations. It is simply retaliation for a network breach. The risks are not worth it.
Instead, our efforts in the industry should focus on providing a correctly implemented multi-layer defence to stop cybercriminals in their tracks before problems arise.
Corey Nachreiner is director of security strategy at WatchGuard