Cybersecurity strikeback will strike out in the private sector

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Between agenda-pushing hacktivists, money-grubbing cybercriminals and -- more recently -- spying nation-states, there is no shortage of attackers breaking into our networks, stealing our trade secrets and generally wreaking havoc throughout IT infrastructure.

Even the government has noticed, with the latest National Intelligence Estimate (NIE) warning that the U.S. is the target of a major cyber-espionage campaign from China. In fact, network penetrations have become so commonplace that President Obama recently signed a cybersecurity executive order in hopes of fortifying our defenses and encouraging the government and critical private sector organizations to share intelligence.


Considering this constant deluge of aggressive and financially costly security breaches, it's no wonder that some people are getting frustrated enough to contemplate a countermeasure we used to only whisper about in back rooms: the idea of striking back directly against our attackers. While giving cybercriminals a taste of their own medicine might sound appealing, most forms of strikeback do not belong in private business.

What is strikeback?

The idea of launching counterattacks against cybercriminals is not a new one. If you've been to any information security conference in the past few years you've probably, at least jokingly, discussed the ideas of counter-hacking or proactive defense with your fellow security geeks. After all, many in the cybersecurity community are just as capable at breaching systems as the enemy (if not more so).

In fact, the "bad guys" often leverage tools and code created by "good guy" security professionals. However, lately this idea of striking back against attackers has shifted from the realm of lighthearted fantasy to potentially disturbing reality to the point that security companies have even begun offering strikeback solutions.


There are different ways companies have started approaching strikeback initiatives. They have loosely evolved into three general categories:

  • Legal strikeback: This is the least offensive form of strikeback. It's where organizations, in cooperation with the authorities, gather as much intelligence as possible about attackers -- typically by following the money trail -- and then use any legal maneuvering possible to try to prosecute them.
  • Passive strikeback: This is essentially cyber-entrapment. An organization installs a sacrificial system, baited with booby-trapped files or Trojan-laced information an attacker might desire.
  • Active strikeback: In this approach, an organization identifies an IP address from which the attack appears to be coming, and launches a counterattack directly.

What's wrong with strikeback?

In general, strikeback strategies don't belong in most private organizations, and direct strikeback measures have inherent risk associated with them.

The biggest issue with strikeback is that the Internet provides anonymity, making it hard to know who's really behind an attack, and a strikeback measure could impact an innocent victim. For example, attackers have started to purposely plant false flags into their code, suggesting the code came from another organization in order to sabotage that company.

Another key issue is that Internet crimes tend to pass through many geographies and legal jurisdictions. Not only are you inviting potential legal problems by striking back against attackers in your own country, but when actions cross borders there are much wider ramifications.

Additionally, most strikeback activity is illegal. It is illegal for the average person to track down and punish a burglar who ransacked a house, and such is the case for cybercrimes. If an organization uses a booby-trapped document to install a Trojan on the attacker's network, it is technically breaking the same type of computer fraud and abuse laws that the attacker broke to steal information in the first place.

When it comes down to it, strikeback is simply revenge. If a network has already been breached, striking back against the attacker doesn't recover stolen data or repair damage that has already been done. Time is better spent pursuing legal investigations and prosecutions through the proper channels.

If not strikeback, then what?

Organizations are frustrated and fearful of cyberattacks, which is why the idea of strikeback is gaining popularity. But companies don't have to sink to a cybercriminal's level to protect themselves.

First and foremost, organizations need to implement a multi-layered security policy to increase the chances of catching hints of an advanced attack. For example, a zero-day browser exploit might sneak past an IPS system, but perhaps a proactive malware detection solution will catch the dropper file it uses as its payload. Unfortunately, many companies are still just relying on legacy firewalls and old-school antivirus, rather than a comprehensive, multifaceted solution.

Just as important as implementing a comprehensive security policy is ensuring it is configured properly. A number of surveys suggest most network breaches are due to organizations either misconfiguring or not implementing basic and intermediate security controls. Security controls can't protect networks well if they are not carefully deployed and closely managed.

Also, most organizations focus almost exclusively on attack prevention. No matter how strong a company's preventative defenses are, its network could still be breached. Security programs should therefore also invest in network and security visibility tools that help identify and respond to anomalies.

Security professionals should also keep in mind that there is nothing wrong with actively blocking a suspected attacker. Some security controls can automatically block the source of suspected attacks, for example by placing the source address of a port scan in a "time out" box and dropping all of its traffic for a period.
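As an added illustration of the auto-blocking described above (example code written for this edit, not the author's or WatchGuard's), the following Python detector replays constructed firewall-style log lines, counts distinct destination ports per source over a short window, and puts a source that looks like a port scanner into a timed block that lifts by itself. The threshold, window and timeout values are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed firewall-style records (made up for this example, not from any real device).
SAMPLE_LOG = """\
1700000000 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=22
1700000001 DENY src=198.51.100.7 dst=192.0.2.10 dport=23
1700000001 DENY src=198.51.100.7 dst=192.0.2.10 dport=25
1700000002 DENY src=198.51.100.7 dst=192.0.2.10 dport=80
1700000002 DENY src=198.51.100.7 dst=192.0.2.10 dport=443
1700000003 DENY src=198.51.100.7 dst=192.0.2.10 dport=8080
1700000003 ALLOW src=203.0.113.5 dst=192.0.2.10 dport=443
1700000004 ALLOW src=203.0.113.5 dst=192.0.2.10 dport=443
"""
LINE_RE = re.compile(r"^(?P<ts>\d+) \S+ src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$")

class PortScanBlocker:
    """Count distinct destination ports per source inside a sliding window; a source
    that reaches the threshold goes into a 'time out' box until its block expires."""
    def __init__(self, threshold=5, window=10, timeout=300):
        self.threshold = threshold      # distinct ports before a source is boxed (assumed)
        self.window = window            # seconds over which ports are counted (assumed)
        self.timeout = timeout          # seconds the block stays in force (assumed)
        self.seen = defaultdict(list)   # src -> [(ts, dport), ...]
        self.blocked = {}               # src -> timestamp at which the block lifts

    def is_blocked(self, src, now):
        if src in self.blocked and now >= self.blocked[src]:
            del self.blocked[src]       # time out served: lift the block automatically
        return src in self.blocked

    def observe(self, ts, src, dport):
        """Feed one record; return True if traffic from src should be dropped."""
        if self.is_blocked(src, ts):
            return True
        hist = self.seen[src]
        hist.append((ts, dport))
        hist[:] = [(t, p) for t, p in hist if ts - t <= self.window]
        if len({p for _, p in hist}) >= self.threshold:
            self.blocked[src] = ts + self.timeout
            return True
        return False

def process_log(text, blocker):
    """Replay log records; return (sources currently boxed, number of records dropped)."""
    dropped = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and blocker.observe(int(m["ts"]), m["src"], int(m["dport"])):
            dropped += 1
    return set(blocker.blocked), dropped
```

On the sample records only 198.51.100.7 is boxed; the legitimate client that keeps hitting a single port is left alone, and the block expires on its own rather than requiring any action against the source.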

In summary, strikeback doesn't belong in private business. It offers no real advantages to normal organizations, and the risks are not worth the sense of revenge. Companies should focus their security strategies on multi-layer defense that is implemented well and monitored carefully to stop cybercriminals in their tracks, rather than planning retaliation for a network breach.

Stories by Corey Nachreiner, CISSP, director of security strategy for WatchGuard Technologies Inc., special to Network World