A DDoS against your company costs you big-time in downtime and lost sales. You investigated all your data and have located the attacker. Do you:
A. Contact the authorities and let them handle it, or
B. Fight back by hacking the hacker?
Though A isn't always an option that will solve the problem, B is the wrong option in any scenario. So says Steven Maske, security engineer for a Fortune 1000 company. Maske outlined the risks during a recent talk at SOURCE Boston 2013.
As his talk description states, many respected industry professionals have written articles or presented talks on how to gain valuable information on your attacker and how to do so legally. What has been missing from this discussion is whether or not "hacking back" is a good idea to begin with. Maske outlined the following problems, which he has also listed in his Security Ramblings blog:
Legal Repercussions – An attack does not grant the victim a license to break the law. By taking an “eye for an eye” you are potentially exposing yourself to the same legal repercussions that the attacker is subject to.
Friendly Fire – Any attacker worth their salt (or who has watched the 1995 movie “Hackers”) is not going to attack you from their home with a computer they own (it’s “universally stupid”). The attacker can use numerous obfuscation techniques and even if you can identify the origin of the attack, any retaliation will likely be targeted at an innocent bystander whose machine was compromised.
You’re Not That Good – If you have the skills necessary to successfully compromise the attacker, why were these skills not used to identify the issues in your environment? After all, as a defender, this is why you are paid by your employer. Which leads me to my next point…
You Have Better Things To Do – “Hacking back” implies that you have been compromised. Your efforts are better spent executing your incident response plan, reviewing lessons learned and taking steps to ensure that it doesn’t happen again.
Escalation – Hypothetically, let’s say you have successfully compromised your attacker. Now what? You are performing a job, but to the attacker it has now become personal. You go home at the end of the day; they do not. “Hacking back” only provides additional motivation for the attacker to redouble their efforts. Even worse, if you are the target of a state-sponsored attack, retaliation might spark an international incident which could potentially lead to physical retaliation.
He makes many good points. But his audience went back and forth on the pros and cons -- some believing it's often a matter of simple self-defense and of gathering research on your adversary's strengths and weaknesses.
Like most things in life, I think the truth is somewhere in between. So let's have a discussion: Is hacking back a necessity in most circumstances or is it more trouble than it's worth?