Thinking of a counterattack? Deception is better, say experts

Security experts say hack-backs are simply asking for more trouble, because it is almost impossible to know where an attack came from

There is no such thing as a bulletproof firewall against digital attacks. And it's risky, and probably illegal, to "hack back," or try to launch preemptive strikes against attackers who are trying to steal your intellectual property or the identities and confidential information of your customers and employees.

But it's not illegal, and it is much less risky, to practice the traditional art of deception -- that is, to lure attackers into chasing fake data into places where they can't do any damage, and where you can monitor their activities and possibly their location.

The so-called "honeypot" defense is not new. It has been around for at least two decades and is regularly used by law enforcement and intelligence agencies. But the Washington Post reported this week that the tactic is becoming mainstream in the private sector as well.

The story profiled Brown Printing, of Minnesota, which has planted bogus user log-ins and passwords and phony configuration files in its system in an effort to lure hackers into "rabbit holes." Any hacker drawn to the phony data "was being watched by Brown, their computer locations tagged and their tactics recorded," the Post reported.

This kind of digital deception falls under a group of tactics called "active defense," since they involve engaging the attackers instead of simply trying to block or get rid of them. But it is probably the least aggressive of any active defense, because it is not a counterattack.

Most security experts say counterattacks are simply asking for more trouble, since they could promote an escalating series of attacks, and it is possible to attack the wrong villain because of the attribution problem. It is still almost impossible to know for sure where an attack came from.

[See related: Should the best cybercrime defense include some offense?]

And then there's the law. "Reaching into a person's computer to delete stolen data or shutting down third-party servers ... probably would violate federal law, FBI officials said," the Post reports.

Chester Wisniewski, senior security adviser at Sophos, said companies trying to counterattack generally have much more to lose than the attackers. He compares it to trying to go after car thieves by finding and stealing their car. "They don't have a car -- that is why they are trying to steal yours," he said.

Matt Johansen, threat research manager at WhiteHat Security, said Digital deception, by contrast, "is a great practice for companies to get into that isn't at all asking for more trouble."

"The idea of a honeypot and fake data allows a company to buy some time in detecting an intrusion and dealing with it effectively before any real compromise is made to the customer or sensitive information," he said.

Attribution is not a problem because the company is not going outside its own digital walls to plant the fake data -- it's not attacking anyone, but only monitoring those who are illegally inside its own walls.

"The fake information 'rabbit holes' will only be stumbled upon by people who aren't supposed to be looking there and will obviously just set off alarms for a company to identify a threat," Johansen said.

Some experts say really good hackers will be able to recognize deception, and will be more determined than ever to break into a company. But both Johansen and Wisniewski said smart companies can avoid that.

"If companies start using open-sourced or commercial-level honeypots, hackers will most likely be able to recognize certain signatures that appear the same to those solutions," Johansen said. "If a company wants to make sure their rabbit hole is successfully disguised as real data, they will likely need to design it themselves."

Wisniewski said the right technique can make it very difficult for an attacker to discern the good from the bad. "I have seen many banks use a canary-in-a-coal-mine-style approach," he said. "They sprinkle fake credit card details and accounts here and there. If there is any activity they know they have been compromised and can take action."

However, both also said deception is not enough on its own. "The better way to deal with these breaches is to spend your time addressing the root causes," Johansen said. "The majority of breaches we saw last year used SQL Injection as the exploitation method, which has been a solved problem for over a decade."

Wisniewski added: "Rather than worrying about whether someone is stealing your unprotected information you could just protect it. Encryption isn't rocket science any more."

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)