Cybersecurity strikeback will strike out in the private sector

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Between agenda-pushing hactivists, money-grubbing cybercriminals and -- more recently -- spying nation-states, there is no shortage of attackers breaking into our networks, stealing our trade secrets and generally wreaking havoc throughout IT infrastructure.

Even the government has noticed, with the latest National Intelligence Estimate (NIE) warning that the U.S. is the target of a major cyber-espionage campaign from China. In fact, network penetrations have become so commonplace that President Obama recently signed a cybersecurity executive order in hopes of fortifying our defenses and encouraging the government and critical private sector organizations to share intelligence.

[ ROUNDUP: The year's worst data breaches (so far) ]

Considering this constant deluge of aggressive and financially costly security breaches, it's no wonder that some people are getting frustrated enough to contemplate a countermeasure we used to only whisper about in back rooms: the idea of striking back directly against our attackers. While giving cybercriminals a taste of their own medicine might sound appealing, most forms of strikeback do not belong in private business.

What is strikeback?

The idea of launching counterattacks against cybercriminals is not a new one. If you've been to any information security conference in the past few years you've probably, at least jokingly, discussed the ideas of counter-hacking or proactive defense with your fellow security geeks. After all, many in the cybersecurity community are just as capable at breaching systems as the enemy (if not more so).

In fact, the "bad guys" often leverage tools and code created by "good guy" security professionals. However, lately this idea of striking back against attackers has shifted from the realm of lighthearted fantasy to potentially disturbing reality to the point that security companies have even begun offering strikeback solutions.

[ ANALYSIS: Is retaliation the answer to cyberattacks? ]

There are different ways companies have started approaching strikeback initiatives. They have loosely evolved into three general categories:

  • Legal strikeback: This is the least offensive form of strikeback. It's where organizations, in cooperation with the authorities, gather as much intelligence as possible about attackers -- typically by following the money trail -- and then use any legal maneuvering possible to try and prosecute attackers.
  • Passive strikeback: This is essentially cyber-entrapment. An organization installs a sacrificial system, baited with booby-trapped files or Trojan-laced information an attacker might desire.
  • Active strikeback: In this approach, an organization identifies an IP address from which the attack appears to be coming, and launches a counterattack directly.

What's wrong with Strikeback?

In general, strikeback strategies don't belong in most private organizations, and direct strikeback measures have inherent risk associated with them.

The biggest issue with strikeback is that the Internet provides anonymity, making it hard to know who's really behind an attack, and a strikeback measure could impact an innocent victim. For example, attackers have started to purposely plant false flags into their code, suggesting the code came from another organization in order to sabotage that company.

Another key issue is that Internet crimes tend to pass thought many geographies and legal jurisdictions. Not only are you inviting potential legal problems striking back against attackers in your own country, but when actions cross borders there are much wider ramifications.

Additionally, most strikeback activity is illegal. It is illegal for the average person to track down and punish a burglar who ransacked a house, and such is the case for cybercrimes. If an organization uses a booby-trapped document to install a Trojan on the attacker's network, it is technically breaking the same type of computer fraud and abuse laws that the attacker broke to steal information in the first place.

When it comes down to it, strikeback is simply revenge. If a network has already been breached, striking back against the attacker doesn't recover stolen data or repair damage that has already been done. Time is better spent pursuing legal investigations and prosecutions through the proper channels.

If not strikeback, then what?

Organizations are frustrated and fearful of cyberattacks, which is why the idea of strikeback is gaining popularity. But companies don't have to sink to a cybercriminal's level to protect themselves.

First and foremost, organizations need to implement a multi-layered security policy to increase the chances of catching hints of an advanced attack. For example, a zero-day browser exploit might sneak past an IPS system, but perhaps a proactive malware detection solution will catch the dropper file it uses as its payload. Unfortunately, many companies are still just relying on legacy firewalls and old-school antivirus, rather than a comprehensive, multifaceted solution.

Just as important as implementing a comprehensive security policy is ensuring it is configured properly. A number of surveys suggest most network breaches are due to organizations either misconfiguring or not implementing basic and intermediate security controls. Security controls can't protect networks will if they are not carefully deployed and closely managed.

Also, most organizations focus almost exclusively on attack prevention. No matter how strong a company's preventative defenses, its network could still get breached. It is important that security solutions should also focus on network and security visibility tools that can help identify and respond to anomalies.

Security professionals should also keep in mind there is nothing wrong with actively blocking a user that is a suspected attacker. Some security controls have the capability of auto-blocking the source of suspected attacks, putting the source address of a particular port scan in a "time out" box, blocking all its traffic.

In summary, strikeback doesn't belong in private business. It offers no real advantages to normal organizations, and the risks are not worth the sense of revenge. Companies should focus their security strategies on multi-layer defense that is implemented well and monitored carefully to stop cybercriminals in their tracks, rather than planning retaliation for a network breach.

Read more about security in Network World's Security section.

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)