Revenge may be sweet, but it also may be illegal.
When a company faces sustained and malicious cyber-attacks, it is tempting to go beyond ordinary defensive measures, hire a team of black hat hackers of your own and go on a counterattack. And, while it may feel like justice to break into an attacker’s network, it may also be counterproductive.
I recently talked to CIODive about the hazards of doing just that.
Of course, every Chief Information Security Officer has a right and an obligation to protect his or her company and the partners connected to its network, but a counterattack may be crossing a line. Even if it is in retaliation for an illegal breach, an offensive counterattack can be illegal – and potentially dangerous.
Some offensive measures, according to the SANS Institute, include planting a weaponized document in a honeypot that compromises the attacker’s system when it is opened. This type of measure crosses the line beyond traditional honeypots, which simply monitor attacker activity.
Cyber-attackers tend to be opportunistic, and they tend to have multiple targets. Attack strategies often revolve around quick, successive hits on hundreds or thousands of different targets, rather than continued attacks on a single target. In other words, once attackers hit you, they move on – that is, unless you provoke them. While they are opportunistic, many cyberthieves are also arrogant – and are likely to respond quickly if you draw a line in the sand.
Three stages of protection
While you will want to stop short of actually breaking into a cyber-attacker’s network, there are three approaches to defending your own: passive (prevention-based) defense, active defense and information gathering.
Nearly every network – even those in companies that lack a security officer – has some sort of passive protection, such as a firewall, anti-virus software or intrusion detection. Passive protection efforts may even involve more sophisticated deception tactics, such as honeypots or false servers that can mislead attackers.
A more active defense may include tools that, for example, monitor login attempts and block an IP address once a user-defined threshold of unsuccessful logins has been reached. Though some active tactics, such as automated prevention and response, do not thwart 100% of attackers, they can be effective in ensuring an attack does not progress once it has been identified.
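The login-threshold tactic described above, as an added example that is not part of the original post: a small Python script that parses failed-login lines from a constructed SSH/syslog sample, counts failures per source address in a sliding time window, and flags an address the moment it reaches the threshold. The log lines, hostnames, users and addresses are made up for the example, the year is assumed because syslog timestamps omit it, and the firewall rule is only built as a string so an operator can review it before anything is applied.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH/syslog style; the hosts, users and
# addresses are made up for this example (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges, not real sources).
SAMPLE_LOG = """\
Mar 10 09:12:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 09:12:03 bastion sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar 10 09:12:05 bastion sshd[1205]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar 10 09:12:06 bastion sshd[1207]: Failed password for root from 203.0.113.7 port 51144 ssh2
Mar 10 09:12:09 bastion sshd[1209]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar 10 09:12:10 bastion sshd[1211]: Accepted publickey for alice from 198.51.100.23 port 40022 ssh2
Mar 10 09:15:00 bastion sshd[1213]: Failed password for bob from 198.51.100.23 port 40030 ssh2
Mar 10 09:40:00 bastion sshd[1215]: Failed password for bob from 198.51.100.23 port 40031 ssh2
"""

# Matches only failed password attempts; successful logins and unrelated
# lines do not match and are skipped.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2024):
    """Return (timestamp, ip, user) tuples for every failed-login line.

    Syslog timestamps carry no year, so the caller supplies one (assumed
    2024 for the constructed sample).
    """
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def ips_to_block(events, threshold=5, window=timedelta(minutes=10),
                 allowlist=frozenset()):
    """Sliding-window counter: flag an IP the moment it reaches `threshold`
    failures inside `window`. Returns {ip: time the threshold was crossed}.

    `allowlist` holds addresses that must never be blocked (e.g. an internal
    jump host), so a typo-prone admin cannot lock out the whole team.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for ts, ip, _user in sorted(events):
        if ip in allowlist or ip in flagged:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged[ip] = ts
    return flagged


def block_command(ip):
    """Build (but do not execute) the firewall rule that would drop `ip`."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in ips_to_block(parse_failures(SAMPLE_LOG)).items():
        print(f"{when:%H:%M:%S} threshold reached by {ip}: {block_command(ip)}")
```

On the sample, 203.0.113.7 produces five failures in eight seconds and is flagged at 09:12:09, while 198.51.100.23 fails only twice, 25 minutes apart, and is never flagged; a plain counter without a window would eventually block the second address as well, which is the kind of false positive that turns an active defense against your own users. In production the rule would normally carry an expiry rather than a permanent drop.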
In response to escalated and increasingly sophisticated attacks, more companies are supplementing traditional defensive measures with active ones that help them identify potential attackers and what they are after. Although actually going after the attacker isn’t advisable, scanning a potential attacker’s network to gather information that might help identify an attack vector is a legitimate tactic.
A combination of passive and active defense tactics makes it more difficult for cyberthieves to succeed. These active measures stop short of an all-out counterattack, but they do the important work of preventing loss in the first place.