CyberRevenge– Hacking the Hacker, Attacking the Attacker: CyberWarfare– Hire Mercenary to– Hack-Back, Retaliate… Or, Not!

Hacking the hacker: in effect, it means being a thief to catch a thief… There is a hot debate over companies’ rights to defend themselves in cyberspace by taking offensive action… Hacker-on-hacker retaliation is a tantalizing option for some victims; however, many experts warn that the strategy, commonly known as ‘hacking-back’, could go very wrong…

According to Jeffrey Carr; hacking-back is the worst option for companies because they don’t know who is on the other end of the keyboard nor what capabilities that person (or persons) has. What may start as simple [intellectual property] theft could, after a ‘hacking-back’ attempt, result in unforeseen consequences… People with any life experience usually understand and respect the adage– ‘never pick a fight with a stranger’; the same adage applies in cyberspace…


According to Rick Howard; just because you are able to jab back against a cyber adversary does not mean that you should… More likely than not, you would have succeeded in poking the beehive and you may have unleashed a world of hurt on your organization that it did not need… However, other experts say companies should be allowed to hack-back after they’re hit… If companies cannot get timely help and protection from law enforcement, then they should be allowed to take responsible action to mitigate the impact of theft of their data; companies should be allowed to hack back…

According to Matthew Green; hacking-back sounds like a great idea until you think about how easy it is to subvert. Today’s attackers go to great lengths to hide the source of their attacks. How can any company know they’re really hacking their attacker, and not some innocent bystander?

According to Mark Weatherford; it depends: there are so many possible unintended consequences in hacking back that unless you truly understand what you are doing, it isn’t worth the risk. Remember, when you hack-back, you are escalating an event with someone who may have far greater skills, resources and evil intent than you…

According to Melanie Teplinsky; hack-back, retaliation, vigilantism. These words not only make for great headlines; they spark heated debate over the appropriate roles of the private sector and government in cyber-security. However, defensive measures alone may delay, but are unlikely to prevent penetration of target networks by concerted adversaries. Focusing exclusively on defense will not solve cyber-security… We need to raise the costs and risks to concerted adversaries in order to deter their activities.

In the article Hack the Hackers? Companies Itching To Go On Cyber Offense, Matt Egan writes: Fatigued by a relentless onslaught from hackers, some companies are mulling a more aggressive and proactive approach to powerful cyber evil-doers. Offensive counter-strikes are likely illegal in today’s murky legal structure, but some security professionals are calling for at least a more proactive stance that utilizes measures like disinformation campaigns, honeypots, intelligence gathering…

All of this is aimed at squashing cyber attacks that can generate millions of dollars in damages and lost revenue, loss of intellectual property, and even reputational harm… According to Dmitri Alperovitch; these adversaries are like a dog with a bone… they will not go away… it doesn’t matter how many times you stop them, the one time they get through they cause very, very serious damage…

Whether it’s from vindictive terrorists, anti-capitalistic hacktivists or stealthy hackers, it’s clear that companies are under attack from nefarious online forces… According to a report, 65% of organizations polled suffered an average of three denial of service attacks in the past 12 months, costing financial-services companies a hefty $32,560 a minute… This helps explain a rising frustration about the limited options companies have to fight back… Some security firms are advocating a more proactive defense, though companies need to be careful to navigate laws…

According to Dmitri Alperovitch; we are not advocating hacking-back, since in most cases it’s illegal… we are talking about doing legal things on the network… that are more aggressive as opposed to just sitting there and trying to swat away these intrusions… it’s active defense, which can be a very effective deterrent…

In the article Hacking the Hackers: Legal Risks of Taking Matters Into Private Hands, Becca Lipman writes: Private groups are beginning to fight back against foreign sources of malware and credit fraud, but their methodologies put these digital crusaders and their employers at serious legal risk… Breaking into somebody’s computer, even if it belongs to a hacker in– Russia, China… who just hacked you, is illegal… It’s the same as if you broke into a robber’s house to take back your stolen jewels. Intention does not justify the crime of breaking and entering…

As with any other battle, there’s also a risk of hurting innocent bystanders. The goal is to shut down hackers at the source, but that often involves going through botnets, networks of millions of infected PCs that report to a central server… Perhaps it’s only a matter of time before something truly shocking occurs from the actions of digital justice crusaders, but the fact is that institutions do illegal things all the time to stay on top of security protocols, and it proves effective in many cases… Many of the people involved in these activities are taking actions in legal grey areas in a form of vigilantism…


In the article Hacking the Hackers, Arthur Piper writes: Hackers use sophisticated techniques to hide their server’s IP address, the unique digital code that identifies each device on the internet. But tracing them is not impossible… That passive attitude to managing the risk of cyber-attack is changing; some organizations are setting traps for hackers within their own networks, or designing fake networks to catch the perpetrators. Data on the fake part of the site can often be traced to the criminals when they sell or attempt to use it… You are seeing a bit of a trend of not relying so much just on the government, and of businesses taking a more aggressive approach…

Other businesses are setting up databases in more sophisticated ways to both prevent serious loss and to help create evidence that can be used in court at a later date… But, not all cyber-criminals have yachts and most are effectively subcontractors working for other criminals. When they do have money, it may be difficult to obtain, and they may be impossible to sue if they live in a jurisdiction with no legal extradition rights…

In the article New Brand of Cyber Security: Hacking the Hackers, Ken Dilanian writes: The traditional way of trying to defend your network is just not going to cut it; you have to do something different… one way is to engage the adversary… According to Irving Lachow; attackers often breach company networks using a tactic known as spear phishing, a practice that gets an employee to download a malware file by disguising it, for example, in an email purporting to be from someone the worker knows. Firewalls and anti-virus software are almost useless against such techniques…

To counter these tactics, some experts suggest the use of decoys to lure hackers into a controlled environment, where investigators can observe and trace the attack… then hopefully identify the hackers by using clues in their malware and by gathering information from a variety of other sources; they then might be able to develop a profile of the attacker… Profiles enable a more targeted defense by knowing when an attacker is likely to strike, how they communicate, what malware they use, and how they steal data… These methods are not without critics, who worry about how far companies might go down the road of cyber vigilantism…
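The decoy data described by Piper (fake records that can be traced when they resurface) and the controlled-environment tracing described above both rest on one defensive mechanism: seed records that no legitimate user would ever use, keyed to where and when they were planted, and watch for them in your own logs. The following is an added illustration, not code from any of the cited articles; the log format, the `SEED_KEY`, the planting labels and the sample log lines are all constructed for the example.

```python
"""Honeytoken seeding and tracing (added example, constructed data)."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed key; a real deployment keeps this secret outside the code base.
SEED_KEY = b"example-honeytoken-key"


@dataclass(frozen=True)
class Decoy:
    username: str
    planted_in: str   # which dataset or system the fake record was seeded into
    planted_on: str   # ISO date, so a later sighting bounds the leak window


def make_decoy(planted_in: str, planted_on: str) -> Decoy:
    # Derive the fake username from the planting location with an HMAC so that
    # each seeded copy is distinguishable, yet finding one decoy does not let
    # anyone enumerate the others.
    tag = hmac.new(SEED_KEY, f"{planted_in}|{planted_on}".encode(),
                   hashlib.sha256).hexdigest()[:10]
    return Decoy(f"svc-{tag}@example.invalid", planted_in, planted_on)


def build_registry(plantings):
    """Map decoy username -> Decoy for every (planted_in, planted_on) pair."""
    return {d.username: d for d in (make_decoy(*p) for p in plantings)}


# Constructed auth-log format: "<ts> auth user=<u> src=<ip> result=<r>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>\w+)")


def trace_decoy_use(log_lines, registry):
    """Return one evidence record per log line that used a seeded decoy."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["user"] not in registry:
            continue  # malformed line, or a real account rather than a decoy
        d = registry[m["user"]]
        hits.append({"seen_at": m["ts"], "src": m["src"], "result": m["res"],
                     "planted_in": d.planted_in, "planted_on": d.planted_on})
    return hits


REGISTRY = build_registry([("crm-export", "2014-03-01"), ("hr-backup", "2014-04-15")])


def sample_logs():
    """Constructed log lines: one real user, one use of the crm-export decoy."""
    crm = make_decoy("crm-export", "2014-03-01").username
    return ["2014-06-02T10:14:07Z auth user=alice src=203.0.113.5 result=ok",
            f"2014-06-02T10:15:44Z auth user={crm} src=198.51.100.9 result=fail"]
```

Any hit is evidence that the named dataset left the organization on or after its planting date, which is the kind of record the cited articles say companies want to preserve for a later legal case; the source address in the hit is a lead for investigators, not a target.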

The Justice Department said hacking-back may be illegal under the Computer Fraud and Abuse Act, a 1996 law that prohibits accessing a computer without authorization. Many lawyers liken it to the principle that a person can’t legally break into his neighbor’s house, even if he sees his stolen television in the neighbor’s living room…

Organizations need to start thinking like the adversaries, and look at different approaches and techniques to confuse an attacker… According to Sara K. Gates; in light of unprecedented attacks by cyber-criminals against businesses that span every industry, this question has come to the fore: Is it time to fight back? According to Jeff Bardin; hacker groups and disruption of business have reached an all-time high and can no longer be ignored. We want to get the ‘adversary’ to understand that if they launch an attack against a company, there will be costs to pay…

But many experts are not in favor of going on the offense, because it just won’t work: it’s too difficult to pinpoint the location and source of many cyber-attacks… On the other hand, many security experts say there are some ‘offense-like’ tactics that can drive up the cost of hacking into a corporate network and, if deployed properly, could discourage hackers enough to have a major impact on the threat landscape…


There are interesting questions being raised about how far businesses can go and what types of attacks can actually be effective… According to Martin Zinaich; it doesn’t necessarily have to go from nothing to launching a full-out assault against cyber-crime infrastructure. It could be much more subtle things like feeding the bad guys misinformation or doing your own reconnaissance… there are offensive security measures the good guys can leverage. Misdirection tactics, for example, can be deployed by heavily targeted companies, such as those in the– financial, defense sectors…

According to Tim McCreight; you need to start thinking like the adversaries, and look at your defenses as if you are trying to break into your systems. You need to adopt a much more aggressive mindset… Unfortunately, these security tactics may have their drawbacks as well; some companies are very apprehensive about specifically targeting hacktivist groups since it raises ethical questions and the legality of the practice. In addition, building phony systems and fake credentials may be too costly to deploy… it’s hard to agree whether ‘hacking-back’ is an acceptable enterprise defense practice when no one can agree what the term means. Offensive security is huge but relatively undefined, and it’s compounded by the fact that the laws governing it are vague…