Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:43 AM
Dark Reading
Dark Reading
Quick Hits

Identifying And Discouraging Determined Attackers

Enterprises are finding ways to identify targeted attackers and give them fits. Here's how

[The following is excerpted from "Identifying and Discouraging Determined Attackers," a new report posted this week on Dark Reading's Advanced Threats Tech Center.]

George S. Patton said, "Nobody ever defended anything successfully -- there is only attack and attack and attack some more." So, is it possible to strike back at your attackers? And more importantly, is it the sensible thing to do?

"Strike back," "active defense" and "hack back" are terms being used to describe an active response to continuous attacks and breaches. The nature of these responses -- and whether they should incorporate an offensive component -- is a gray area. These measures can range from reconfiguring defenses ahead of a predicted attack to sending threatening emails, filing lawsuits, operating cyber espionage campaigns and launching cyber attacks of your own.

No matter what the response, you have to first determine where attacks are originating from, who is behind them and what they are looking to achieve. However, the nature of cybercrime makes 100% accurate attribution virtually impossible. Knowing exactly who or what to "deter" is very difficult in cyberspace, as attackers use proxy servers and compromised computers to disguise the origins of their attacks.

Does fighting back make good business sense? Any form of threat deterrence should be evaluated just like any other business activity: You must weigh the costs involved against the damage and losses the organization is incurring from the attacks. Many organizations won't have the in-house skills needed to carry out this kind of intelligence, so outside experts will often need to be hired.

What are the longer-term benefits and risks? While disrupting an adversary's operations may give a temporary sense of satisfaction, there's no evidence as yet that it provides long-term protection for Internet-connected systems.

Indeed, accurately evaluating the possible benefits of threat deterrence is hampered by the lack of hard evidence that using aggressive tactics actually does stop hackers. Those who have implemented strike-back capabilities are unlikely to share their experiences, particularly if they are using potentially illegal methods. Also, the effectiveness of a particular approach will depend very much on the type of adversary faced, and any strike back may provoke further, more destructive attacks. Situations where retaliation and force are used have a tendency to escalate hostilities.

Sending emails warning of prosecution is unlikely to be effective, while sending malicious attachments is fraught with legal problems. There have been reports of physical violence being used, with one company claiming that its representatives visited perpetrators with baseball bats. This form of deterrence, even if it does occur, isn't really practical if the perpetrators are based, say, a 12-hour flight away. And an enterprise isn't really in a position to send heavies to visit the local Chinese Embassy.

A denial-of-service attack could occupy an attacker's human and physical resources, putting it on the defensive. Most organizations are short on IT resources already, though, even without taking on this kind of questionable activity. Strike back doesn't scale, either, as it would be exhausting to respond to each and every attack, while concentrating solely on one suspected adversary will leave network defenses undermanned to deal with attacks from elsewhere. Taking out a command and control server would hamper an attacker's ability to deliver and manage attacks, but C&C servers are usually compromised machines belonging to legitimate users and businesses.

Some enterprises believe that hacking back is an option as long as nobody finds out. The Commission on the Theft of American Intellectual Property even believes that if the damage from malicious hacking continues at current levels, the government should consider allowing American companies to counterattack. A survey of 181 delegates at Black Hat 2012 found that more than a third had already engaged in some form of retaliation against hackers. Concerns about cyber vigilantism haven't deterred financiers from investing in active defense firms, either; is a hacker really going to sue for unauthorized access?

Although cybercriminals can effectively hide behind the very laws they flout, legislation allowing companies to effectively build private cyber armies is unlikely. This means there is a real risk that certain types of counterattack cross the line between defending oneself and being a vigilante. Computer hacking is broadly defined as intentionally accessing a computer without authorization or exceeding authorized access, and laws covering computer crimes have been enacted in countries around the world.

Lack of attribution could easily lead to the equivalent of collateral damage -- an attack could take down important systems and cause more chaos and damage than any hacker.

To find out more about your options for active defense -- and what can be done legally to discourage determined attackers -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
10/4/2013 | 7:57:32 PM
re: Identifying And Discouraging Determined Attackers
Why not just throw away the attack traffic just like we have been doing for 30 years? Ignore them and they do actually just go away. Unless you have some tasty things that just can't be ignored, attackers usually move on to the next IP address that will accept those packets. Of course DDOS can't be ignored by definition it can't be stopped either, just mitigated. Carry on.
Peter Fretty
Peter Fretty,
User Rank: Moderator
10/4/2013 | 6:11:07 PM
re: Identifying And Discouraging Determined Attackers
There are solid arguments on both sides of the fence. Does attacking back deter or does it serve as an active challenge? Regardless of where you stand the first priority or core of any security strategy should always be to guard access to the assets that are most crucial through use of next gen firewalls and educating the user base on the best practices to avoid phishing issues. I look forward to hearing various security pro angles and rationale.

Peter Fretty, IDG blogger working on behalf of Sophos
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.