A recent article from Reuters seems to have revived the age-old debate about hacking back. Apparently some companies and organizations are using hack-backs against intruders on their networks. This activity could involve the victim company either tasking its own employees to hack back or hiring an outside firm. Most agree that hacking back is not the right solution for a variety of reasons, including it being flatly illegal in most jurisdictions and resulting in attacks escalating out of control.
The other problem with hacking back is that you don’t really know if the attacking IP is the real attacker or simply another compromised victim the attacker is using as a proxy. Hack back and you could be attacking an innocent victim. If this victim happens to be someone that you are on uneasy terms with, the problem could escalate even further by bringing in a third-party against your organization.
Instead of hacking back, most advise following the proper procedures, which typically involve repairing the affected machines and adding security measures to help prevent future attacks. Further, you should report the incident to law enforcement. But the legal system often overlooks smaller incidents and draws out major incidents through a long bureaucratic process. Many times it’s easier to just forgo reporting and continue on with your daily routine (unless, that is, you have SEC or other reporting requirements).
But for those that are interested in doing something … anything … as alternatives to hacking back, the Reuters article offered several legal “offensive” suggestions … aka deceptive techniques. I tweaked some, added a few, and embellished others but I think this alternative view is a bit more easily consumed.
- Identify your most sensitive data and keep it off your main networks.
- Assume attackers are already inside your boundaries and focus on detecting them.
- Create hard-to-access fake systems or tempting material for the attackers to find.
- Plant false or fake sensitive data or files in areas attackers may be interested in.
- Perform the above but plant 100 versions of a critical file with only one that is legitimate.
- Perform the above but include beacons within the files.
- Carefully watch the attackers and their actions instead of immediately shutting them out.
- Waste the attacker’s time by allowing access to the fake systems or material they can’t crack.
- Allow attackers to retrieve the above bogus data or files (e.g., with beacons).
- Perform “deep analysis” of all data to learn everything possible about the intruders.
- Share your analysis with your trusted partners.
- Publish your findings (e.g., redacted or full versions depending on the situation).
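A few of the list items above (planting many versions of a critical file, embedding beacons in them, and watching what the intruder touches) combine into a simple decoy-and-callback workflow. The following is an added illustration, not code from the Reuters article or this post; it assumes a beacon host you control (placeholder `beacon.example.invalid`) that logs HTTP requests in Common Log Format, and the log lines used are constructed samples.

```python
import re
import secrets
from pathlib import Path

# Placeholder beacon host (assumption): an HTTP server you control that only ever serves
# these decoy resource paths, so every request to it is a beacon callback worth logging.
BEACON_HOST = "beacon.example.invalid"

def build_decoys(base_name, legit_content, count, rng=secrets.randbelow):
    """Produce `count` versions of a file: one legitimate, the rest decoys that each
    carry a unique beacon URL. Returns (files, tokens) where files maps filename ->
    content and tokens maps beacon token -> decoy filename."""
    files, tokens = {}, {}
    legit_index = rng(count)
    for i in range(count):
        name = f"{base_name}_v{i + 1:03d}.md"
        if i == legit_index:
            files[name] = legit_content
            continue
        token = secrets.token_hex(8)
        tokens[token] = name
        # A decoy looks like the real file but embeds a remote resource reference;
        # a viewer that fetches it sends the token to BEACON_HOST, which logs it.
        files[name] = f"{legit_content}\n![](https://{BEACON_HOST}/t/{token}.png)\n"
    return files, tokens

def write_decoys(directory, files):
    """Plant the generated files on disk (e.g. a low-traffic share an intruder may browse)."""
    for name, content in files.items():
        Path(directory, name).write_text(content)

# Common Log Format line from the beacon host, e.g.
#   203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /t/<token>.png HTTP/1.1" 200 68
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /t/(?P<token>[0-9a-f]{16})\.png')

def match_beacons(tokens, log_lines):
    """Correlate beacon-host access-log lines with planted decoys.
    Returns a list of (source_ip, timestamp, decoy_filename) for every callback seen."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("token") in tokens:
            hits.append((m.group("src"), m.group("ts"), tokens[m.group("token")]))
    return hits

if __name__ == "__main__":
    files, tokens = build_decoys("payroll_2023", "# Payroll (constructed sample)\n", 5)
    tok = next(iter(tokens))
    # Constructed log line standing in for a real callback captured on the beacon host.
    sample = [f'203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /t/{tok}.png HTTP/1.1" 200 68']
    for src, ts, name in match_beacons(tokens, sample):
        print(f"{ts}: decoy {name} opened from {src}")
```

Because each decoy carries its own token, a single callback tells you which copy was opened, when, and from where, which feeds directly into the "deep analysis" and sharing steps without touching the intruder's systems.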
So there are some things you may be able to legally do, but I find myself wondering whether these deceptive suggestions are truly offensive techniques or not.
Would you consider the above practices offensive? Have any other deceptive suggestions? Let us know in the comments below. Today’s post pic is from BrandProtect.com. See ya!