Hacking the Hacker: The Downside to Vigilante Justice
Pat Clawson - July 2nd, 2013
Imagine you woke up one morning to find all of your possessions gone. Someone broke into your house in the dead of night and stole all of your things. You don’t know how they did it or who it was, but the fact remains: your stuff is gone. You might step outside, see the broken window or the ruined lock, and know that’s how they got in. If you look closer, you might see a few scuffs on the sidewalk showing you where the robber dragged your things to his car. When you go look in the street, tire marks show you where he drove away. Do you follow the tire tracks? Or do you call the police?
If you’re like most people, you call the police rather than chasing the robber down yourself. You want your stuff back, but you rely on law enforcement to find and retrieve it instead of pursuing an unknown robber on your own.
In the cyber world, however, more and more companies are considering chasing after, or hacking back, the unknown robbers who steal company data, intellectual property and other information. Yet hacking back is still illegal under the Computer Fraud and Abuse Act. Companies are lobbying for that to change, and there’s even a recent report that supports their position. Issued by the independent Commission on the Theft of American Intellectual Property, the report says that, “without damaging the intruder’s own network, companies that experience cyber theft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information.” Essentially, a portion of the report advocates that companies go in and take back their stolen information, and that as long as they do so without damaging the hacker’s network, it should be legal.
Don’t Focus on the Problem; Focus on a Solution
For a few reasons, I don’t agree. Aside from the obvious objection that a focus on finding the bad guys pulls resources away from your core business functions, the idea that you can actually find the hackers is almost always a fallacy. If you followed the trail of digital breadcrumbs for any given hack, it’s highly unlikely you’d be able to determine who hacked you with 100% certainty. The origins of a hack are rarely clear-cut, and hackers take steps to obfuscate their origin as much as possible. When nation-states are involved, as is becoming increasingly common, the political waters surrounding hack backs become even more muddied. Tracing a hack becomes almost like Inception: a hack within a hack.
Instead, going back to our initial scenario, while the police chase down the robber and your stuff, you should focus on replacing the broken locks, installing an alarm system or putting in other additional measures to keep the robber out. You should concentrate on a strong security model that treats your own network as a smart platform for defense and even countermeasures.
Most of us have limited resources available to defend our ever-growing data stores and access points. And sadly, the bad guys are very persistent at finding weaknesses and exploiting any hole we might have. The key is to understand the typical methodology used by attackers and use your network as an actively defensive tool. Specifically:
- Identify what’s outside of your system and network norm with event-based, early detection measures across cloud and on-premises sensors;
- Employ next-generation data analytics to understand your security baseline and distinguish APTs from everyday malware (Crowdstrike and KEYW are two examples of companies in this space);
- Activate additional layers of defense as needed to slow an attacker’s movements while additional strategies are deployed;
- Consider crowdsourced threat intelligence: sharing information across companies so that defenders can more quickly understand a threat and predict where attackers may go next. For more on this topic, check out this interesting blog post by CyberSquared.
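One way to put the first two points into practice, as an added example that is not from the article or from any of the vendors it names: learn a per-host baseline from known-normal outbound connection logs, then flag later events that fall outside that norm (a destination port the host never used, a byte volume far above its usual, or a host never seen before). The log format, host names and the mean-plus-three-standard-deviations threshold are assumptions; the log lines are constructed.

```python
import statistics
from collections import defaultdict

# Constructed sample log lines (not from the article): "timestamp src_host dst_ip dst_port bytes_out"
BASELINE_LOGS = """\
2013-06-01T09:00 ws-17 10.0.0.5 443 1200
2013-06-01T09:05 ws-17 10.0.0.5 443 1500
2013-06-01T09:10 ws-17 10.0.0.8 80 1100
2013-06-01T09:15 ws-17 10.0.0.5 443 1400
2013-06-01T09:00 db-02 10.0.0.7 5432 900
2013-06-01T09:30 db-02 10.0.0.7 5432 1100
"""
NEW_LOGS = """\
2013-06-02T02:10 ws-17 10.0.0.5 443 1600
2013-06-02T02:11 ws-17 203.0.113.9 4444 52000
2013-06-02T02:12 db-02 10.0.0.7 5432 1000
2013-06-02T02:13 ws-99 10.0.0.5 443 500
"""

def parse(line):
    ts, host, dst, port, nbytes = line.split()
    return {"ts": ts, "host": host, "dst": dst, "port": int(port), "bytes": int(nbytes)}

def build_baseline(log_text):
    """Learn, per host, the destination ports seen and a byte-volume
    threshold (mean + 3 population std devs) from known-normal traffic."""
    ports, volumes = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        ports[ev["host"]].add(ev["port"])
        volumes[ev["host"]].append(ev["bytes"])
    return {host: {"ports": ports[host],
                   "max_bytes": statistics.mean(v) + 3 * statistics.pstdev(v)}
            for host, v in volumes.items()}

def detect(baseline, log_text):
    """Return (reason, host, detail) for each event outside the learned norm."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        norm = baseline.get(ev["host"])
        if norm is None:                       # host never seen in the baseline
            alerts.append(("unknown_host", ev["host"], ev["dst"]))
            continue
        if ev["port"] not in norm["ports"]:    # new destination port for this host
            alerts.append(("new_port", ev["host"], ev["port"]))
        if ev["bytes"] > norm["max_bytes"]:    # volume far above this host's norm
            alerts.append(("volume", ev["host"], ev["bytes"]))
    return alerts
```

Running `detect(build_baseline(BASELINE_LOGS), NEW_LOGS)` flags only the 52000-byte connection from ws-17 to a new port and the never-seen host ws-99; the routine traffic passes silently.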
I’m not suggesting it’s necessary to roll out an entirely new IT infrastructure; rather, enhance your existing network and the security investments you have already made with information. Diligence is required to prevent the hacker from hitting your company, and that should be your focus rather than getting your stuff back.