May 11 2015

Can A Good Defense Include…Offense?

When defending one’s network resources, things like firewalls and other security appliances are envisioned. Putting walls up, both physical and virtual, to keep the bad guys out: that’s the name of the game, right?

What if it wasn’t?

People, and businesses, are hacked with regularity. Some hacks are harmless, some random person just probing things but without malicious intent. Others are testing and probing defenses, searching for a soft spot to exploit. And sometimes, you get the Sony hack that we’ve all heard so much about. But how do you handle it when you are hacked?

There are agencies that handle cyber crimes, though I think it’s safe to say that law enforcement may not be as prepared to handle an onslaught as they’d lead many to believe. And one key grey area could very well be how to respond to attacks. For an attack like Sony endured, or some of the healthcare breaches over the last few months, damages can be ascertained to some extent, but pinning the blame on one person or group is extremely challenging. More often than not, the hack was not the work of just one person, but of a group of largely anonymous people. They may eventually be found, but it’s slow work.

Is the slow pace of the work driving the victims to take matters into their own hands? The thought is not all that preposterous. Thinking in terms of a traditional crime, victims have been known to take matters into their own hands if they don’t get the justice they feel is warranted, either fast enough or ever.

Recently, the FBI has been investigating some hacked institutions that have engaged in an effort to hack back. Perhaps they aim to retrieve stolen information, or just simply exact some revenge. But is it something that should be allowed? Or is it even worth it?

Clearly, with the FBI looking into it, it’s not something they want US citizens engaging in. There’s too fine a line that is too easy to cross. And besides, if you were able to breach the hacker’s network and find the data they had pilfered, who’s to say it wasn’t already duplicated in numerous other locations? Odds are you might find one repository, but not the others, which means you really aren’t likely to take back sensitive data and leave the would-be hackers empty-handed. Outside of re-acquiring your data, is it even an effective defense? Companies like Sony, Disney or IBM offer a well-known name, an easy target: a big giant of industry. The various hacking organizations that have claimed credit for some of these attacks? They are much smaller, less defined and spread out. Anyone can look up who runs Disney. It’s not easy to track down members of a hacking group. And when the group responsible may actually be a state-run group? It’s no wonder the FBI would rather the victims stay out of the offensive hacking business.

If there were clear-cut rules of engagement, it could prove to be a useful tactic. But there aren’t, which leads me to believe that while it’s good to be able to know who is coming at your networks, you are likely better off staying passive. After all, if you pinpoint one of the original attackers and launch a counterstrike, what’s to stop that person or group from reaching out to their friends and expanding the scope of their earlier attack?

Ultimately, this is a brave, new world, with much left to be defined.