Enterprises waste time with revenge counter strikes against hackers

Unless you're in the revenge business, trying to counterattack hackers is an expensive waste: Analysts

Multinational companies sick of being hacked by everyone from Anonymous hacktivists to the governments of countries in which they're trying to do business are starting to do something other than wait and "cooperate" with law enforcement agencies that seem unable to corner most attackers.

Some companies are starting to hire their own hackers in order to strike back.

There is little or nothing even major companies with well-funded security teams can do to keep well-financed hackers out of their private data spaces, according to Rodney Joffe, cyber security advisor to the White House and senior technologist at infrastructure and security company Neustar, Inc.

The number, severity and even acceptance of cyber attacks as a fact of life have frustrated many companies that put a premium on security and made it more difficult for them to operate effectively, putting their financial health and that of the U.S. economy in danger, Joffe said in an interview with Reuters.

In an effort to determine how widespread successful hacks actually are, Joffe analyzed Neustar forensic logs covering 168 of the 500 largest companies in the U.S.

He found 162 of them owned computers that had at some point been sending data to hackers, Reuters reported this morning.

That's 96.4 percent of the highest revenue-producing companies in the U.S., whose giant revenue streams should be sufficient to pay for a reasonable level of defense.

It is routine for Western companies sending teams of negotiators to China, for example, to discover that the laptops, and often the servers, used by those teams of lawyers and technical experts had been compromised, presumably to help Chinese companies get the upper hand in negotiations, according to Reuters quotes from Dmitri Alperovitch, co-founder of CrowdStrike, a security company that specializes in taking the fight back to the hackers.

Rather than simply repairing the damage to their own computers, the idea of "active defense" or "strike back" tactics is to launch a digital counterattack designed to make the company an unattractive target, or to feed the hackers misinformation posing as the real thing, Alperovitch told Reuters.

In the face of Flame, Stuxnet, Duqu and a host of other state-sponsored malware or other attacks, the kind of security most companies can mount is weak, at best. Many have gone along with the stance the Pentagon announced earlier this year: assume hackers will penetrate even secure networks, and build defenses around misleading, blocking or deceiving them rather than stopping them at the firewall, according to Kenneth Minihan, former director of the National Security Agency, speaking at the RSA security conference in San Francisco earlier this year.

Even at their worst, 'strike back' tactics are more forensics than special operations

The counterattacks are nothing like the "black ice" security in cyberpunk fiction such as William Gibson's Burning Chrome, which can strike back at attackers in lethal ways.

Many companies conduct forensic investigations designed to identify their attackers in greater detail and using more sophisticated methods than most law-enforcement agencies are willing to devote.

Others figure it's more effective to mess with the hackers directly.

One tactic is to set up honey pots and repositories of fake data that can give attackers the idea they've hit the mother lode, only to realize later they've been mining pyrite instead.

Another is to let hackers take documents faked or booby-trapped in ways that will identify the thieves later, or reveal information about the location, ownership and possible vulnerabilities of the hackers' machines, Alperovitch said.

Counterstrikes, which are almost always covert due to the potential for the victimized company to break the same laws as their attackers, are still controversial among security pros.

They raise the stakes of an attack, inviting more serious counterattack, which is a losing game if the attacker is a national security agency rather than an organized crime gang.

They also raise the profile of the victimized company along with news that it has been hacked, making it a more likely target for other hackers, some security pros worry.

Before launching revenge strikes, check your corporate charter to see if you're in the revenge

Although the phenomenon is fairly new, the term is not precise. HBGary, famously hacked by Anonymous spinoff LulzSec last year after its CEO threatened to out several of its leaders, advertises "Active Defense" that is a node-by-node malware monitoring service, not an effort to strike back for a specific attack.

The essence of active defense is "breaking the vicious cycle of Whack-a-Mole," the game in which security has to respond to one threat after another from the same enemy without being able to attack the command-and-control networks that direct the continuous stream of malware moles, to freely paraphrase and warp the metaphors of Adam Meyers, director of intelligence at CrowdStrike.

Doing that requires, first, knowing who the enemy is, a question CrowdStrike addresses by identifying the tools, techniques and procedures (TTPs) used by attackers.

Once private intelligence services have been able to identify and track the attackers, the victimized company can decide whether to handle the attack simply as a problem for law enforcement agencies, or whether to set traps, plant misinformation and run other scams designed to turn the tables on the attackers.

Meyers called this the "adversary-based approach."

While being able to strike back at tormenters might be emotionally satisfying, there is no business case that justifies a counterattack and "no possible positive outcome," according to John Pescatore, formerly of the NSA and Secret Service and current head of Gartner's Internet security practice, speaking to Reuters.

Rather than spending a lot of time and effort trying to find and torture hackers, it would be much cheaper and more effective for companies to just identify the data that really is worth keeping absolutely secret and take the steps necessary to make sure that happens, Pescatore said.

Keeping 100 copies of the same blueprint, only one of which is accurate, would obscure real data with fake, for example.

Never loading critical documents on Internet-accessible machines, or encrypting them every time they hit a hard drive or travel across a network would also be good starts.

Considering how poor much of the firewall-based security at most companies is – passwords too complicated to be guessed by the average 5-year-old are still pretty rare in Corporate America – it might be a good idea to upgrade corporate data security to "adequate" as a first step toward an effective defense.

If it were your house rather than your company, you'd think anyone suggesting you launch a "Burn Notice" counter-intelligence operation against intruders was crazy if all you really had to do was make sure the doors were actually locked at the end of the day and no one left the cat flap open.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
