Skip Links

Thinking of a counterattack? Deception is better, say experts

Security experts say hack-backs are simply asking for more trouble, because it is almost impossible to know where an attack came from

By Taylor Armerding, CSO
January 04, 2013 08:00 AM ET

CSO - There is no such thing as a bulletproof firewall against digital attacks. And it's risky, and probably illegal, to "hack back," or try to launch preemptive strikes against attackers who are trying to steal your intellectual property or the identities and confidential information of your customers and employees.

15 free security tools you should try

But it's not illegal, and it is much less risky, to practice the traditional art of deception -- that is, to lure attackers into chasing fake data into places where they can't do any damage, and where you can monitor their activities and possibly their location.

The so-called "honeypot" defense is not new. It has been around for at least two decades and is regularly used by law enforcement and intelligence agencies. But the Washington Post reported this week that the tactic is becoming mainstream in the private sector as well.

The story profiled Brown Printing, of Minnesota, which has planted bogus user log-ins and passwords and phony configuration files in its system in an effort to lure hackers into "rabbit holes." Any hacker drawn to the phony data "was being watched by Brown, their computer locations tagged and their tactics recorded," the Post reported.

This kind of digital deception falls under a group of tactics called "active defense," since they involve engaging the attackers instead of simply trying to block or get rid of them. But it is probably the least aggressive of any active defense, because it is not a counterattack.

Most security experts say counterattacks are simply asking for more trouble, since they could promote an escalating series of attacks, and it is possible to attack the wrong villain because of the attribution problem. It is still almost impossible to know for sure where an attack came from.

[See related: Should the best cybercrime defense include some offense?]

And then there's the law. "Reaching into a person's computer to delete stolen data or shutting down third-party servers ... probably would violate federal law, FBI officials said," the Post reports.

Chester Wisniewski, senior security adviser at Sophos, said companies trying to counterattack generally have much more to lose than the attackers. He compares it to trying to go after car thieves by finding and stealing their car. "They don't have a car -- that is why they are trying to steal yours," he said.

Matt Johansen, threat research manager at WhiteHat Security, said Digital deception, by contrast, "is a great practice for companies to get into that isn't at all asking for more trouble."

"The idea of a honeypot and fake data allows a company to buy some time in detecting an intrusion and dealing with it effectively before any real compromise is made to the customer or sensitive information," he said.

Attribution is not a problem because the company is not going outside its own digital walls to plant the fake data -- it's not attacking anyone, but only monitoring those who are illegally inside its own walls.

"The fake information 'rabbit holes' will only be stumbled upon by people who aren't supposed to be looking there and will obviously just set off alarms for a company to identify a threat," Johansen said.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News