I was just reading an article about an FBI investigation of whether US banks are attacking their cyber attackers in an attempt to fight back. Along similar lines, we recently saw reports of Sony taking an offensive position by DDOS-ing sites hosting its content.
The question of whether it makes sense to attack your cyber attackers isn’t new—this has been a debate in the infosec community for quite a while. In my opinion, in most cases the answer is “No, companies shouldn’t attack back.”
Attacking Back Is A Bad Idea…
There are a number of problems with retaliatory attacks on the internet—here are a few that come to mind:
- Attribution is difficult and error-prone. Savvy attackers usually obscure their attacks in ways that make it difficult to tell who is really behind the attack and where they are coming from. Not only does that make it likely you’ll be attacking the wrong target in your retaliation, it also means the attackers will be unlikely to feel the impact, if they even notice that you’re striking back at their botnet.
- It’s usually a bad idea to poke the bear. If the attackers do notice, you might increase their determination or cause them to go from nuisance attacks to more dangerous approaches. Similarly, with “state sponsored” attacks becoming more frequent, you might be attacking an entity with greater resources than you realize – and their “counter-counter-attack” could be much worse than the original attack.
- You’ll probably break the law. In many (most?) jurisdictions, it is against the law to intentionally attack, harm, or disrupt others in a cyber attack – even if they are the bad guys. While it might feel good to attack back, you might be getting into more than you bargained for from a legal perspective.
…Except When It Isn’t
Of course, the issues above generally assume that you’re acting as a lone entity trying to exact vengeance on your attackers. But what if you’re not a vigilante? For instance, we’ve seen a number of successful “botnet take downs” by Microsoft recently.
The major difference is that Microsoft’s retaliatory attacks were orchestrated through cooperation with law enforcement, such as Europol’s European Cybercrime Centre (EC3) and the US FBI. Not only does working with law enforcement address the question of the legality of your actions, it aligns you with greater resources and response capabilities if things spin out of control.
Working with law enforcement also adds higher confidence in attribution, so you are more likely to retaliate against the right people. Even then, we can see examples that attribution is difficult, as we saw when Microsoft accidentally took down some researchers’ servers during a botnet take down.
Look Before You Leap
If you’re thinking about striking back, don’t take the first step until you’ve really thought about the possible implications. Make it a corporate decision, not just an infosec decision (and definitely not an individual contributor decision). Discuss it with your legal team and use outside counsel if you need to. Lastly, talk with law enforcement.
Whatever you do, think before you act.
Agree? Disagree? Share your thoughts.