
Hacking back: A viable strategy or a major risk?

Many organizations are now hacking back at attackers, in an active cyberdefense move. Expert Peter Sullivan explains the possible outcomes and drawbacks of taking action.

Organizations all over the world are concerned about protecting the information assets they need to produce products, deliver services, differentiate themselves in the marketplace, produce revenue and deliver value to their customers and their shareholders. These organizations are devoting enormous amounts of resources to protecting the information assets needed for them to operate and stay in business.

Businesses and government agencies are under attack every day, and the costs are enormous. According to a 2014 study by the Center for Strategic and International Studies and security firm McAfee, cybercrime costs the United States 0.64% of GDP annually. Applied to a 2015 GDP figure of $18 trillion, that works out to $115.2 billion a year.

Given the extent of cybercrime costs, many organizations are wondering, "Why can't I defend myself against these constant attacks and prevent these losses?" Enterprises can defend themselves -- and can even engage in "hacking back." But the reality of a typical cybersecurity defense is passively waiting for the next attack to hit, while hoping that whatever defensive schemes you have deployed will protect you.

Organizations may hope that attackers never find the gaps where no defenses were deployed, but they also know that attackers will probably learn of the next new vulnerability before they do. An attacker is likely to have a working exploit for such a vulnerability before the organization can put an effective defense in place. Organizations all over the world are finally coming to the realization that a purely defensive strategy for protecting their information assets is a strategy that will ultimately fail.

This type of strategy fails because of the asymmetric nature of information defense. The asymmetry is often expressed as, "To be successful, the defender needs to be right 100% of the time, while the attacker needs to be right only once."

Given that the defensive strategies commonly employed are not working to protect vital information assets, organizations are becoming frustrated that the resources expended on cybersecurity only provide, at best, a low level of assurance that their information systems are protected.

For organizations that have been attacked and have suffered intrusions and losses in spite of their investments in cybersecurity, frustration and anger can build to the point where they are willing to become more active and aggressive in dealing with their attackers. In a survey conducted at Black Hat USA 2012, 36% of respondents claimed they had retaliated in response to a cybersecurity attack.

One particular method of turning the tables on the attacker is "hacking back," in which the target of an attack responds with a counterattack against the cybercriminals or hackers. For organizations willing to at least consider going on the offensive by hacking back, what are some of the issues to consider?

Hacking and hacking back

Hacking is defined as accessing a computer, network or information system, including its information, without authorization. Hacking involves circumventing security controls or exploiting vulnerabilities with malicious intent.

Hacking back is also accessing a computer, network or information system without authorization. The difference with hacking back is with respect to motivation. The motive for an organization to hack back against an attacker may be to recover or wipe stolen data or intellectual property. Other motives for hacking back may be retaliatory in nature, including disrupting or damaging the attacker's systems and degrading their ability to carry out future attacks.

The decision to hack an adversary is a policy decision that needs to be made at the highest levels of management. Hacking back is a technical activity, but deciding to do it is a business decision. Information security is a business-focused operational risk management activity, and the decision to hack an adversary in order to protect information needs to be considered from a risk management perspective.

Legal and ethical implications

If malicious hacking is an illegal activity, then hacking back is also illegal. In the United States, the Computer Fraud and Abuse Act of 1986 (CFAA) has been interpreted broadly enough that unauthorized access to almost any computer is treated as illegal, regardless of the motive.

Another issue with hacking back is collateral damage. Cybercriminals often use the computers of unwitting third parties to conduct attacks, sometimes gathering these compromised machines into large botnets that launch attacks and distribute spam and malware. Identifying the true source of an attack is difficult, and hacking back into a computer owned by an innocent third party presents serious liability concerns. A 1994 amendment to the CFAA permits civil claims for damages, so the owner of that third-party machine has a cause of action against you.

Legality aside, a simple ethical code that lists values such as "do no harm," "respect employees, contractors and vendors" and "follow the law" would also be violated by the activities and outcomes involved in hacking back.

The decision to hack an adversary has a number of risk considerations, including:

  • Financial loss

Organizations need to answer several questions -- Does hacking back offer any financial incentives? Will hacking an adversary prevent the loss or allow recovery of information assets and intellectual property? Will hacking an adversary prevent damage to computers and networks? How much will hacking back save? What does it cost to hack back?

  • Reputation and customer confidence

There is the possibility that an organization's reputation would be impacted if its hacking back activities attract interest by the press and law enforcement. What if hacking back resulted in damage to a third party? This could lead to a negative reaction by customers, with possible revenue implications.

  • Civil and criminal penalties

What are the potential penalties that may result from hacking back? A cybercriminal may not be likely to sue, but what about the organization that was forced offline and lost business as a result of your hacking back?

With respect to criminal prosecution, the U.S. government has aggressively pursued violations of the CFAA, although not for hacking back.

  • Productivity

The productivity and business losses from a denial-of-service attack can be severe. Is hacking back a realistic response strategy to a denial-of-service attack? Could hacking back reduce the damage and speed recovery from a malicious security incident?

  • Safety

What if, after an attempt to hack back, the attacker decides to conduct additional attacks solely for the purpose of damaging your information systems and your ability to conduct business? What would a complete denial of service mean to your business?

  • Liability

What if your hacking back activity causes damage to a third party? What if that third party decides to pursue damages in civil court?

What hacking back is not

Hacking back is not an alternative to cybersecurity best practices. It is not a way to sidestep the responsibility to protect information assets through conventional means. Deciding to hack back is a last-ditch strategy after all other alternatives have failed. Hacking back should only be considered, if at all, after an organization has already implemented world-class cybersecurity plans, policies and procedures and has operational experience with them. Given the legal and ethical problems described above, organizations should ask themselves whether hacking back really is a reasonable and viable cybersecurity protection strategy.

About the author:
Peter Sullivan began his career in network operations, information security, incident response and risk management over 20 years ago with the U.S. Army. For the last twelve years, Sullivan has been a visiting scientist at the Software Engineering Institute, Carnegie Mellon University, where he teaches courses in risk management, information security and assurance, computer security incident response and digital forensics. He is also a partner with InfoSecure Solutions LLC, a consultancy specializing in IT risk management and incident response planning based in Massachusetts.

This was last published in May 2016

In what scenarios should an organization consider hacking back?
I know it's wrong of me, but I really love the idea of this hack-back approach. It could actually work. If we can sense the pending attack and respond - hopefully by making the hackers and/or their computers burst into flames. Since this is unlikely to have much effect on the most virulent attacks, the industry would be far better served by shoring up our defenses and actually preventing the hacks. Alas, infrastructure repair has never been a sexy investment.
To boast or claim that we can hit back at "Black Hat Hackers" is bordering on reckless and stupid, and possibly arrogant.

Whilst sometimes the best offense is a good defense, the idea of hacking back a target can be a minefield, in the sense that the actual analyst would be picked out in a second as a "White Hat Hacker", or the actual target itself is well defended against return attacks.

Rather than spending time and money investing in return attack techniques, it could be spent on penetration testing and designing an infrastructure that can defend against attacks, with a "Defense Plan" in place for such events.
I like the idea of hacking back in theory. The laws do not provide enough of a deterrent for the hacking activities. So the risk vs. reward is a big incentive. If we just set up a few bogus sites laden with malware and viruses to infect those that are new to hacking, it may deter them. The seasoned hacker would most likely be too smart to fall for the ruse.
@Norman - what about false alarms though? While some attacks are probably easy to justify in court, others will be more subtle. And how to justify the impact of revenge? I.e. damage received versus the damage given back?
Most hackers will likely move on after they hit your system. They would be crazy to hang around. Giving this some more thought, if you found out and hacked them back, they might just come back at you harder than the first attempt. They got in once without you knowing and may feel they have superior skills and could do more harm than you might be willing to risk. It would be like starting a feud that goes on and on and on....
Sure, we can imagine that hacking back would be a great way to even the score with attackers, but it's a dangerous fantasy for all the reasons Peter Sullivan lays out.

Criminals who hack my systems don't consider themselves bound by laws against hacking, so escalating the situation by hacking back merely invites the hacker to escalate right back at me, with bigger, badder and more damaging responses.