According to Gartner Inc., using "hack back" and deception techniques in enterprise IT is an increasingly popular method for fooling criminal hackers and thwarting attacks. It's almost a rebirth of the decades-old honeypot approach to security. These new deception techniques promise to reduce false positives and increase visibility over traditional honeypots. It could certainly provide certain businesses with security intelligence that might not otherwise be available. Similarly, organizations that have been attacked will use a long-standing technique that has had a recent revival and will lawfully hack back. There is plenty of debate around the ethics of hacking back, and this tip will discuss the merits and drawbacks of an "offense is the best defense" approach to security.
Fix the small problems first
Deception techniques, as described by Gartner's recent report, or hacking back may not be an ideal approach for an average enterprise in the long term because reaction is not a strategy. It's important to focus first on doing what it takes to prevent an environment from being easily attacked. It's safe to say that most enterprises have not done everything they can to fix the basic issues that are known to cause problems, such as weak passwords, missing patches, poorly or improperly implemented antimalware protection, untested or unresolved Web security flaws, mismanaged and undersecured unstructured information, unencrypted laptops, and unmanaged phones and tablets that access and store sensitive information.
Resolving the handful of issues that are known to cause the majority of problems is basic Pareto Principle implementation. These issues are also commonly identified in the findings of the Verizon Data Breach Investigations Report, studies from the Ponemon Institute and many others. Yet they are still ignored in so many cases. Perhaps it's by choice -- i.e., they're too "basic" to really solve big problems -- or perhaps it's through ignorance -- i.e., the flaws haven't yet been uncovered. Regardless, if organizations focused on the issues that have been shown to cause problems before resorting to hack back techniques, they could improve security.
Take modern society, for example; there's a pill for almost every ailment today, including prediabetes and diabetes. Research has shown for decades that carbohydrates in excess are bad for the human body, and that people should take steps to reduce carbs in their diets. When I discovered I was insulin-resistant, I followed this basic advice and was able to quickly resolve everything diabetes-related that was ailing me, including my inability to lose weight no matter how much, or how hard, I exercised. Over the past decade, the research has been further refined to the point where we know how to virtually eliminate type-2 diabetes. Yet, still, half of Americans are diabetic or prediabetic. This scenario plays itself out in information security, across businesses and government agencies of all sizes to this day. As author Ayn Rand said, "The hardest thing to explain is the glaringly evident which everybody had decided not to see."
What to consider before adopting 'hack back' and deception techniques
Hack back and deception techniques are not without value when it comes to enterprise security. There's no doubt that deception techniques can add some value, especially in federal government scenarios where these approaches are already being used to thwart advanced persistent threat groups and nation-state hackers. It would surely be more fun than fighting the security fight from a defensive perspective. But keep in mind that deception techniques are not necessarily the same as hacking back techniques, such as launching denial-of-service attacks and running exploits in attempts to obtain remote access. However, traditional deception techniques can be considered "offensive" measures. The mere act of luring attackers into a honeypot trap, getting them to do things they might not otherwise do, using up their resources to try to penetrate the wrong targets, and the like, could be shown to be more than just passive measures.
Still, the average business is probably not ready to take on such an approach because there are many considerations such as:
- Where do you start? Who heads up such efforts?
- How do you set rules of engagement?
- Do you have a policy, procedures and a set of standards documented for this approach to security like you have for the defensive side?
- What do you do with the information?
- Will executive management and legal be involved?
- When do you grow the practice?
- How do you know when to stop counterattacks?
Suppose there's an ultra-sharp team of people, including former military, NSA and perhaps even some ex-con hackers, working on the enterprise's offensive security program. Is it truly in the best interest of your business mission for these people to fight back when the attacks start? Fighting back in the physical sense is often the only option for survival, but is that necessary to secure ones and zeroes? Deception and hack back techniques could instigate the attackers even further. Is the network, the team and the business ready to handle the potential repercussions? If it gets out, how are such attacks going to reflect on the organization in the marketplace? What legal issues arise when gathering attack information and/or hacking back indirectly impacts innocent third parties?
For enterprises that truly have a handle on their information security programs, have maximum visibility and control along with minimal risks, these deception techniques might be just what's needed to take security to the next level. Until then, focus on what matters and fix the fixable. Otherwise, enterprises will be spinning their wheels and wasting valuable resources that would be better served elsewhere.