9 Facts: Play Offense Against Security Breaches

Striking back by hacking hackers is a legal and corporate no-no. But IT and security managers can shore up defenses and trick attackers into revealing their identities.

Who Is Hacking U.S. Banks? 8 Facts (click image for larger view and for slideshow)
When the intrusion prevention system signals that a corporate network is under fire, what IT manager wouldnt love to launch a cyber strike-back attack?
Better to control any such impulses, as legal experts say that hitting back may
break the law
. For starters, unauthorized access to an attackers system can put you in violation of the Computer Fraud and Abuse Act or states trespass laws.
On the other hand, as David Willson, an attorney from Titan Info Security Group,
said at this weeks Hacker Halted conference
, If a hacker wants to sue you for unauthorized access, that might be a chance youre willing to take.
[ The FBI is beefing up its resources to defend against malicious hackers. Read more at
FBI Expands Cybercrime Division
. ]
Unauthorized access to an attackers system is one thing; a full-blown cyber strike-back is another. Given all the potential responses, exactly what is allowed -- or at least tends to not be prosecuted? Here are nine facts to help keep your security operations in the legal and ethical clear.
1. Forget striking back, unless youre Georgia.
Online attacks may be sexy, but theyre also illegal – unless, of course, you happen to be operating under the aegis of a
clandestine U.S. government cyber-weapons program
, or assisting a state intelligence or security service.
Take the country of Georgia, which recently
outed an attacker through his webcam
. Unfortunately, its techniques fall into the Dont Try This at Home camp for corporate security professionals, since Georgias self-described counter cyber-intelligence effort involved infecting the attacker with his own
Georbot malware
. To do this, Georgian security experts infected a test machine with the malware, thus putting it under the control of the attackers botnet. Then they copied a fake zip file containing the malware, re-titled Georgian-Nato Agreement, onto the PC.
Helpfully, Georgias Computer Emergency Readiness Team (CERT) had already gained access to the botnets command-and-control server control panel. So after the attacker unzipped the file and executed it, infecting himself with his own malware, Georgian authorities were literally able to control his computer. They then activated the webcam and began studying the contents of his PC, obtaining information about his destination city, Internet service provider, and email, as well as his handle--Eshkinkot--according to a
report
released by Georgias CERT, which blamed the attack on Russian security services.
2. Dont set malicious booby traps.
If striking back is out, whats the point? Focus on
building a better defense
. We discourage people from full-on attacking back, said Paul Asadoorian, product evangelist for Tenable Network Security. He teaches an offensive countermeasures course with John Strand on tactics and measures that companies can take to improve their defenses while also adding, in his words, a splash of offense.
A large portion of the course is devoted to reviewing relevant case law from both the digital and physical realms. Were definitely aiming to put in the hands of practitioners techniques that they can use that are both effective at stopping attackers today, and which also wont land them in an orange jumpsuit, Asadoorian said, speaking by phone.
He references a case involving Eric Stetz, who decided to protect his apartment by
creating a malicious booby trap
involving a knife duct-taped to a crutch. When the landlord opened the apartment on a preannounced maintenance visit, he fortunately avoided injury, but Stetz was arrested on charges of reckless endangerment. You should not be thinking of doing the digital equivalent of what this person has done, because the moral of the story is, the wrong person could fall into this trap, said Asadoorian. You have to use good common sense.
3. Pursue reconnaissance.
Malicious booby traps are out, but some types of reconnaissance seem to be legally acceptable. In a
case involving Jerome Heckenkamp
, for example, a Unix system administrator at Qualcomm who was investigating an attack collected the IP and MAC addresses of the attacker and then hacked into the alleged attackers computer, which he found belonged to Heckenkamp. Crucially, however, the administrator didnt delete any data or set any traps -- he only collected relevant information -- and a court ruled that he
hadnt violated Heckenkamps privacy
. Heckenkamp ultimately agreed to a plea bargain that saw him released for time served.
Port scans, which might be considered an offensive countermeasure, also appear to be legally acceptable in some circumstances according to Asadoorian, who noted that many security researchers have used them to help reveal the quantity of
Internet-connected devices with known vulnerabilities
.
Still, many underlying legal questions remain unanswered. Veteran technology reporter David Pogue, for example, this month
asked
in
Scientific American
, Does a public Find My iPhone search violate personal privacy? after he tweeted the address of the person whod snatched his iPhone from an Amtrak train. While local police recovered the phone and the culprit admitted guilt, Pogues tweet raised some peoples privacy hackles. After investigating the issue, however, Pogue reported that for the most part … both the legal and ethical ramifications of my crowd-sourced phone quest are nothing but murk.
4. Leave enticing -- but fake -- pages unsecured.
Legally speaking, when it comes to defending corporate networks, what is allowed? One of Asadoorians recommendations is to create a fake administrator page on a website and use it as part of an early-warning alert system. Well set up a fake administration page on someones website and do things to lure attackers to that site. Since we know that no one should be going to that site except an attacker, its almost like a honey pot, he said.
5. Socially engineer attackers into using Java.
For a twist, leverage attackers curiosity by noting that Java must be enabled to access all administrator panel features, perhaps suggesting that the panel can then be used to access network-connected video cameras or switches. If attackers do enable Java, execute JavaScript on their system to gather information and see if the PC is operating behind network proxies. For example, the
Metasploit Decloaking Engine
demonstrates how Java and Flash can be used to gather information on someone visiting a website.
While such tools may be good for gathering information, they also have limits. That works well in a scenario where there are one or two attackers targeting your network -- dare I say APT? said Asadoorian. But when you have all these different attackers targeting you and you may get back to machines in Russia, you have to be careful.
6. Scuttle port scanners with infinite loops.
Another useful defensive measure is to guard against attackers using port-scanning tools that try and identify known vulnerabilities on a business network. One technique,
developed by Ben Jackson of Mayhemic Labs
, involves seeding corporate websites with numerous link-filled pages to send port-scanning tools into an infinite loop.
Similarly, Asadoorian said hes helped develop Unix and Windows scripts -- one for OS X is on the way -- that
create firewall rules
to block IP addresses from which scans are being launched. The scanner has to be making a full connection, and once is does that, were able to block their IP address based on their connection attempt, he said.
7. Security 101: Start with a good network.
Building better countermeasures might sound sexy, but such enhancements must rest on a firm foundation. You need to have a very well-defined network before you can start monitoring it, and you need to be monitoring the events and logs from your systems before you can go putting these types of things in place, said Asadoorian. If you have no firewall, patch management, or log management, Im not going to recommend that you start putting scripts in place to add firewall rules.
8. Keep Legal in the loop.
When considering avant-garde defensive measures, start by liaising with in-house counsel and technology managers. Discuss it. Make sure this isnt something that you do in the dark of night, [without letting] your CIOs or CFOs know, said John Strand in a
presentation on offensive security at Derbycon 2011
. Also, document the plan and everything thats been discussed and agreed upon -- not least to protect yourself. Ensure that
information security policies and warnings
are updated to reflect the fact that technologies could be used to scan and forcibly identify any system that attempts to connect to the corporate network or that is acting suspiciously.
9. Reach out to law enforcement agencies.
Beyond blocking attacks in a timely fashion and amassing potential intelligence on the attackers themselves, is there anything else that information security professionals can do fight back?
Not directly, but do consider handing off the information to authorities in case they can follow through and positively identify and prosecute the people behind the attack. If you gain access to an attackers machine, and legally youre able to look around and see that theyve compromised a number of other machines, thats certainly useful information, and working with law enforcement is where a lot of this would lead to, said Asadoorian.
Notably, the FBI this week announced plans to
expand its cybercrime division
. In particular, the bureau wants to get better at attributing attacks to specific hackers.
Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report,
Using Google To Find Vulnerabilities In Your IT Environment
, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
9 Facts: Play Offense Against Security Breaches