Think Twice Before Becoming A Hacker Attacker

I'm a big proponent of self-defense. Having studied a few of the martial arts, I've learned the value of being prepared to fend off and respond to attacks. To paraphrase a famous activist of the '60s: If someone attacks you, make sure he can't put his hands on somebody else.

That appears to be the stance of a growing number of large companies that have been victimized by hacker attacks, according to extensive research conducted by WarRoom Research.

In an 18-month study of 320 Fortune 500 companies, 30 percent said they have installed software capable of launching counterattacks to security breaches. The report, titled "Corporate America's Competitive Edge," focuses on security and business intelligence practices and will be available next month.

Most security experts agree that companies should have some way to strike back at hackers. They caution users, however, not to get embroiled in cyber shootouts. The main reason? The system you're aiming at might not be the culprit.

The concept of "strikeback" has been around for years, but the method gained wider attention over the past few months after the Defense Department used software to disable an attacker's browser.

Strikeback can take many forms-from the collection of information about intruders that can be used later to launch a counterstrike or put the culprits in jail, to the launch of debilitating countermeasures such as denial of services or flooding attacks that virtually shut down an attacker's system.

But a savvy hacker can forge packet headers to make it appear that an attack is coming from another location. And if a company is shooting first and asking questions later, innocent people could be hurt.

What's ominous about the WarRoom Research findings is that many of the companies in the security study would prefer to use their own strikeback methods as opposed to calling the FBI or state law enforcement agencies.

As WarRoom Research president Mark Gembicki pointed out, a code of ethics controls how government agencies use strikeback measures. Large companies are truly borderless and are moving into uncharted territory.

Ken Geide, section chief of computer investigation with the FBI's National Infrastructure Protection Center, agreed.

"It's really important that companies have the capability to detect efforts to break into systems," he said. But strikeback has possible drawbacks.

"The consequences of strikeback has the potential to put the victim at civil risk or physical risk," Geide said.

The companies in the WarRoom study view strikeback as a right, just as the law protects physical self-defense by way of force.

But there are lessons from the physical world that IT managers should consider before launching a strike, experts said.

If you see someone trying to break into your car parked at the curb, do you have the right to get your gun and take a shot at the suspected thief? Geide asked.

The person might be intoxicated and just stumbling on your car, not actually intending to break in. Worse, the bullets may ricochet and hit a bystander.

"Our recommendation would be to let a properly trained individual help protect the property," Geide said. IT managers should adopt the same kind of response when conflicts arise in cyberspace.

"They could be launching a strikeback against themselves. The victim is better off working with law enforcement," he added.

Geide said, however, that companies have been reluctant in the past to tell law enforcement about security breaches, fearing unwanted public exposure. Just as technology continues to advance, the FBI has grown more sophisticated in investigating computer break-ins. "We're cognizant of the concerns of the victim. It would be silly to victimize the victim twice," Geide said.

As a result, the FBI has seen a nearly 200 percent increase in pending investigations, primarily as referrals from victims, according to Geide.

It's clear that more large companies are devising options and plans to address network intrusions-from both internal and external attacks. Many are deploying tools that block or kill TCP/IP connections when an intrusion is detected.

Those considering counterstrikes should realize that we're a long way from being able to effectively verify that we're hitting the right targets.

Rutrell Yasin is a senior editor at InternetWeek.