Security Experts:

Black Hat: Hacking Back - The Best Defense May Not be the Best Offense

Black Hat 2012

A new survey of Black Hat attendees shows many are not afraid to fight back against hackers with their own tactics.

The legalities of cyberspace can be complex – particularly when organizations consider whether offense is the best defense.

Nevertheless, the subject of just where the line is came up in more than one talk at the Black Hat USA conference in Las Vegas. During his presentation, Robert Clark, operational attorney for U.S. Cyber Command, laid out this scenario: you are a system administrator, and poor security practices lead to theft of intellectual property on your watch.

"What…is my first thought - if I pick up the phone and call the CEO, I'm freaking fired," he said. "I'm out of a job. So what can I do?"

While it might be tempting to dig through your organizations logs, track the data theft to its source and delete the files off the server, that action can be fraught with legal dangers, he explained. For example, accessing the server for example could be a violation of the Computer Fraud Abuse Act, he noted.

"So you're in there, and you see your files there…I've got to elevate my privileges to delete [the files] off of there…. congratulations, count two of the Computer Fraud Abuse Act," he said.

Earlier this week, nCircle polled 181 people at the Black Hat conference in Las Vegas and discovered 36 percent said they engaged in retaliatory hacking in the past. “There’s a huge difference between a security expert who can qualify attackers and apply appropriate responses and a neophyte who reacts blindly," said nCircle CTO Tim 'TK' Keanini. "The best strategy for most companies is to forget retaliation and concentrate on improving their defenses.”

During his presentation at Black Hat, former FBI Assistant Director Shawn Henry argued that organizations needed to "step up" in the fight against cyber-criminals – but added that he did not mean cyber-retaliations should be in play. Instead, organizations should focus on gathering intelligence that can be used to both catch and defend against attackers.

"We need to understand who the adversary is, because if we understand who they are, we can take proactive measures," said Henry, who today is president of CrowdStrike Services, an arm of security startup CrowdStrike.

While more than a third responded to the company's survey stating that they had either hacked back once (23 percent) or frequently (13 percent), Keanini said the actual percentage may be even higher.

“Retaliatory hacking is a huge topic at Black Hat this year, but we should take these survey results with a grain of salt,” he said. “It’s safe to assume some respondents don’t want to admit they use retaliatory tactics. It’s very tempting to strike back out of anger and frustration. However, as infuriating as cyber criminals can be, this ‘eye for an eye’ code of justice can be extremely dangerous."

view counter