The idea of avenging cyber attacks may be tempting for some, but organizations should focus instead on sharing threat data to strengthen their defenses, a panel of cyber security experts said Thursday.
While there has been a lot of discussion recently within the security community about organizations launching counteroffensives, a panel speaking at NYU-Polytechnic Institute in New York cautioned against the practice.
"Strikebacks" refer to the act of tracing a cyber attack back to its origin and disabling that computer. An organization that strikes back is no longer a victim, but an aggressor, and there may be legal concerns about making that switch, panelists said.
A homeowner may strike at a thief in the middle of an intrusion, but the situation is different during a cyber attack, said William Pelgrin, president and chief executive of the Center for Internet Security (CIS), an East Greenbush, N.Y.-based security consultancy.
For starters, attributing an attack doesn't always lead to the actual perpetrator, Pelgrin said. Attackers use proxies and commandeer other systems to hide their tracks.
As an example, a server in France may send out an email containing a link to a server in the United Kingdom hosting malware, he said. That malware may then transmit personal data to several servers around the world. But before a victim organization can be sure who is at fault, all of these machines have to somehow be linked back to a single individual or entity.
"I can't imagine any responsible organization would allow hacking back as part of their policies," said Edward Amoroso, senior vice president and chief security officer of telecom giant AT&T.
Payback is a recurrent discussion point in cyber security circles, but it's unlikely to ever become an acceptable practice, he added.
The tactic, regardless of the provocation, is still not legal, said Paul Mahon, assistant special agent in charge of the New York field office of the U.S. Secret Service.
Instead of trying to get even, organizations should compile information about the attack and work within the legal system to go after responsible parties, Mahon said. The evidence must be presented to a judge, who then has the authority to determine whether the organization can take down the offending servers or disable the system.
"Vigilantism may feel good, but it didn't work in the Old West," Mahon told SCMagazine.com on Thursday.
Instead of striking back, information sharing is a more effective method of understanding the attacks and possibly identifying the perpetrators, panelists said. Organizations should work to develop partnerships with government agencies and other private sector companies, as that would allow them to create defenses against increasingly sophisticated attacks.
"Information sharing must be second nature," Pelgrin said.
But Mahon pointed out that there are challenges to information sharing, saying there are legal requirements in place to ensure individual privacy is protected. Threat data needs to be scrubbed, and there are specific limitations to what can be requested.
Organizations also must acknowledge that they will be attacked, or that they have already been compromised, said Marcus Sachs, vice president for national security policy at Verizon Communications. Once they accept that fact, they can start making plans on how to respond, in the same way they have plans to deal with natural disasters.