Should you fight back against hackers?

Hacking on keyboard

Companies can fight back against cyber attacks, according to Kaspersky Labs, whose researchers took it upon themselves to find out what kind of services firms offer those who have been hacked.

Security deception firms such as Cymmetria, Illusive Networks and Attivo Networks have won millions of pounds in investment recently, but exactly what "deception" services they offer is not easy to discern, noted Kaspersky researchers Vicente Diaz and Dani Creus, speaking in a session at the company's Security Analyst Summit in Tenerife.

The pair decided to investigate exactly what counter-intelligence companies offer their customers, suspecting it would range from active defense and response to reducing attackers' return on investment.

While some companies were happy to discuss selected tactics with the researchers, others were not as forthcoming. So the duo tried some social engineering, creating a fake company and contacting the firms as though they were potential customers.

Creus said at first the idea seemed doomed to be an embarrassing failure. "You are telling us to lie to counterintelligence professionals, most of which have a military background?" he said.

But it worked, and the pair have revealed some of the services under offer but not all the services, because in their guise as a customer, they were required to sign a non-disclosure agreement regarding some tactics.

Spectrum of deception

Diaz said the tactics run a spectrum from less aggressive to more aggressive "you can do nothing, you can just monitor, you can hack back", he said.

That spectrum begins with active defense, which is anything that makes it harder for a company to hack even in the middle of an attack. "The idea is very simple," Diaz said. "It is to decrease the attackers' return on investment, to spend more time on their internet attack [than] on us."

Moving along the spectrum, firms can also set up honeypots to attract and trap hackers with false but tempting data or access points, as well as fake applications, servers and credentials. "That's nothing new from the technological perspective, but there's some really cool implementations," said Creus.

However, the pair of researchers said they have some doubts "about the effectiveness of this approach", saying such tactics are best at tracking hackers moving throughout your infrastructure, but will not trap a targeted attack on a CEO, for example.

Plus, any effort in one area may take the focus away from basic security measures. The security experts discussed an attack on a Middle Eastern bank where hackers worked their way through the internal infrastructure, eventually finding a plain text file of login credentials. Had that been fake, the use of the dodgy logins would have set off alarms, which suggests that planting false data could work in some instances.

"In this case, it would have been super-effective," said Diaz. "But to start with, why do you have a plain text file with user names? You can do more first."

A step further

The last round of countermeasures were not fully detailed, but Kaspersky suggested it includes more serious efforts such as hacking back against attackers. Any company should consider two challenges aside from legal ones before undergoing such measures, the researchers said.

First, make sure the attack has been attributed properly. "[It will go badly] if you don't know who your attacker is and you try to play tricks on them," said Creus, noting that the counter intelligence firms in question do not all offer attribution capabilities. "This is surprising as it is key if you want to respond to your attacker effective response depends on our knowledge of the adversary."

Secondly, counter intelligence is difficult. "There is no software that can do counter intelligence for you, you can't automate it, you need deep internal knowledge," said Diaz.

"These kinds of technologies will not be of general adoption anytime soon as you need to be very mature in your security to apply them effectively," added Creus.