Strikeback: Attacking the Cyber Attacker

What? It’s against the law to hack back against someone who launched a cyber attack against you? Oddly enough, yes. The rationale is the same as that behind any other criminal act. If someone steals your car, you’re not allowed to steal their car. You would be, technically, committing a crime. You are supposed to contact the authorities to intervene on your behalf. Consider this as something of a disclaimer.

Strikeback, strike-back technology, hacking back, reverse hacking, or active defense are just some of the names used to describe launching a counterattack against someone who has tried to compromise your device or network. Launching such attacks is not as easy as it may seem. To explain this, I will digress here a bit, actually quite a bit. In an Italian movie called The Seduction of Mimi, a man discovers that his wife is having an affair, and, in order to get revenge, he decides to seduce the wife of the man who has seduced his. To his dismay, he discovers that this man’s wife is, let us say, a large, powerful woman with five children. At first, he feels this will work to his advantage, as he reasons that she probably has few admirers. However, what he does not reckon with is the fact that she maintains high moral standards and, no matter how he tries, he cannot seem to persuade her to take a romantic interest in him, which leads to a series of humorous scenarios, each of which complicates his life further and further. Strikebacks are much the same. They may appear easy to carry out on the surface, but they may have hidden dimensions that only reveal themselves after the attack has been launched.

For example, you may easily be able to find the IP address of the attacker, which may lead you to think that striking back is simply a matter of attacking that address. However, few attackers are using their home computers. Mostly, they mask their address in a number of ways and can launch the final attack from a compromised computer. Your attack may end up disabling the computer of a grandmother in Ohio; not much satisfaction there. In addition, there is always a chance that the attacker may actually want you to know the final IP address and hope that you will, indeed, attack it. The attacker may have some enemy that he wants to cause problems for, either with the authorities or through the result of a strikeback. In this case, you may be playing right into the attacker’s hands.

Nevertheless, hacked companies realize that the authorities often don’t have the time or the expertise to track down an attacker. In such cases, they may seek out security companies or individual hackers that are willing to help out with “active defense”. “You don’t have a malware problem. You have an adversary problem”, so goes the motto of Crowdstrike, a company that used to be known for its hack back capabilities. However, due to legal restrictions, they have changed their marketing style, and it is now difficult to find out whether they will or will not help you with a strikeback attack. They do promise to engage with the hacker while the attack is going on, however. Endgame is another company that was once known for its cyber weaponry, but the murky prose on its website makes it unclear whether they will offer you any hack back options either.

That said, Endgame has been encouraging the government to be more lenient in its strikeback regulations. Chris Rouland, Endgame’s founder, last year said, “I do think eventually we need to enable corporations in this country to be able to fight back.” He added that companies are “losing millions of dollars and it’s so challenging for governments to help them. I think we have to enable them to do it themselves.”

It would certainly work to Endgame’s advantage to legalize strikeback. Endgame’s main product is a software program called Bonesaw, which, to be honest, it is not clear whether they still market, secretly or otherwise. This program is built to pinpoint where (server, computer) an attack is coming from and list the software that’s running on it. It will then list all the vulnerabilities that have been found in each of those software programs. This seems like it would be a perfect tool to use and market if hack back becomes legalized. But what are the chances that this will happen? Well, those chances seem to be getting better with every new hack that the media reports.

The proposed Cyber Information Sharing Act seems to leave the idea of active defense more open. As former National Security Agency general counsel Stewart Baker recently remarked, “I have a strong sense from everything I’ve heard. . . that they’re much more willing to help companies that want to do this.” Some forms of cyber counterattack may be more acceptable than others. Beaconing is placing a one-pixel, colorless tag on a web page, email, or sensitive document that can later be used to track down the location of whoever stole that document. Such unobtrusive attacks may not lead to prosecution; besides, as Baker has noted, “The real question is whether victims can be criminally prosecuted for breaking into their attacker’s machine. And here the answer is: Surely not. Even if you could find a federal prosecutor wacky enough to bring such a case.” You’d also have to wonder whether the counterattacked hacker would be wacky enough to report the attack. How much sympathy would you suppose they would get? The opposing view points out that innocent parties may be hurt in a counterattack, which could lead them to file lawsuits against the enterprises that injured them. However, Baker thinks that this possibility of attacking an innocent party “simply gives an immunity to attackers.” An nCircle survey of 181 attendees at the Black Hat USA security conference in 2012 found that 36 percent of respondents had engaged in “retaliatory hacking” on at least one occasion. This seems to indicate that companies are including cyber counterattacks in their security strategy, whether they are legal or not.
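The beacon described above works because a mail client or browser fetches the tiny image from the owner’s server, revealing the fetcher’s address. The flip side, for anyone on the receiving end, is that the same one-pixel trick is used by ordinary marketing trackers and by phishing kits to confirm that a message was opened, so a defender wants to spot and strip such images before they are rendered. The Python below is an added example written for this post, not code from the article or from any of the companies it mentions; the HTML email body and the `.test` hostnames are constructed sample data. It flags `img` elements that are 1x1 or smaller (by attribute or inline CSS), hidden via CSS, or carry a query string that could hold a per-recipient token.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body with one legitimate logo image
# and two candidate tracking pixels. Hosts under .test are fictional.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Quarterly figures attached.</p>
<img src="https://cdn.example-corp.test/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example-analytics.test/open.gif?rid=7f3a9c" width="1" height="1" alt="">
<img src="https://track.example-analytics.test/pixel.png" style="display:none;width:1px;height:1px">
</body></html>
"""


def _px(value):
    """Parse an attribute or CSS length such as '1', '1px', ' 200 ' into an int, else None."""
    if value is None:
        return None
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return int(float(v))
    except ValueError:
        return None


def _css_length(style, prop):
    """Pull a single property (e.g. 'width') out of an inline style string."""
    m = re.search(r"(?:^|;)\s*%s\s*:\s*([^;]+)" % prop, style)
    return _px(m.group(1)) if m else None


class BeaconFinder(HTMLParser):
    """Collects <img> tags whose size, styling or URL suggests a tracking beacon."""

    def __init__(self):
        super().__init__()
        self.suspects = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lower-cases attribute names
        src = a.get("src", "")
        style = a.get("style", "").lower()
        reasons = []

        # Dimensions from width/height attributes, falling back to inline CSS.
        width = _px(a.get("width"))
        if width is None:
            width = _css_length(style, "width")
        height = _px(a.get("height"))
        if height is None:
            height = _css_length(style, "height")
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("1x1 or smaller")

        if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", style):
            reasons.append("hidden by CSS")

        parsed = urlparse(src)
        if parsed.query:
            reasons.append("query string (possible per-recipient token)")

        if reasons:
            self.suspects.append({"src": src, "host": parsed.hostname or "", "reasons": reasons})


def find_beacons(html):
    """Return a list of suspect images, in document order, with the reasons each was flagged."""
    parser = BeaconFinder()
    parser.feed(html)
    parser.close()
    return parser.suspects


def beacon_hosts(html):
    """Distinct hosts that the suspect images would contact when rendered."""
    return sorted({s["host"] for s in find_beacons(html) if s["host"]})


if __name__ == "__main__":
    for s in find_beacons(SAMPLE_EMAIL_HTML):
        print(f"{s['host']:35} {s['src']}\n    -> {', '.join(s['reasons'])}")
```

A mail gateway or a mail client extension can run `find_beacons` over each HTML part and either drop the flagged tags or rewrite them so the remote fetch never happens; `beacon_hosts` gives the list of domains worth blocking at the proxy. The size and CSS heuristics deliberately ignore `alt` text and file names, since those are trivially changed by whoever plants the pixel.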

Companies such as Endgame and Crowdstrike base their methodology on identifying an attack in progress and using the mode of attack as a way of identifying the attacker. Attackers tend to follow predictable attack patterns from which they can be identified. It is kind of like leaving their fingerprints. Now, let’s take this idea one step further. Imagine that you could instantly identify a known attacker and strike back at them the moment they initiated an attack, and imagine that you could do this automatically, without any human intervention. Well, if the latest revelations from Andrew Snowden are correct, this is what the U.S. government is doing to protect its own networks. The program, called MonsterMind, virtually stops attacks before they happen. In fact, if they could analyze the traffic on the entire internet, they could potentially design an algorithm that would not only stop their own networks from being attacked, but stop attacks on American companies and other institutions as well.

As ideal as such a system may seem at first glance, there are, perhaps unsurprisingly, problems. There is the possibility that a massive counterattack against a nation state could escalate into a true cyberwar. In addition, collateral damage could take out important infrastructure, which could hurt the public and make the counterattack look worse than the original attack. And, finally, there’s the privacy concern. Having knowledge of the entire internet means control over the entire internet and all messages traveling within it.

One reason that the government is probably shying away from permitting such retaliatory strategies may be that a company could inadvertently launch a strikeback against a nation state. After all, it’s not unheard of for foreign governments to launch attacks against companies. The attacked nation may assume the attack was organized by the US government, and, well, you wouldn’t want your company accused of starting a massive cyberwar, would you? So for now, although the momentum appears to be shifting towards granting some forms of strikeback to companies and organizations, I wouldn’t expect unlimited attacks to be allowed in the near future.
