For any organization that has ever been on the receiving end of malicious cyber activity, the first question asked is “what can we do?” Classical IT wisdom has always preached strong defensive measures. We employ email filters in the hope of stemming the never-ending flow of infected spam. We rely on intrusion detection systems to notify us of unauthorized access. We are told to always encrypt data lest it be stolen. These measures are what most would consider “passive defense.” The US Department of Defense (DoD) defines passive defense as “measures taken to reduce the probability of and to minimize the effects of damage caused by hostile action without the intention of taking the initiative.” No matter how much time, energy and money we invest in protecting our digital borders, we can never be 100% secure. The best these measures can hope to accomplish is to minimize the damage when an attack does occur.
The real question isn’t whether we will get “hacked,” it is how we will respond when it happens. All too often our only response is to block suspicious traffic and “quarantine” infected or compromised systems. Are these limited responses really our only options? Is there more to a strong cyber defense than antivirus software and blocking IP addresses? Perhaps it’s time to start considering a strong active cyber defense. The military definition of active defense is “the employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.” In simple terms, the best defense is a strong offense.
Is it even possible to “hack back?” Simply put, yes it is. Why can’t we employ the same tactics that our adversaries employ against us? Legalities aside, what is keeping us from pushing back? Following the “phases of hacking,” we begin our campaign by conducting reconnaissance. Simple lookups of offending IPs can reveal a wealth of information about our adversary, such as country of origin and Internet Service Provider. Next we move on to network scans of our suspected targets. These scans can reveal the operating system in use and even open or potentially vulnerable ports. At this point we hold a lot of very useful information that law enforcement or legal teams could use to strike back at our target through legal channels. The same information could also be used to continue the hacking process and eventually gain access to target systems.
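The first reconnaissance step described above (looking up an offending IP’s ISP and country of origin and handing the result to legal or law-enforcement teams) is, from the defender’s side, routine incident triage. The following added example is not from the original article; it shows that step done offline. It pulls source addresses out of constructed firewall “deny” lines, discards internal addresses that could never identify an outside adversary, enriches the rest against a constructed ASN/country table that stands in for a WHOIS, RDAP or GeoIP query, and produces rows suitable for a referral. Every log line, IP address, ASN and ISP name below is constructed for illustration.

```python
"""Offline triage of offending source IPs from constructed firewall log lines.

Added example (not from the original article). The log lines, addresses and
the ASN/country table are constructed; a real workflow would replace the
table with a WHOIS/RDAP or GeoIP lookup.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in a generic "firewall deny" format.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z DENY src=203.0.113.45 dst=192.0.2.10 dport=22",
    "2024-05-01T10:00:02Z DENY src=203.0.113.45 dst=192.0.2.10 dport=22",
    "2024-05-01T10:00:03Z DENY src=198.51.100.7 dst=192.0.2.10 dport=3389",
    "2024-05-01T10:00:04Z DENY src=10.0.0.5 dst=192.0.2.10 dport=445",
    "2024-05-01T10:00:05Z DENY src=203.0.113.45 dst=192.0.2.11 dport=23",
    "2024-05-01T10:00:06Z DENY src=not-an-ip dst=192.0.2.11 dport=23",
]

# Constructed stand-in for a WHOIS/GeoIP answer, keyed by CIDR (hypothetical values).
ASN_TABLE = {
    "203.0.113.0/24": {"asn": "AS64500", "isp": "Example Transit Ltd", "country": "XX"},
    "198.51.100.0/24": {"asn": "AS64501", "isp": "Example Hosting Inc", "country": "YY"},
}

# Explicit internal ranges (RFC 1918, loopback, link-local). Listed by hand rather
# than via ipaddress.is_global because the constructed samples use documentation
# ranges, which that property also treats as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=\S+\s+dport=(?P<dport>\d+)")


def extract_sources(lines):
    """Return {src_ip: Counter(dport -> hits)} for external source addresses only."""
    hits = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # malformed field; skip rather than abort the whole triage run
        if any(ip in net for net in INTERNAL_NETS):
            continue  # internal host or spoofed source, not an outside adversary
        hits.setdefault(str(ip), Counter())[int(m.group("dport"))] += 1
    return hits


def enrich(ip_str, table=ASN_TABLE):
    """Longest-prefix match of ip_str against the (constructed) lookup table."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for cidr, info in table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else {"asn": "unknown", "isp": "unknown", "country": "unknown"}


def build_report(lines):
    """Combine hit counts and enrichment into rows for a legal/law-enforcement referral."""
    rows = []
    for ip_str, ports in extract_sources(lines).items():
        rows.append({
            "src": ip_str,
            "total_hits": sum(ports.values()),
            "ports": sorted(ports),
            **enrich(ip_str),
        })
    rows.sort(key=lambda r: r["total_hits"], reverse=True)  # most active source first
    return rows


if __name__ == "__main__":
    for row in build_report(SAMPLE_LOGS):
        print(row)
```

The report deliberately stops at enrichment: it records who owns the offending address space and how persistent the activity was, which is what a referral to an ISP’s abuse contact or to law enforcement needs, without touching the remote host.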
Of course I would never advocate the use of force to enter someone else’s systems. The unauthorized access of a computer system is a crime and could be punishable by fines or imprisonment.