In sport, sometimes the best defence is a good offence, but since hacking is considered illegal, organisations under a cyber attack only have defensive options. Or do they? A legal expert says retaliatory hacking might not be illegal in Australia.
The general rule for penetration testers, or hackers who make a crust breaking into others' computers, is don't hack unless you've got consent.
"We can hack when we have permission to do it," says Rob McAdam, chief executive of penetration-testing firm PureHacking.
McAdam says he's been asked twice over 11 years to "hack back". "They were international sources that asked us to help with domestic circumstances, but both times we refused."
"White hat" hacking services such as those McAdam and others provide help customers mitigate vulnerabilities, such as unpatched software, that "blackhat" or bad hackers could exploit.
"Hack back" on the other hand moves the battle beyond the victim's network to the attacker's turf. The thinking goes that a company could eliminate a competitive technology that was born out of its stolen IP.
Matt Keil, senior research analyst with Palo Alto Networks, previously told Fairfax Media he did not recommend it.
"I don't think companies should venture down that path. At a government level, this type of probing and poking has been going on for many years. I wouldn't condone attacking other organisations at government or company level," Keil says.
Questions over the legality of cyber retaliation linger for lawmakers in Australia and the US. Supporters say it's a necessary evolution in the fight against malicious hackers who only need to find the weakest point to gain entry. One employee who opens a malware-laden phishing email could be enough.
Earlier this year, a US private commission on intellectual property argued that laws and law-enforcement couldn't keep pace with nimble hackers, and petitioned for legal reform that would permit acts of self-defence if law enforcement support was limited.
Alongside calls in the US for more freedom to hack back, a new breed of security company has emerged promising "active defence". FireEye is one example, but the best-known is CrowdStrike, which promises to identify hackers, reveal their intent and disrupt their intrusion.
"It's less about trying to keep them out and more about being able to hunt them down and limit the damage that they're able to do," CrowdStrike CEO George Kurtz told Fairfax Media recently. "You want to make it really costly for them to get in and you want to be able to identify them very quickly and eradicate them from the network."
While the company has mocked "passive defence", it's also been careful to avoid claiming it actually offers hack back services due to the tough stance the US takes on hacking.
"There isn't much 'hack back' going on in the real world these days," says H.D. Moore, chief researcher at US penetration testing firm Rapid7 and founder of Metasploit, a popular attack toolkit both blackhat and whitehat hackers use for remote intrusion, either to improve or break defences.
"Hack back is illegal as hell in the US, and even if you're military or intelligence, it's illegal until you get approval directly from the executive branch," he adds.
In Europe things are a little looser. "Their perspective is that no one's going to go after them if they're hacking bad guys, so they just sit around and hack Syria all day or Iran," Moore says.
Unlike the US, Australian organisations may have an option to fight back, according to Dr Alana Maurushat, a senior lecturer at UNSW's Law Faculty, who has contributed to cyber elements of Australia's Model Criminal Code (MCC).
"Depending how it is done, it may not be illegal," Dr Maurushat tells Fairfax Media, pointing to a 2001 MCC Officers Committee report, which considered that "computerised counter attack against cybernet intruders" could be construed as self-defence.
According to Dr Maurushat's research, hack back is fairly common in Australia. She cites an anonymous survey at the 2009 AusCERT security conference where 20 per cent of the audience said they had used hack back. And since it's already happening, she's advocating legislation that permits it if it meets several conditions such as "sufficient attribution of the source of an attack" and "reasonable, proportionate and necessary" measures that also avoid damage to unintended third-parties.
Those are tricky to meet though. A report last week claimed 32 per cent of targeted attacks in the second quarter of 2013 involved a command and control server located in Australia. Chances are that many of these were actually compromised servers, not willing attackers.
Marcus Carey, a former cryptography expert at the NSA, explained the issue to Fairfax Media.
"When I was at NSA I had a co-worker try to hack back and he was actually hacking an American Oil company that had been compromised."
His rule: don't hack targets outside your network. But he adds: "You should be tracking all enemy activity such as keystrokes and all other traffic. This is where honeypots come into play."
Honeypots are decoy simulated environments designed to lure attackers. Researchers can use them to study attackers' means and methods, but they do have limits.
"Fully automated simulations of a real network cost a lot and can be rather quickly discovered and blacklisted by the attackers. That is why they are not widely used," says Vitaly Kamluk, chief malware analyst at Kaspersky Lab's Global Research & Analysis Team in Russia.
Nonetheless, Carey and McAdam have released honeypot-inspired "active defence" tools that alert customers when their information is stolen. Carey's HoneyDocs rigs decoy documents with a 'call back' feature that tells owners when the document has been accessed. McAdam's tool crawls the web for stolen data.
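To show how a "call back" decoy document of the kind described above can be built and turned into an alert, here is an added example (not HoneyDocs' or PureHacking's code). It assumes a hypothetical beacon host you control, `canary.example.invalid`, and signs each token so that a forged callback cannot generate a false alert.

```python
import hmac, hashlib, secrets
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

# Hypothetical beacon endpoint (assumption): a web server you run that
# receives the document's call-back and passes the request to on_callback().
BEACON_HOST = "https://canary.example.invalid/b"


class HoneyDocRegistry:
    """Mints per-document beacon tokens and turns call-backs into alerts."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._docs = {}  # token -> metadata about where the decoy was placed

    def mint(self, label: str, placed_at: str) -> str:
        """Create a unique, signed beacon URL for one decoy document."""
        token = secrets.token_hex(8)
        sig = hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()[:16]
        self._docs[token] = {"label": label, "placed_at": placed_at, "sig": sig}
        return f"{BEACON_HOST}?t={token}&s={sig}"

    def decoy_html(self, label: str, placed_at: str) -> str:
        """A decoy page whose invisible remote image fires the call-back on open."""
        url = self.mint(label, placed_at)
        return (f"<html><body><h1>{label}</h1>"
                f'<img src="{url}" width="1" height="1"></body></html>')

    def on_callback(self, request_url: str, remote_addr: str, user_agent: str):
        """Validate an incoming beacon request; return an alert dict or None."""
        q = parse_qs(urlparse(request_url).query)
        token, sig = q.get("t", [""])[0], q.get("s", [""])[0]
        meta = self._docs.get(token)
        if meta is None or not hmac.compare_digest(meta["sig"], sig):
            return None  # unknown or forged token: log quietly, don't page anyone
        return {
            "alert": "decoy document opened",
            "document": meta["label"],
            "placed_at": meta["placed_at"],
            "remote_addr": remote_addr,
            "user_agent": user_agent,
            "seen_at": datetime.now(timezone.utc).isoformat(),
        }
```

The `remote_addr` in the alert is evidence of where the document was opened, which is the kind of data the article later suggests handing to police rather than acting on directly.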
Another Australian company, Threat Intelligence, has launched a new online product that tracks hackers around the world and sends mobile and email alerts to users of its Threat Analytics about attacks against their websites before they begin. It includes hacker profiles and the types of attacks they usually perform.
"We are experiencing a shift in the global threat environment. To prevent falling behind and falling victim to a security breach, organisations need to mature their thinking beyond traditional security controls and into the era of threat management," says Ty Miller, Threat Intelligence founder and CEO.
McAdam says clients are better informed.
"Where we do find a piece of information, we hand it to the client [who] hands it over to the police and they go do their job. That's a completely appropriate way to do 'hack back'," says McAdam.
But what if you've collected attack data and don't get any joy from the cops?
"Your best recourse is to dump it publicly," says Moore. "Just publish it all and say hey guys, we're seeing attacks from this company in China, or Malaysia, or wherever it's going to be, and document it and back it all up. The press is probably the best thing you can do at that point."
- FFX Aus