Some Firms Giving Hackers a Taste of Their Own Medicine

Some IT pros think that the best defense against hackers is a good offense, and some deception plays might work well too.

One of the great sports cliches is the best defense is a good offense. I’m not sure that’s always true actually, but Reuters reported this week that it’s a strategy being employed increasingly by companies to at least punish hackers who get inside their defenses.

The idea is to fight back, rather than simply wait for government or law enforcement to intervene, which so far at least, has been mostly ineffective in stopping hackers from having their way with just about anyone, anywhere, any time.

Some firms are taking a legal proactive approach, but according to the Reuters’ article some are using the same methods as the hackers they are trying to fight. In fact, Forbes reported last week that many firms are openly recruiting “black hat” hackers into their firms:

“Defense contractor giant Raytheon is looking for a “Unix Attack developer.” TeleCommunications Systems wants a “Windows Attack/Exploit Developer.” NSA contractor SAIC seeks a “Red Team Developer.” All three of those companies’ job descriptions include the phrase: “analyzing software for vulnerabilities as well as development of exploit code,” Forbes reported.

But you don’t have to hack the hacker to win this battle. Instead, you can play games with them and let them think they are getting at valuable information. The idea is once you know a hacker has penetrated your firewall, you can play cat and mouse with him or her, let the hacker think they are getting something  beneficial, or even misdirect them by letting them at files with information that’s deliberately wrong.

Trying to misdirect hackers is probably a better strategy than developing your own hacking strategies, which could after all come back to bite you, as the US government found with the Stuxnet virus. When reports surfaced that US helped create it, as Computerworld reported, it could now be a target for hackers (as though it weren’t before that) who want revenge.

That’s why as a private company, you might want to be careful which tack to you take. First of all, it’s never a good idea to run afoul of the law. Second of all, you don’t have to be as bad as the hackers to stop the hackers.

If your defenses aren’t working, it’s time to develop better ones, which might be a more sensible use of resources than recruiting and hiring hackers.  If you don’t trust the technology that’s out there today to protect your firm’s systems, then perhaps deception is the next best defense.

Going after hackers using their own methods is something you want to stay away from, no matter how tempting it may sound. IT should be in the job of protecting systems, not attacking them.

What do you think? Should IT get in the hacking business?

3 Comments

  1. Chris Halbersma says:

    This is 100% defensible. If I hit you feel free to hit me back. There’s no reason that one can’t attack an attacker. This is castle law and it’s what made America lawful othertimes in history while the law caught up.
    You think that the wild west became lawful because of the law? No it became lawful because the lawbreakers learned that lawbreaking could get them killed. Same concept here.

  2. Johnson says:

    Companies (and foremost defense companies) are surely not only after hacking hackers when they post such a job description. The exploit market has grown into a multi-billion dollar market and private contractors want their share. This is about making money and military power, not the retribution against a single individual.

  3. Legion says:

    Black hat hacker or cracker.
    I don’t think that hackers like Linus Torvalds or Steve Wozniak like to be call criminals.

    I don’t think anyway than making illegal thinks on internet will stop other illegal activities.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>