One of the great sports clichés is that the best defense is a good offense. I’m not sure that’s always true actually, but Reuters reported this week that it’s a strategy increasingly being employed by companies, at least to punish hackers who get inside their defenses.
The idea is to fight back rather than simply wait for government or law enforcement to intervene, which, so far at least, has been mostly ineffective in stopping hackers from having their way with just about anyone, anywhere, any time.
Some firms are taking a proactive legal approach, but according to the Reuters article, some are using the same methods as the hackers they are trying to fight. In fact, Forbes reported last week that many firms are openly recruiting “black hat” hackers:
“Defense contractor giant Raytheon is looking for a “Unix Attack developer.” TeleCommunications Systems wants a “Windows Attack/Exploit Developer.” NSA contractor SAIC seeks a “Red Team Developer.” All three of those companies’ job descriptions include the phrase: “analyzing software for vulnerabilities as well as development of exploit code,” Forbes reported.
But you don’t have to hack the hacker to win this battle. Instead, you can play games with them and let them think they are getting at valuable information. The idea is that once you know a hacker has penetrated your firewall, you can play cat and mouse with them: let them think they are getting something beneficial, or even misdirect them by letting them at files with information that’s deliberately wrong.
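The deception approach described above also has a detection payoff: if the “deliberately wrong” information includes account names that exist nowhere on the network, any attempt to use them proves that the bait file was read. The following is an added example, not code from the original article or from the Reuters or Forbes reports it cites; the decoy account names, the bait file paths and the sample authentication log lines are all constructed for illustration.

```python
import re
from collections import Counter

# Decoy usernames planted in bait files (hypothetical names and paths).
# None of these accounts exists on any real system, so any login attempt
# using one is a high-confidence signal that the bait file was read.
DECOY_ACCOUNTS = {
    "svc_backup_ro": "finance/backup-notes.txt",
    "admin_legacy": "it/old-admin-creds.txt",
}

# Constructed sample of sshd-style authentication log lines: legitimate
# logins mixed with attempts that use the decoy account names.
SAMPLE_AUTH_LOG = """\
Jun 03 10:01:12 web01 sshd[2211]: Accepted publickey for deploy from 10.0.4.7 port 51022 ssh2
Jun 03 10:02:45 web01 sshd[2219]: Failed password for invalid user svc_backup_ro from 203.0.113.9 port 40110 ssh2
Jun 03 10:02:49 web01 sshd[2219]: Failed password for invalid user svc_backup_ro from 203.0.113.9 port 40110 ssh2
Jun 03 10:05:03 web01 sshd[2230]: Accepted password for alice from 10.0.4.8 port 51100 ssh2
Jun 03 10:07:17 db01 sshd[4102]: Failed password for admin_legacy from 203.0.113.9 port 40121 ssh2
"""

# Matches both "Accepted <method> for <user>" and
# "Failed <method> for [invalid user ]<user>" forms.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth_line(line):
    """Return the fields of one sshd auth line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_decoy_hits(log_text, decoys=DECOY_ACCOUNTS):
    """Return every auth record whose username is a planted decoy.

    Success or failure of the attempt is irrelevant: the account does not
    exist, so the mere attempt is the alert.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_auth_line(line)
        if rec and rec["user"] in decoys:
            rec["bait_file"] = decoys[rec["user"]]
            hits.append(rec)
    return hits


def sources_by_hits(hits):
    """Count decoy-account attempts per source address, to see who read the bait."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    hits = find_decoy_hits(SAMPLE_AUTH_LOG)
    for h in hits:
        print(f"ALERT {h['ts']} {h['host']}: decoy account {h['user']!r} "
              f"(planted in {h['bait_file']}) tried from {h['src']} ({h['result']})")
    print("attempts per source:", dict(sources_by_hits(hits)))
```

The design point is that a decoy works best when it is unique to one bait file: mapping each planted name back to the file it came from tells you which share or directory the intruder reached, not just that someone is inside.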
Trying to misdirect hackers is probably a better strategy than developing your own hacking capabilities, which could, after all, come back to bite you, as the US government found with the Stuxnet virus. Once reports surfaced that the US helped create it, as Computerworld reported, it could now be a target for hackers (as though it weren’t before that) who want revenge.
That’s why, as a private company, you might want to be careful which tack you take. First of all, it’s never a good idea to run afoul of the law. Second of all, you don’t have to be as bad as the hackers to stop the hackers.
If your defenses aren’t working, it’s time to develop better ones, which might be a more sensible use of resources than recruiting and hiring hackers. If you don’t trust the technology that’s out there today to protect your firm’s systems, then perhaps deception is the next best defense.
Going after hackers using their own methods is something you want to stay away from, no matter how tempting it may sound. IT should be in the business of protecting systems, not attacking them.
What do you think? Should IT get in the hacking business?