Striking Back in Cyberspace: Sanctioned or Vigilantism?

Tuesday, June 26, 2012

Joel Harding


Your corporation has just been probed, broken into, and highly sensitive proprietary intellectual property (IP) has been copied and/or destroyed.

Whoever took the IP now has the information for pennies on the dollar: they did not have to invest perhaps millions of dollars and years of research and development, conducting experiments or finding just the right combination of materials or techniques.

They now have a finished product. If you were about to go into production, your competitor might beat you to market with a product before you can. They also have a much lower overhead and can sell a similar product far cheaper than you.

What do you do?

You can report the incident to the police, who will probably take your hard drives to obtain forensic evidence. If they are really good, they’ll keep you informed at each step of their investigation. Probably, however, they will keep you in the dark, citing the need not to disclose information during an active investigation.

It may or may not be their number one priority. After a while, ranging from weeks to months, they will return your hard drives and you can resume progress. Sure, you’ve lost weeks or months, your partners might have lost patience and your customers might not trust your security, but business must go on.


You can strike back. By hiring your own security team, you can discover, to your own satisfaction, who broke into your system. This is easily accomplished by establishing a honeypot: replicate your system and plant decoy ("ghost") files in it. Not only will this tie up your infiltrators and waste a significant amount of their time, but you can also learn more about their techniques and track where they are.


Knowing you are about to be hacked (again), you can plant false information on your system. A file named Negotiating Strategy.doc would be a great way to make your opponent believe they knew your negotiating strategy for a certain contract. This gives you the upper hand…
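The two ideas above, decoy files in a replicated system and a planted document such as Negotiating Strategy.doc, come together in what is often called a honeytoken: a decoy that has no legitimate reader, so any access to it is a high-confidence alert, and that carries a unique marker so a copy surfacing elsewhere can be traced back to the deployment it came from. The following is an added example and not code from the original post; it assumes a constructed, simplified JSON-lines file-access log (one object per line with `ts`, `user`, `path`, `op`), so a real audit source such as Linux auditd or Windows object-access auditing would need its own parser. All paths, account names and log lines are constructed for the example.

```python
"""Decoy (honeytoken) documents plus a detector for access to them.

Added illustration, not the original author's code. The log format below is
a constructed stand-in for a real file-access audit trail.
"""
import json
import secrets
from pathlib import Path

# Decoy documents to plant. Names are chosen to look valuable to an intruder;
# the paths are constructed for this example.
DECOY_PATHS = frozenset({
    "/srv/share/Negotiating Strategy.doc",
    "/srv/share/Acquisition Targets 2012.xlsx",
})

# Constructed sample of the simplified JSON-lines access log assumed here.
SAMPLE_LOG = """
{"ts": "2012-06-25T23:58:12Z", "user": "svc_backup", "path": "/srv/share/Negotiating Strategy.doc", "op": "read"}
{"ts": "2012-06-26T02:14:09Z", "user": "jdoe", "path": "/srv/share/Q3 Report.doc", "op": "read"}
{"ts": "2012-06-26T02:15:30Z", "user": "web_dav", "path": "/srv/share/Negotiating Strategy.doc", "op": "copy"}
{"ts": "2012-06-26T02:15:31Z", "user": "web_dav", "path": "/srv/share/Acquisition Targets 2012.xlsx", "op": "copy"}
this line is not JSON and must not crash the scanner
"""


def make_decoy(name):
    """Build the body of one decoy file and the random token embedded in it.

    The token is what makes a leaked copy attributable: it is unique per
    deployment and appears nowhere else in the company's real documents.
    """
    token = "DECOY-" + secrets.token_hex(8)
    body = (
        "CONFIDENTIAL - internal use only\n"
        f"Document: {name}\n"
        f"Reference: {token}\n"  # reads like a document control number
        "Contents are deliberately fictitious.\n"
    )
    return body, token


def plant_decoys(root):
    """Write every decoy under `root` and return {written_path: token}."""
    tokens = {}
    for path in sorted(DECOY_PATHS):
        target = Path(root) / Path(path).name
        body, token = make_decoy(target.name)
        target.write_text(body)
        tokens[str(target)] = token
    return tokens


def parse_event(line):
    """Parse one JSON log record; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def detect_decoy_access(log_lines, decoy_paths=DECOY_PATHS, authorized_users=frozenset()):
    """Return (ts, user, path, op) for every access to a decoy by an account
    not on the allow list. Decoys have no legitimate readers (other than, say,
    the backup job), so each hit is a strong signal rather than a heuristic."""
    alerts = []
    for line in log_lines:
        event = parse_event(line)
        if event is None:
            continue
        if event.get("path") in decoy_paths and event.get("user") not in authorized_users:
            alerts.append((event.get("ts"), event.get("user"), event.get("path"), event.get("op")))
    return alerts


def trace_token(text, tokens):
    """Given text recovered from outside the company, return the decoy path
    whose token it contains, or None if it carries none of our tokens."""
    for path, token in tokens.items():
        if token in text:
            return path
    return None


if __name__ == "__main__":
    import tempfile

    planted = plant_decoys(tempfile.mkdtemp())
    for path, token in planted.items():
        print(f"planted {path} with token {token}")
    for alert in detect_decoy_access(SAMPLE_LOG.splitlines(), authorized_users={"svc_backup"}):
        print("ALERT: decoy accessed:", alert)
```

Run stand-alone, the script plants the decoys in a temporary directory and reports the two `web_dav` copy events from the sample log while ignoring the backup account's read and the malformed line. The token check is the defensive half of "track where they are": it says nothing about the intruder's location, but it does tell you which planted document a leaked copy descends from.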

According to a recent Reuters report, these are only a few of the ways a corporation can “fight back”.

So what?

Everything I have outlined here is perfectly legal and won’t get you in hot water.  If you were to attach malware to a file you knew was going to be taken, this begins to take on the appearance of vigilantism.  If you were to hire a team of hackers, break into your competitors’ system and destroy everything, you’ve now broken the law.

While taking the offense and destroying a competitor’s system is always tempting, this is tantamount to warlike action in cyberspace; you’ll probably be caught, and you’ll probably suffer. I’ve heard rumors, for decades now, of vigilantism in cyberspace. Are they true? ‘not saying…

Cross-posted from To Inform is to Influence

Jayson Wylie: This puts the scenario in better light than my previous understanding of the intent of strike back.

I consider honeypots to be a sound idea and feel it is a defensive tactic unless it dishes out a Remote Access Trojan to the attacking element in the name of investigation.

I feel the government could do something like that, and sanctioned honeypots run by the FBI/DoD could sit in many of the companies whose designs and IP are extracted, creating IMO a national security incident.

I feel companies need to step up a bit on threat detection, forensics and evidence gathering.

I would say count on the FBI or other crime bodies to find the criminals, but I also feel it is important for a company to be able to detect compromise, assess damages or loss and begin the investigation on the incidents.

Many times I feel like I'm chasing ghosts but feel we have to have 'due care' with the evidence gathered on even insignificant events.

Corporations maybe should invest more in their people, and I'm not sure where to learn the things I do without just doing it. Security isn't all about IS actions and technical pen testers. There need to be some detectives on staff.

I like to be termed a security researcher or threat detection.