A recent article on Network World entitled “Is Retaliation the Answer to Cyber Attacks” presented an interesting concept from French-based firm TEHTRI-Security—that of businesses and other organizations actively responding to criminal attacks by exploiting vulnerabilities in criminal networks and possibly deploying those same tools that criminals use to illegally acquire information, disrupt business, and steal money.
We appreciate that, of course. Everybody wants to strike back, and this is a very natural emotion. Simply compare how you might behave should somebody attack you or your family on the street. Meanwhile, the security industry delivers clean, legitimate solutions that help mitigate and prevent every emerging threat, though they cannot guarantee to eradicate 100 percent of them, and this does not address that emotional need.
We do understand why some organizations may consider such a response to criminal attacks. In our view, though, deploying attack tools against attackers presents the same moral consideration whether it is used in a physical or a digital response. If everyone were to attack their attackers, we would likely find ourselves in an all-out digital conflict.
There are further issues that need to be presented and considered before anyone takes a decision such as this.
Reacting to such an incident in this way can potentially worsen the situation. Frequently, such attacks are carried out by criminal organizations with greater resources and money than even the largest enterprise.
When you strike back, are you ready to accept the blackhat revenge?
You may be confronted by a massive distributed denial-of-service (DDoS) attack that can take you out of business for weeks. You may be confronted by a hacking attack or other cyber activities that you do not want to be exposed to.
And do you really know who your attacker is? They may well be a powerful Mafia organization. Criminals have long demonstrated that they lack moral fiber. Is there any reason to believe they will not use other illegal tactics in their counter response?
Then there is a legal consideration, not for the criminal, who does not care about law and order, but for you: the use of hacking tools in a revenge attack is not legal. That you are a victim does not justify the violation of law, and such a violation can place you at risk of legal action and can seriously damage your organization’s reputation and your own.
In short, a pure counterstrike does not do its job and may increase the security, professional, and personal risks for the one who retaliates.
While there is no easy answer to the cybercriminal onslaught, at Trend Micro, we actively collaborate with Internet organizations, security industry partners, and law enforcement agencies around the world to stop these criminal activities.
And by working together with our customers to expand the global network of sensors that feed information to the Trend Micro™ Smart Protection Network™, we are committed to offering the best protection whenever, wherever, and however our customers connect.