Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98



Should You Pursue Your Attacker?

Perhaps as a security officer, you daydream about spending endless hours tracking down and catching intruders. You envision yourself being rewarded by company executives for heroic actions and ingenuity, which led to the recovery of important intellectual property or money. And you do all of this in a few long nights and still have time to make your tee time on Saturday morning.

Reality is far from this fantasy. Just read about how much time Cliff Stoll spent in one of the most interesting cases to date (Stoll, 1989). Going after a serious attacker is not for the faint-hearted. The number of levels of indirection a cracker will build up to hide his true identity can be mind-boggling. You might think you’re after a university student when the real hacker is actually in another country. Someone who is serious about remaining anonymous will use stolen credit card numbers, phony names, forged cellular phone access, and temporary Internet accounts. By the time you trace back to the culprit, the switch already has been made to another facade at another ISP.

This information is not intended to discourage you from pursuing criminals who attack your systems. Instead, the purpose is to ensure that you have a dose of reality to go with your zeal. After you decide to involve law enforcement agencies, consultants, and others outside the scope of your company, costs can escalate. Often phone lines are involved, which means that you need permission to trace phone calls, tap lines, or use other legally daunting techniques to catch the intruder. Most hacks span multiple sites, so you’ll be forced to work with other systems administrators—some of whom may not want to be cooperative.

In some computer crime cases, a mousetrap was set up to capture the intruder. Allowing someone to access your systems, even if you think they are in a protected subnet, can introduce greater risks. The delightful story of Berferd (Cheswick, 1992) describes how AT&T allowed a cracker to wander through some designated machines. Stoll (1989) set up similar juicy bait, such as fake memos on national security topics. If you decide to give hackers access to some of your systems in an effort to better track them down, make sure that you have approved the activity with senior management at your site and involve local law enforcement. Know the legal implications for your company, which certainly will be confounded if you knowingly give the intruder access.

Some commercial products boast automated responses, such as reverse SATAN scans. Absolutely do not do this! Intruders work from compromised systems or temporary accounts at an ISP, not from Linux boxes in their basements. When you reverse scan or reverse SYN Flood an address, you probably are trashing another innocent victim. You could end up facing a lawsuit from the other site.
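The following is an added example, not code from the book or from any product it mentions, of what a safe automated response looks like in practice: every action the engine can take automatically is confined to the site's own perimeter or its analyst queue, anything aimed back at the apparent source is refused and audited, and perimeter blocks carry a TTL and honour a do-not-block list so that a spoofed source address cannot be used to make the IDS cut off a legitimate peer. The signatures, action names, addresses and policy table are all constructed for illustration.

```python
"""Added example (not from the book): an IDS response engine whose automatic
actions never leave the local perimeter. Signatures, action names, addresses
and the policy table below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

# Actions that touch only our own firewall or the analyst queue.
LOCAL_ACTIONS = {"log", "alert_analyst", "block_inbound"}
# Actions aimed back at the apparent source. That address is usually a
# compromised third party or a throwaway ISP account, so these are refused
# unconditionally and the refusal is recorded in the audit trail.
COUNTER_ACTIONS = {"reverse_scan", "reverse_syn_flood", "probe_source"}
# Constructed signature -> list of automatic responses.
POLICY = {
    "port_scan": ["log"],
    "exploit_attempt": ["alert_analyst", "block_inbound"],
}


@dataclass
class Alert:
    src: str         # apparent source address; may be spoofed or a relay
    signature: str
    when: int        # event time in seconds on a constructed clock


@dataclass
class ResponseEngine:
    block_ttl: int = 3600
    # Addresses never to block even if alerts name them (e.g. upstream DNS or a
    # business partner): an attacker can spoof such a source to trick the IDS
    # into a self-inflicted denial of service.
    never_block: frozenset = frozenset()
    blocks: dict = field(default_factory=dict)    # src -> expiry time
    audit: list = field(default_factory=list)     # (when, src, action, outcome)

    def apply(self, alert, action):
        """Apply one action; returns 'applied', 'refused' or 'skipped'."""
        if action in COUNTER_ACTIONS:
            outcome = "refused"
        elif action not in LOCAL_ACTIONS:
            raise ValueError(f"unknown action: {action}")
        elif action == "block_inbound":
            ipaddress.ip_address(alert.src)          # reject malformed input
            if alert.src in self.never_block:
                outcome = "skipped"
            else:
                # Temporary block only: a relayed or spoofed source should
                # not stay blocked forever.
                self.blocks[alert.src] = alert.when + self.block_ttl
                outcome = "applied"
        else:
            outcome = "applied"                      # log / alert_analyst: record only
        self.audit.append((alert.when, alert.src, action, outcome))
        return outcome

    def handle(self, alert):
        """Run the policy for an alert; unknown signatures are only logged."""
        return [self.apply(alert, a) for a in POLICY.get(alert.signature, ["log"])]

    def is_blocked(self, src, now):
        """Expire stale blocks, then report whether src is currently blocked."""
        self.blocks = {s: t for s, t in self.blocks.items() if t > now}
        return src in self.blocks


if __name__ == "__main__":
    engine = ResponseEngine(never_block=frozenset({"203.0.113.53"}))
    alert = Alert("198.51.100.7", "exploit_attempt", 100)   # constructed alert
    print(engine.handle(alert))                      # ['applied', 'applied']
    print(engine.apply(alert, "reverse_scan"))       # refused
    print(engine.is_blocked("198.51.100.7", 200))    # True
    for entry in engine.audit:
        print(entry)
```

The audit list is the part a practitioner should keep: when an analyst later reviews why a peer was blocked, or why an operator-requested counter-measure never ran, the record answers the question without anyone having to reconstruct events from firewall logs.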

Finally, if you are working for a business that has fiscal responsibility to shareholders, then you must consider whether pursuing someone is a greater financial risk than fixing the problem and letting the attacker go. Security is a practical matter dealing with the financial value of assets and the risk of compromise. Make sound business decisions when you consider whether to spend resources pursuing an attacker.
