Hack attack victims often ask two questions: "Who did it? And can we hack them back?"
But after an attack, with time of the essence for blocking further damage, those are the wrong questions for breached organizations to be asking, says data breach prevention and response expert Alan Brill of the corporate investigations and risk consulting firm Kroll.
"If you spend a bunch of money trying to figure out who did it, how's that going to help you?" he asks. "You're not cops. You're not going to go arrest somebody. You're probably not going to go file civil suits against foreign governments, [so] is that a wise use of funds?"
Focusing on attribution so that an organization can "hack back" - rather than focusing on how to quickly recover from a breach - doesn't make a lot of sense, Brill contends in an interview with Information Security Media Group.
Misguided Calls for Vigilantism
Following this year's belated discovery that Yahoo suffered the biggest known data breach ever, some commentators called for pre-emptive strikes against attackers. Meanwhile, a French ransomware researcher earlier this year described how he'd attempted to infect India-based tech support scammers with Locky ransomware after they allegedly targeted his parents with their online scams.
While this type of "hacking back" vigilantism may earn public plaudits and satiate a desire for revenge, it's often illegal - and it could easily cause collateral damage. In addition, it too often detracts from the rapid triage that must occur following any breach, Brill notes. "The resource in the shortest supply when a breach occurs is time," he points out.
In this interview, Brill also discusses:
- Crisis management steps every organization should take both before and after a suspected breach;
- The legal risks faced by any firm that attempts to hack back;
- Lessons learned from hundreds of data breaches.
Brill is a senior managing director with Kroll's cybersecurity and investigations practice. As the founder of Kroll's global high-tech investigations practice, he has led engagements that range from large-scale reviews of information security and cyber incidents for multibillion-dollar corporations to criminal investigations of computer intrusions. He's also the co-author of a report issued by the nonprofit organization Center for Democracy and Technology titled: "Private Sector Hack-Backs and the Law of Unintended Consequences."