Companies Battle Cyberattacks Using 'Hack Back'

It's something computer security professionals don't want to talk about, and companies won't admit to doing.

It's called a "hack back," when the victim of a cyberattack turns the tables and actively fights back against their attacker.

"This literally is a wild west out there," Greg Hoglund, a cybersecurity specialist, told CNBC.

Hoglund is the founder and former CEO of HBGary and has worked on cybersecurity for the Pentagon and the U.S. intelligence community.

"When I think of hack back, I think of more of a counterstrike, or a mitigative action to stop an imminent or ongoing attack. You're not going out and trying to find trouble, you're in trouble and trying to stop the pain right then," he said.

A hack back could mean a company shutting down a cyberattack already in progress, or hacking into a cybercriminal's network to delete or alter information that's already been stolen.

The bad guys are so pervasive, according to Hoglund, that some companies are taking matters into their own hands. Victims of attacks are fighting back by hacking the hackers, so that the hacker becomes the hackee.

But this new way of fighting cybercrime is in legally uncharted territory.

"Reverse hacking is a felony in the United States, just as the initial hacking was. It's sort of like, if someone steals your phone, it doesn't mean you're allowed to break into their house and take it back," Fordham University law professor Joel Reidenberg told CNBC.

But Reidenberg said law enforcement is unlikely to detect or prosecute a hack back. "If the only organization that gets harmed is a number of criminals' computers, I don't think it would be of great interest to law enforcement."


By CNBC's Scott Cohn; Follow him on Twitter @ScottCohnCNBC

CNBC's Gennine Kelly contributed to this post; Follow her on Twitter @GKellyCNBC
