Our team recently identified the IP address of a group that has been attempting to brute-force our servers. Some of our younger devs want to "strike back" by scanning their infrastructure for vulnerabilities. Is this ever legally or ethically acceptable in the industry? We want to discourage them from coming back, but I’m worried about the legal repercussions and the potential for escalation.
3 answers
The short answer is: Absolutely do not do it. "Hacking back" is illegal in almost every jurisdiction, including the US under the Computer Fraud and Abuse Act (CFAA). Beyond the legal risk, you have no way of knowing if the IP address you see actually belongs to the attacker; they often use compromised servers from innocent third parties or hospitals as proxies. If you "hack back," you might be attacking another victim. Your job is to defend, harden your systems, and report the evidence to the FBI or your local authorities. Leave the offensive operations to the professionals.
Pamela, if we can't strike back, what is the best way to actively "discourage" them so they realize we are a difficult target and move on to someone else?
Focus on your Incident Response plan. A fast, efficient recovery is the best way to prove to an attacker that their efforts are a waste of time and resources.
Well said, Justin. Resilience is the best defense. If you can bounce back in minutes, the attacker loses their leverage and their motivation to keep trying.
Ryan, the best discouragement is "Friction." Use Geofencing to block traffic from countries you don't do business with, implement strict rate-limiting on your login pages, and set up "Honeytokens" or "Honeypots." A Honeypot is a fake server that looks vulnerable; when an attacker touches it, you get an immediate alert and can block their real intent before they find your actual data. It’s a safe, legal way to play "mind games" with the attackers.