How Corporate America fights hackers


To defend themselves against hackers, some of America's largest corporations have adopted shadowy tactics usually reserved for government spies.

They go undercover, infiltrate secretive hacking groups and occasionally even build personal profiles of their attackers -- everything short of physically hunting them down themselves.

The old method of constructing defenses and waiting for a strike doesn't cut it anymore, according to security professionals who advise Fortune 500 firms. Cyberattacks have gotten far more effective, especially now that hackers are increasingly being funded by foreign governments.

In fact, experts said that key corporate executives -- whose email accounts usually carry the most prized information -- are no longer the target of choice for hackers. Instead, the bad guys now try to hack into accounts of secretaries, who are often just as knowledgeable as their bosses, or engineers who create valuable intellectual property.

"The more modern approach is: I want to know who's going to attack me, so I can tune my defenses in advance," said Ian Amit, service director at security consultant IOActive.

Related story: Security hole found in Obamacare website

None of the security consultants who spoke to CNNMoney would identify their clients. But the consultants said the largest firms in banking, energy, technology and health care are the ones most likely to be engaging in espionage to keep hackers at bay.

The stakes in the United States are high, as hacking costs more than $100 billion a year. Foreign governments want to steal intellectual property, and well-organized cyber mafias seek credit cards.

So how exactly are companies fighting back? Some use what's referred to as "active defense." Amit said that involves maintaining a cybersecurity team to monitor clandestine chat forums or marketplaces where hackers plan their assault. This usually happens on the so-called deep web, where anonymity is paramount.

Sneaking in. The first step is infiltration, security experts say. To fit in, some corporate scouts are fluent in Arabic, Chinese or Russian. To gain the community's trust and prove themselves as worthy, some even stage hacks of their own company. A bank might create a few throwaway credit card accounts.

"You'll fake compromise a few credit cards and lose a couple of bucks. If that buys your way into a forum that gives you a heads up on intelligence on future fraud," Amit said.

Businesses may also prepare bait to lure in an outside attack. Some set up computer servers as targets to passively study the hacker's movements. Others ruin the digital files hackers are trying to loot as it leaves their system. Hackers stealing large amounts of data tend to compress files to move them faster, so corporate tech security will change a single byte in the compressed file, rendering it useless.

The scary reality of hacking infrastructure
The scary reality of hacking infrastructure

Companies often team up with consultants for the heavy lifting. A team of operatives at anti-virus software maker Symantec (SYMC) does that very kind of spy work.

Samir Kapuria, who leads Symantec's Security Intelligence Group, recalls an incident last year when a major manufacturer (he wouldn't name) created bogus blueprints of a valuable product and left it hidden in its servers. When the company later found it being traded in an underground community, it knew there was a leak somewhere in its computer system.

"For them, it was really telling," Kapuria said.

Hacking the hackers. As companies up the ante, some flirt with the idea of fighting back. Jeffery Stutzman is the CEO of Red Sky Alliance, which coordinates intelligence sharing among 30 of the world's largest conglomerates. His firm profiles attackers by keeping their pictures, phones numbers and other personal information on file.

At a recent security industry conference in New York City, he noted the building sentiment among some companies to commit a counterstrike.

"I'm all for the Second Amendment right in cyber," he said, referring to the right to bear arms. "You've got to be able to defend yourself."

That could mean hijacking an attacker's computer and making its hard drive overheat. Or wiping it blank. Or turning on their webcam and taking their picture.

Related story: How Silk Road was reborn

But industry experts say that type of offensive is rare, and admitting to it is taboo. Although tempting, the risks of getting caught are too high, said Craig Carpenter, a marketing executive at digital investigating firm AccessData.

Fighting back is time intensive and expensive. Because hackers occasionally hijack servers to launch an attack, fighting back might hurt an innocent third party. And if it's a state sponsored attack, as with some Chinese government hacking, an American firm might be striking back on a government-owned enterprise.

"Vigilantism in the cyber world is dangerous," Carpenter said. "You could find yourself in a situation of undeclared war. It's a really bad idea."

It would also draw the ire of the FBI, which is why the industry norm is to document attacks, track down hackers and hand over "prosecution files" to the FBI. It gives federal agents a significant head start and puts companies one step closer to eliminating the threat.

"As a commercial entity, it's very hard to take an operation down by yourself," IOActive's Amit said. "This is a law enforcement thing."

CNNMoney Sponsors