1. Non-cooperative intelligence gathering—the use of any tools to gather information about the attack and the attacker. Tools might include honeypots, honeynets, traceroutes, loose source and record routes, pings and fingers.

  2. Non-cooperative “cease and desist”—the use of tools to disable harmful services on the attacker’s system without affecting other system services.

  3. Counterstrike—response taking two potential forms: direct action (active counterstrike) such as hacking the attacker’s systems (hack-back) and transmitting a worm targeted at the attacker’s system; passive counterstrike that redirects the attack back to the attacker, rather than directly opposing the attack. Examples of passive counterstrike are a footprinting strike-back that sends endless data, bad data, or bad SQL requests, and network reconnaissance strike-back using traceroute packets (ICMP “TTL expired”).

  4. Preemptive defense—conducting an attack on a system or network in anticipation of that system or network conducting an attack on your system.

Different actions may be taken based on the type of attack and an analysis of the benefits and costs associated with each type of response. Multiple types of responses may be taken for any given attack.

Actions 1-4 are generally non-controversial, in the sense that it would not be legally problematic for a private company to take any of these responses. Actions 6-8 are much more aggressive, fall into the general category of active defense (and more), and certainly raise many questions under the statutory prohibitions against conducting cyberattack. In addition, system administrators often express concern about the legality of Action 5 in light of the various statutes governing electronic surveillance.


1 S. Caltagirone and D. Frincke, Information Assurance Workshop, 2005, IAW ‘05, Proceedings from the Sixth Annual IEEE SMC, June 15-17, 2005, pp. 258-265. See also David Dittrich and Kenneth Einar Himma, “Active Response to Computer Intrusions,” The Handbook of Information Security, Hossein Bidgoli, editor-in-chief, John Wiley & Sons, Inc., Hoboken, N.J., 2005.


Technical Similarities in and Differences Between Cyberattack and Cyberexploitation

The cyberexploitation mission is different from the cyberattack mission in its objectives (as noted in Chapter 1) and in the legal constructs surrounding it (as discussed in Chapter 7). Nevertheless, much of the technology underlying cyberexploitation is similar to that of cyberattack, and the same is true for some of the operational considerations as well.

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement