Is Retaliation the Answer To Cyber Attacks?
coondoggie writes "Should revenge assaults be just another security tool large IT shops use to counter cyber attacks? It's a controversial idea, and the law generally frowns on cyber attacks in general, but at the Black Hat DC conference last week, some speakers took up the issue of whether and how organizations should counterattack against adversaries clearly using attack tools to break into and subvert corporate data security."
No, retaliation comes *after* the attack. The attack comes first.
Makes about as much sense as conducting panty raids on shoplifters.
1. Attack your target. 2. Wait for counterattack. 3. Deny 1, or claim it was an attack launched by compromised computers without your knowledge. 4. Sue your target for the costs of their counterattack.
...if we stopped calling exploitation attempts "attacks." It's trickery; it's spying; it's occasionally even -- and this is stretching the word a little -- sabotage (in the case of DoS). But "attacks?" It makes it sound like some kind of assault that one can somehow "get even" for. The metaphor is all wrong.
Is the attack scenario one bad guy?
Then you should contact law enforcement. Also you should make sure your security set up is appropriate.
Is the attack scenario that you are a big company and people attack you because you are known?
Then you should make sure your security set up is appropriate. Attacking people is pointless because new ones will turn up all the time.
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
Maybe that's next after Stuxnet. Program target IP, launch, fire, forget.
No, retaliation comes *after* the attack. The attack comes first.
Which is exactly the problem; by the time you retaliate you've already taken damage. Do unto others BEFORE they do it to you.
If (Cyberattack){
Cyberattack;
}
Nobody see the problem?
The problem is that anyone can do a cyber attack, steal a ton of money by scamming it. It isn't tough, it just requires a lack of morals.
If they're caught, some countries will not only refrain from punishing you, but they'll even congratulate you for siphoning money from foreign countries.
I don't think there is a solution unless we had a world government... In which case we have a lot bigger problems facing us.
God spoke to me.
But I am curious about the machines that are responsible for a lot of attacks online. A year or so ago I noticed ssh brute force attempts in /var/log/secure and found a cool solution called denyhosts that parses log files, adjusts /etc/hosts.deny, and logs all activity.
This got me thinking about a project... I would really like to create some NSE (nmap scripting engine) scripts, or something similar, to go through and scan the machines that show up in my log files as trying to weasel their way in via ssh or other common, filtered tools. It would be interesting to create some visual representations of services, geographical locations, and general makeup of the boxes that are attacking these services.
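The denyhosts-style loop the post describes, as an added example that is not denyhosts' own code or the poster's: parse sshd "Failed password" lines from a /var/log/secure-style log, count failures per source IP, skip an allowlist so you cannot lock yourself out, and emit TCP-wrappers lines for /etc/hosts.deny. The log lines are constructed samples using documentation IP ranges; the threshold and allowlist are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format sshd writes to /var/log/secure (not real data).
SAMPLE_LOG = """\
Jan 29 03:14:07 host sshd[2110]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 29 03:14:09 host sshd[2112]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Jan 29 03:14:12 host sshd[2114]: Failed password for root from 203.0.113.7 port 51251 ssh2
Jan 29 03:14:15 host sshd[2116]: Failed password for root from 203.0.113.7 port 51260 ssh2
Jan 29 03:14:18 host sshd[2118]: Failed password for root from 203.0.113.7 port 51266 ssh2
Jan 29 03:20:01 host sshd[2201]: Failed password for alice from 198.51.100.22 port 40001 ssh2
Jan 29 03:20:30 host sshd[2203]: Accepted publickey for alice from 198.51.100.22 port 40002 ssh2
Jan 29 03:25:44 host sshd[2300]: Invalid user test from 192.0.2.99 port 6000
Jan 29 03:25:44 host sshd[2300]: Failed password for invalid user test from 192.0.2.99 port 6000 ssh2
"""

# Matches both "Failed password for root from X" and
# "Failed password for invalid user admin from X"; captures user and IPv4 source.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return a Counter of failed-login attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def offenders(log_text, threshold=5, allowlist=frozenset()):
    """IPs at or above the failure threshold, worst first, minus the allowlist.

    The allowlist (assumed; e.g. your own management hosts) mirrors the
    safeguard denyhosts-style tools need so a mistyped password from an
    admin workstation does not block that workstation.
    """
    counts = count_failures(log_text)
    hits = [ip for ip, n in counts.items() if n >= threshold and ip not in allowlist]
    return sorted(hits, key=lambda ip: (-counts[ip], ip))


def hosts_deny_lines(ips):
    """Render TCP-wrappers entries of the form 'sshd: <ip>' for /etc/hosts.deny."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    # Real use would read /var/log/secure and append to /etc/hosts.deny;
    # here we only print what would be appended.
    for line in hosts_deny_lines(offenders(SAMPLE_LOG, threshold=5)):
        print(line)
```

Entries added this way never expire, so a production loop should also age them out (denyhosts does this) and log what it blocked, as the post notes.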
1) Collect as much info as you can about the source of the attack.
2) Send an email to the abuse address on record.
3) Harden system some more.
4) Wait for some sort of response.
5) Publish the source IP, whatever response is received in the email response, and AS info (i.e. netblock) along with the details of the attack.
6) Block all future traffic from the AS.
Show me packet captures and log entries, or it never happened.
No really. If it's after the fact, no... Cease fire when they do.
For justice, we must go to Don Corleone
Unless it is "Anticipatory Retaliation"...
In all cases of violent conflict, often the best deterrent is the promise of retaliation.
If you know your target will retaliate, even if it isn't in their best interest, you will think twice about attacking.
Think about those games of Risk you used to play as a kid. There was always that one guy who, once you attacked him, would not stop retaliating, even if he was endangering his ultimate goal: winning the game. In the process, your chances of victory plummeted in the face of the onslaught.
In subsequent games, no one would attack that guy.
If retaliation is your thing, then I suspect it depends on how much self control you have before you retaliate.
That wasn't hard to answer!
If everyone clicked the link in those "work from home" scams 100 times, or replied to every "your webmail account is about to expire" email with bogus details, then it would drown the enemy in useless information.
If you then take it a step further and have an automated system that clicks links a million times automatically and replies to the emails with bogus information a million times then it would be even better.
Until someone gets the idea to send out a "I made a billion $$$ working from home. Click http://www.kernel.org/pub/linux/kernel/v2.6/testing/linux-2.6.38-rc2.tar.bz2 for details!" and you're suddenly part of the problem.
Rule #13: Do unto others.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
The concept of revenge cyber attacks is functionally insane.
At least at the corporate level. Consider. A competitor's network appears to be attacking yours, so you attack back and get into their networks. Only it turns out that someone hacked the competitor, and it was no fault of the competitor at all. The counter attacking corporation's employees are now guilty of a felony, and presumably were directed to do so by a senior manager. The following actions are available to your competitor:
1. Pressing the district attorney to prosecute the employees and management
2. Pressing the district attorney to prosecute the corporation (i.e. the corporate death penalty)
3. Suing all the criminal employees including all executives in the chain, either authorizing parties or cognizant parties
4. Suing the corporation
Given the criminal act with malice aforethought, the #4 option will be of practically unlimited liability. You can expect to be charged 100% of all attorney's fees, the actual cost of their security event including cleanup and all IT labor associated therewith, and an apportionment of their ongoing security operations fees. For #3, some jurisdictions do not permit bankruptcy out of civil liabilities originating from criminal acts. No employee will be protected just because their bosses told them to do the act, as the act was a crime and is indefensible.
So, to be blunt: "dream on".
No sane Corporate Counsel will permit any company to do this.
C//
In the US, and in the sorts of theoretically-rule-of-law-y jurisdictions that corporations generally have substantial operations and assets in, most flavors of "cyberattack" are de jure Pretty. Seriously. Not. Legal.
This does approximately jack shit against gangs operating offshore in who-knows-where controlling botnets of enslaved Joe User XP home boxes; but it is the state of the law. Now, let's think about this for a second: Any "cyber-counterattack", unless unbelievably flawless, is probably going to have some amount of collateral damage: ISPs getting parts of their networks DDOSed, innocent-if-clueless home users getting their botnetted boxes taken down, etc. Even the direct damage will be illegal (though criminal gangs probably won't press charges); but the collateral damage will, in not a few cases, fall directly on people and businesses, in western jurisdictions, who had nothing to do with the original attack (other than, perhaps, not updating their AV often enough).
Now, when it comes to light that Foocorp LLC, a division of Deeppockets Industries, and their officers and employees have been guilty of numerous violations of federal cybercrime violations, most felonies, and a variety of civilly actionable property damage, where do you think the lawyers are going to go looking for blood? Yuri Shadymov and John Does 1-N, the mysterious perpetrators of the attack on Foocorp, or the conveniently-located-right-at-home Deeppockets Industries?
There would be a nonzero risk (and they would deserve every bit of it) that Deeppockets Industries could find itself up to its eyeballs in civil suits, and the Foocorp IT team and every exec who knew of and authorized their actions could be looking at serious fines and some quality time in FPMITA...
Yes. But let's keep it non-nuclear, ok? Cruise missiles, Predator drones, maybe SeeBees with satchel charges: all fine. Just be sure the response isn't disproportionate.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
They would never be certain to get the right target and cannot guarantee that innocent bystanders won't get caught in the crossfire. That may be acceptable in the silly plots of TV dramas, but in real life there are consequences.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
"Hello, my name is Inigo Montoya. You hacked my computer. Prepare to die."
Karma: Excellent. 15 moderator points expire sometime.
The problem is, if you throw the first punch, you've got no right to cry if you get hit back.
So, the summary is misleading.
The actual article (starts out) talking about using vulnerabilities in botnets and "attack" tools, and an idea called a "tarpit" that would attempt to tie up resources on botnets and "attack" tools.
Not much of a new idea, as people are already doing things like this: Locking out login attempts, delaying login, or CAPTCHAs are a simple example of "tarpits". Reverse engineering malicious programs is already being done. Honeypots, etc.
"Revenge assault" seems to be strong wording for this. Really just silly.
You'd think they were referring to stuff like the worms that spread around patching security holes and removing other worms. This, which would in itself also be a proven stupid idea, given how the "good" worm ended up tying up as much resources as the "bad" worms they were trying to stop.
The second part is just a whole lot of talk about how "data thieves" might steal data and "DLP". Whole bunch of silly lingo that seems to be not much more than fear mongering.
tl;dr version is basically, social engineering attacks are still a problem.
It's the best way to get everyone blind.
Retaliation sure worked out well for the military, why wouldn't it work out the same online?
Just like if you get up in the morning to find that your window is broken, the BEST response is to pick up a shotgun and go kick in your neighbour's front door.
Remember, your first impulse is always right and you can never, EVER misunderstand any situation.
For the attacks I heard about it was often not clear who was behind them. As for many viruses, it was unknown where Stuxnet came from. It is mostly unknown who is controlling the botnets behind DoS attacks. If someone steals data he will either use TOR, or an open hotspot.
Contact their ISP and request a takedown; if they don't respond or the ISP in question has a PO box, then contact their upstream provider(s) and get them de-peered or face prosecution.
or just turn up at the data center with bats/guns and start smashing
You mean Tit-For-Tat? http://en.wikipedia.org/Prisoners_Dilemma
I believe the political term is "preemptive strike".
Worse, it's pretty easy to pin an obvious or even not-so-obvious cyberattack on someone else. If vigilante "cyber justice" is acceptable, then an efficient way of performing your cyber attack is simply to attack a third-party target and make it look like your real target did it.
There's a reason vigilante justice isn't acceptable.
I believe the political term is "preemptive strike".
Just like "shock and awe" is the new political term for "blitzkrieg".
It is a miracle that curiosity survives formal education. - Einstein
We need to establish corporate extraterritoriality before anyone except the government can start to mount turreted autocannons in their lobbies/Black ICE in the networks/kink bombs in the implants of all employees and family members below B-grade. Or at least, that's the story that anyone below grade Ultraviolet/AAA gets fed. But boy, will those AAA bastards be up for a surprise when the second stage of Dunkelzahn's Cyberzombie-Jesus-plot finally comes into action at the product lifecycle end of Shadowrun 4ed...
Emotions! In your brain!
From a purely Machiavellian perspective, if you throw the first punch and they're still able to hit back, then you deserve to get hit.
Check out my sci-fi/humor trilogy at PatriotsBooks.
No.
Better to strike first. Mind, good enough so _they_ can't retaliate.
Whoever 'they' are ...
Well, victims "should" leave retaliation to law enforcement. But when there is no answer to the question, "What law enforcement?" victims "will" retaliate whether they "should" or not.
I have been formulating a system to fight back when attacked by people. Doing this action brings up many things, some philosophical.
a) It is possible that the person attacking is an unwitting participant, i.e. a zombie. It would not be fair to cause any type of damage to these people.
b) I have also found that the vast majority of exploits contain reverse exploits in which very heavy damage can be inflicted upon an attacker. Stay tuned for that - you heard it here first.
c) I believe that being a US citizen I can consider myself a member of a militia (a cyber militia). I have a right to defend myself using instruments of war. In this case the primary weapon will be a C compiler.
d) Fighting back is not a common strategy at this point in time. The current strategy is to let 3rd party security vendors (i.e. Symantec, Norton) fight attackers via contract. This isn't working to my satisfaction so I believe a new strategy must be employed to fight people who use computers to adversely affect other people. The sitting duck approach will be abandoned and a fight back harder approach will be employed. Good luck kiddies.
Let the games begin you little fucking toys.
The other issue, with electronic attacks specifically, is that effective "self defense" would require absurdly broad authorization.
In physical terms, you have states like Texas, where shooting trespassers is largely legal, and states like Massachusetts where you pretty much have to have run out of other options before you can use lethal force in self defense. When it comes to electronic attacks, everybody already enjoys greater-than-Texas level of self-defense capability. I can tell my routers and switches to drop whatever packets I want them to. I can terminate whatever processes I care to on my hardware. I can delete whatever files, etc. My network, my rules.
Given that everyone, in basically every jurisdiction anywhere, can already do that any call for expanded powers of self defense is a call to be allowed to just start shooting up the neighborhood with wild abandon. Not going to end well.
I am the owner of www.TurklerinMekani.nl and my site was attacked. That's not fine. I think that the attackers / hackers must get a real high punishment so they don't do it again.
Given the ease of hiding the origin of your attack (tried tracking spam?) you've got the problem of the hackers doing false flag attacks on you in order to trick you into attacking the real target of the hackers. The only way to actually stop attacks is to track them down and arrest them. No other plan will ensure the attacks permanently stop. On the other hand, having the RIAA attack MPAA in a full scale cyberwar would be kindof cool.
If you leave your car out, then someone else uses it to drive into a power pole to take down the power in a local neighborhood, can the local company who was the subject of this denial of (power) service send out a hit squad to blow your car up?
There aren't good real world analogies, except perhaps: the police coming and arresting the property owner who's signed a management contract with a management company who leased it to a meth lab, who they can't catch selling drugs, so they target the property owner.
News flash: (and Black Hat is the last place you need to remind people of this by the way) attribution is incredibly difficult; someone skilled and well funded doesn't use a system that can be tracked to them. They operate in an out-of-band Command and Control method that they interact with through some sort of darknet-like (or public onion routed) system (i2p, tor etc) from a public wireless using a stolen/cash-bought laptop.
If domestic, the FBI and other agencies can handle it well; if foreign, well, that's what Russian snipers are for...
Why would anyone imagine that the same outcome would not apply in cyberspace? I DDOS you, you DDOS me. We get our friends to DDOS our enemies. You deface me, I deface you. Sounds like a whole lot of wasted bandwidth. I'd rather see folks invest in anti-spoofing at the network edge, implement better auth methods, and review content for vulnerabilities before they publish. Sheesh.
Wrong.
Hyperbolic, possibly; but the law is fairly broad and the bar fairly low.
I don't know about Texas, but in Florida, your legal right to shoot (or otherwise use lethal force) against anyone on your property is fairly broad.
Do you really want CORPORATES to have that power? Please. These guys don't even have the common sense to break the boom-bust cycles. It's like giving a knife to a child incapable of learning from experience. So Company A attacks Hacker B. Only it turns out that the attack went awry and Hacker B is actually a rival corporate giant. So Rival Corporate Giant attacks back, which misfires too. Remember, it is difficult to prove motivation or origin or logic in a cyber attack. Isn't it fun, boys?
In a working state, the power to punish an act seen as criminal is exerted by the police and the courts. If "the strong" can "retaliate" against the weak, then we call that anarchy.
If Amazon wants, they can take offline everybody who is hosting wikileaks and every imageboard which used the word "anonymous" on the planet by dedicating 10% of their computational/network power to "retaliate". If Google would like to "retaliate" against somebody, they could take a medium-sized country offline and render it inoperative for months (imagine what amount of disturbance they could cause by searching all gmail for important infrastructure numbers and showing them up in 10% of the search results; an administration getting 10 times more calls than it can handle will not be able to work any more). Imagine if they show a company's homepage randomly in 1% of the search results: the homepage will be offline for some time. If China wants, they can take any NGO offline by an attack.
We should not aim for an internet where we retaliate and fight wars without any legal court having said anything, but plainly with the legitimation of our own strength. Once this became the established order of things, the internet would have failed.
If somebody behaves badly, put them on a list. Don't peer with them, don't accept mail from them, and anybody who systematically ignores that ends up on the same list. That system is not perfect, but it's the best we have. Try to figure out the people behind it and bring them to justice. The security companies should dedicate a substantial amount of their products to educating the user (e.g. pay high-level news speakers or actors to speak a 2 minute warning on the current trends). Official/company websites need to stop putting "ssl-certified" logos on the webpage itself, but should put up a picture of how the URL bar should look and ask the user to compare and remember it. Big companies should not educate the user to install just every program because they are told to.
What I want to say: the image, the resources, and the power of big companies can be used in constructive ways, and not to establish illegal actions as the course of the day.
I thought he was going to hit me so I hit him back first.
Everything you know is wrong, Just forget the words and sing along.
in a meeting when one of the executives said we should attack back when we were denial of service attacked. Yeah, no legal liability there.
Seems pretty acceptable to me. As long as the attack is confirmed, and there aren't idiots at the helm. Didn't Israel do something like this? Pre-emptive assassinations or something that?
I wouldn't be surprised if big-iron IT departments didn't already do something like this. Not like it matters anyways, with corporate control of the internet looming (slashdot story of 2 tier internet access)
1- Determine type of attack.
2- Take control of the attacking machine using scripted attacks. Certainly if a script kiddy can succeed, a pseudo AI can too.
3- Send payload. Can be a simple antivirus if dealing with botnets etc.
4- Get user attention etc?
5- Profit?
As a former Shadowrun GM, I can only facepalm. Either roll with Sleaze or do your decking with a disposable deck. And remember: when the ICE rezzes, your MAC address is already forfeit.
Every trollism an AC posts is prefixed, in my mind, with "A. Coward whined, in a weak and cowardly voice:"
Good that you point out that the /. article is misleading.
But you are wrong in naming defensive measures that enhance login security "tarpits".
If I recall right "tarpits" work by tying up resources at the attacking computer.
See here for an actual implementation:
http://www.wilderssecurity.com/showthread.php?t=16674
Hey don't blame me, IANAB
If a man shall smite thy right cheek, turn also your left. --Jesus
If a man shall smite thy right cheek, smash him on his left, beat him hip and thigh that he might ruminate over what he has done. --Anton LaVey
IANAL. This brings up the question, "Is cyber self-defense a legally viable defense in court?"
The analogy goes like this. I was being attacked so I whacked him to make him stop. The corporate equivalent is: My network and computer systems were being attacked, so I whacked the attacker to make him stop.
It is true that 'attacking' the IP who infiltrated your network is probably the wrong target, but in the article, the suggested counter attack was not an attack; it was an infiltration designed to glean information about who is really behind the attack and what sorts of info they are looking for.
RTFA
That "pinning" is standard operating procedure, it's rare for an attack to be traceable to a real guilty party.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Naturally, although many cyber attacks right now are done through botnets or are made to look as if they were done by an anonymous, meaningless entity, rather than intentionally placing evidence that leads you to believe it's from a particular third party.
The short version is that vigilante justice is particularly bad for cyber attacks because attribution is particularly difficult.
I'd say the law is fairly reasonable. In any case it clearly does not permit the use of deadly force against a mere trespasser.
There is nowhere in the USA where use of deadly force against a mere trespasser is legal.
Any competent attackers will cover their tracks, often making it appear that the source of the attack is in a completely different country. It's fairly easy to frame someone and make it look credible.
They need to forcibly enter your home or occupied vehicle (rather than just being on your property). Otherwise, Florida's castle doctrine does exactly that.
Somehow I managed to read this title as "Is Retaliation the answer to Cylon attacks?"
The answer is clearly yes (assuming we have any ships left to retaliate with...)