Slashdot Mirror


Is Retaliation the Answer To Cyber Attacks?

coondoggie writes "Should revenge assaults be just another security tool large IT shops use to counter cyber attacks? It's a controversial idea, and the law generally frowns on cyber attacks in general, but at the Black Hat DC conference last week, some speakers took up the issue of whether and how organizations should counterattack against adversaries clearly using attack tools to break into and subvert corporate data security."

28 of 142 comments

  1. Re:First! by transwarp · · Score: 2

    No, retaliation comes *after* the attack. The attack comes first.

  2. Bad idea by SHP · · Score: 5, Funny

    Makes about as much sense as conducting panty raids on shoplifters.

  3. New idea. by SuricouRaven · · Score: 2, Insightful

    1. Attack your target. 2. Wait for counterattack. 3. Deny 1, or claim it was an attack launched by compromised computers without your knowledge. 4. Sue your target for the costs of their counterattack.

    1. Re:New idea. by Geraden · · Score: 3, Funny

      You forgot a step...

      5. Profit!

    2. Re:New idea. by jamesh · · Score: 2, Insightful

      Depending on the nature of the attack, it might be easy to spoof. If A wants to attack C then all they need to do is attack B pretending the attack is coming from C, then sit back and enjoy the show :)

    3. Re:New idea. by tkprit · · Score: 2

      Exactly my thought; I don't want rogue corporate types or the government trying to figure out who's doing the attacking and retaliating. They need to beef up their own security and use the current legal system to subvert "cyber attacks".

      Plus, given how the US govt and probably US corporations want to treat wikileaks as a terrorist org, I can imagine big corp/govt "retaliation" being a literal Trojan Horse [SWAT team!] instead of code.

    4. Re:New idea. by SuricouRaven · · Score: 4, Insightful

      The problem with conventional response is that of geography. When your opponent is some script kiddie or amateur hacker, it's all very well - you go to court, get a warrant, trace his IP through the ISP logs, and file charges. But if the attacker is an organised criminal group, the attack will be coming from a computer in Outer Elbonia, where the local police couldn't care less about your paperwork, and the ISP doesn't care that the connection is registered under a false name. There are even ISPs that specialise in hosting scams and malware - usually in Russia or somewhere similar. It can take weeks to go through legal channels, and during those weeks the attacks (or malware host) keep on running.

      The impossibility of regulating the internet is what allows us the freedoms we at Slashdot love so much, but the price of this is that it's largely unpoliceable.

  4. The world would be a better place... by TerranFury · · Score: 5, Insightful

    ...if we stopped calling exploitation attempts "attacks." It's trickery; it's spying; it's occasionally even -- and this is stretching the word a little -- sabotage (in the case of DoS). But "attacks?" It makes it sound like some kind of assault that one can somehow "get even" for. The metaphor is all wrong.

    1. Re:The world would be a better place... by Antique+Geekmeister · · Score: 3, Insightful

      Only if they weren't "attacks". They often include theft, including theft of money and private information. They're often expensive to repair. They often break or impede other computer services, and the most common forms of them are for illegal activity (such as spam running DDOS attacks). Or have you failed to look at what botnets are and how they are run?

      Because such attacks far outnumber mere "exploitation attempts", and because even a mere "exploitation attempt" involves theft of computer resources or private data, yes, it's reasonable to call them "attacks".

    2. Re:The world would be a better place... by _Sprocket_ · · Score: 3, Insightful

      ...if we stopped calling exploitation attempts "attacks." It's trickery; it's spying; it's occasionally even -- and this is stretching the word a little -- sabotage (in the case of DoS). But "attacks?" It makes it sound like some kind of assault that one can somehow "get even" for. The metaphor is all wrong.

      I disagree. The use of the word "attack" is perfectly suited. Espionage involves attacks. Politics involves attacks. You can attack a problem, attack a mountain (climbing in mind but that could imply more than one form of 'attack'), attack a movie you found worthy of strong criticism, or attack an idea. An attack is nothing more than an aggressive action whose implication is highly dependent on the situation and context of the use of the word.

      The base problem is looking at this as warfare. In the context of war, an attack has very specific connotations. That form of attack and the concept of war lead us into the wrong mind-set for the reality of the situation. This is where trickery, spying, and sabotage come in. This is simply a new set of tools for espionage. And while this does open a new way of looking at things beyond the old Cold War era, namely actors that may not be directly associated with a State, a lot of the traditional concepts and general nature of the behavior apply well to the exploitation of this new environment and tool sets.

    3. Re:The world would be a better place... by causality · · Score: 4, Insightful

      Only if they weren't "attacks". They often include theft, including theft of money and private information. They're often expensive to repair. They often break or impede other computer services, and the most common forms of them are for illegal activity (such as spam running DDOS attacks). Or have you failed to look at what botnets are and how they are run?

      Because such attacks far outnumber mere "exploitation attempts", and because even a mere "exploitation attempt" involves theft of computer resources or private data, yes, it's reasonable to call them "attacks".

      If you leave your car unattended and some asshat criminal steals it, would you say he attacked you, or would you say he has stolen from you?

      If you leave your ATM card in the ATM and some asshat criminal drains all the money from your account, would you say he attacked you or would you say he committed fraud and/or larceny?

      If you leave a candy bar at your desk and an asshat coworker swipes it and eats it without asking you if he may have it, would you say he attacked you or would you say he swiped your candy bar?

      If all of the above are attacks then what do you call it when one person physically assaults another person? We used to have a neat solution for the problem of making this distinction, in the form of specific words like "attack" that have a specific meaning. Sure, we can reject that and blur all distinctions so we can sensationalize and play up the hyperbole of comparing everything to violent assault, and justify it by saying "it's a LIVING language", but have you thought this through? Is using the correct word such an unreasonable burden, is supporting this kind of sensationalism so desirable, that it's worth introducing artificial ambiguity? I for one don't believe so.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    4. Re:The world would be a better place... by Lorien_the_first_one · · Score: 2

      That's an interesting point and raises the issue of how we're framing the incident of an "attack". By calling it an attack, we're attempting to justify retaliation. As to the best response, I'd say diverting the attack and logging the method of attack makes more sense. As data is collected about attacks, their sources, methods and frequency become the basis for standard operating procedure rather than the news.

      By reducing their effect with black hole strategies rather than retaliation, we reduce the chance of escalation between the parties and hopefully, injury to unsuspecting third parties. It's worth noting that blackhole-ing attackers means that they have no way of knowing they've been spotted. Thus, they will continue their attacks without knowing for sure if they've been spotted, allowing the targets of attacks to properly identify the sources of attacks and even allowing a better chance of prosecuting attackers.

      I guess you could say that I prefer to err on the side of peace, if possible.

      --
      The diversity and expression of human opinion is essential to human survival.
    5. Re:The world would be a better place... by Fnord666 · · Score: 3, Informative

      If all of the above are attacks then what do you call it when one person physically assaults another person?

      Battery.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  5. What are you trying to achieve? by buchner.johannes · · Score: 4, Insightful

    Is the attack scenario one bad guy?
    Then you should contact law enforcement. Also you should make sure your security setup is appropriate.

    Is the attack scenario that you are a big company and people attack you because you are known?
    Then you should make sure your security setup is appropriate. Attacking people is pointless because new ones will turn up all the time.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:What are you trying to achieve? by Motard · · Score: 2

      Is the attack scenario one bad guy?
      Then you should contact law enforcement. Also you should make sure your security setup is appropriate.

      Would you perform these steps in a physical attack? i.e. an imminent physical ass whooping?

      Is the attack scenario that you are a big company and people attack you because you are known?

      Are you a celebrity facing a crazy person?

      Then you should make sure your security setup is appropriate.

      Right. Buy a gun.

      Attacking people is pointless because new ones will turn up all the time.

      Not after they heard about the first one.

      But seriously, isn't the right of self-defense a pretty basic one? Sure, if you have no confidence of success, don't pursue this option. But if you do, take 'em out.

    2. Re:What are you trying to achieve? by Dachannien · · Score: 2

      Really, the only scenario meriting retaliation for its own sake is the one in which both you and your opponent are script kiddies, because the Internet is really just one big e-peen contest.

    3. Re:What are you trying to achieve? by Kjella · · Score: 3, Insightful

      The question is more are you actually going to retaliate against the attacker or is it like "Let's send some rockets back into that city, because that's where they came from." Anyone launching an attack directly from their own computer is a total amateur, chances are great it'll be some unsuspecting third party's machines and networks that'll be your battle ground. And I very much doubt they care who started it, they're likely to go after everyone that's been hacking their systems when they first find out. If I go on vacation and find two gangs have trashed my apartment I'm not really going to care who started it.

      --
      Live today, because you never know what tomorrow brings
    4. Re:What are you trying to achieve? by Pharmboy · · Score: 4, Insightful

      I think the problem is that with a cyber attack, you don't know if the computer attacking you is the actual person, a proxy, a pwned box or what. In a physical attack, yeah, I say pick up a 2x4 and pop them in the head. In a cyber attack, it is pretty easy to attack the wrong target, maybe bogging up some routers along the way causing inconvenience to innocent bystanders as well. I personally would like to see mass spammers and other cyber criminals get a firing squad on public television, as a deterrent, but not sure going vigilante is the right answer.

      --
      Tequila: It's not just for breakfast anymore!
    5. Re:What are you trying to achieve? by repapetilto · · Score: 2

      Your analogy is you go on vacation and, in your absence, a gangwar erupted in your apartment? Then you come back and see the damage. Respond with "Alright motherfuckers, I don't give a shit who started it." Then presumably go on to kick some ass. Sounds pretty awesome.

  6. Infinite loop by Haedrian · · Score: 2, Insightful

    If (Cyberattack){

    Cyberattack;

    }

    Nobody sees the problem?

    1. Re:Infinite loop by JonySuede · · Score: 4, Funny

      Nobody sees the problem?

      If (Cyberattack){

      Cyberattack();

      }

      there was a parenthesis pair missing.

      --
      Jehovah be praised, Oracle was not selected
  7. Not sure about retaliation... by slackz · · Score: 4, Interesting

    But I am curious about the machines that are responsible for a lot of attacks online. A year or so ago I noticed ssh brute force attempts in /var/log/secure and found a cool solution called denyhosts that parses log files, adjusts /etc/hosts.deny, and logs all activity. This got me thinking about a project... I would really like to create some NSE (nmap scripting engine) scripts, or something similar, to go through and scan the machines that show up in my log files as trying to weasel their way in via ssh or other common, filtered tools. It would be interesting to create some visual representations of services, geographical locations, and general makeup of the boxes that are attacking these services.

    1. Re:Not sure about retaliation... by HungryHobo · · Score: 2

      I hope you included something which turned that off if it added more than a certain number of hosts in a short time.
      Otherwise it makes for an easy DoS: spoof packets and watch as your server blocks the whole net.

      Something which imposes a temporary block and can only block a limited number of IPs at a time would be good for preventing casual and script kiddie attacks though.
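      A minimal version of the log-parsing blocker slackz describes, with the cap on simultaneous blocks and the expiry HungryHobo asks for, as an added example that is not code from either poster or from the denyhosts project. It assumes sshd's "Failed password ... from <ip> port" line format and uses a constructed sample log rather than a real /var/log/secure.

```python
import re
from collections import defaultdict

# Matches the sshd failure lines that land in /var/log/secure.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

# Constructed sample log, not a real capture (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Jan 20 03:14:07 box sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2
Jan 20 03:14:09 box sshd[2213]: Failed password for root from 203.0.113.7 port 4412 ssh2
Jan 20 03:14:10 box sshd[2215]: Accepted publickey for alice from 192.0.2.10 port 5001 ssh2
Jan 20 03:14:12 box sshd[2217]: Failed password for invalid user oracle from 203.0.113.7 port 4413 ssh2
Jan 20 03:14:15 box sshd[2219]: Failed password for invalid user test from 198.51.100.20 port 6001 ssh2
Jan 20 03:14:18 box sshd[2221]: Failed password for root from 198.51.100.20 port 6002 ssh2
"""

class BlockList:
    """Per-source failure counter that decides which sources to deny.
    threshold: failures before a deny; max_blocked: hard cap on simultaneous
    denies (spoofed failures must not grow the list without bound);
    block_seconds: every deny expires, so a mistaken block is temporary."""

    def __init__(self, threshold=3, max_blocked=50, block_seconds=3600):
        self.threshold, self.max_blocked = threshold, max_blocked
        self.block_seconds = block_seconds
        self.failures = defaultdict(int)
        self.blocked = {}   # ip -> expiry timestamp (seconds)
        self.refused = []   # ips over threshold while the list was full

    def observe(self, line, now):
        """Feed one log line; return True if it caused a new block."""
        self.expire(now)
        m = FAILED_RE.search(line)
        if not m:
            return False
        ip = m.group(1)
        self.failures[ip] += 1
        if self.failures[ip] < self.threshold or ip in self.blocked:
            return False
        if len(self.blocked) >= self.max_blocked:
            self.refused.append(ip)   # cap reached: record, do not block
            return False
        self.blocked[ip] = now + self.block_seconds
        return True

    def expire(self, now):
        """Drop blocks whose window has passed and reset their counters."""
        for ip in [ip for ip, until in self.blocked.items() if until <= now]:
            del self.blocked[ip]
            self.failures[ip] = 0

    def hosts_deny_lines(self):
        """Render the current blocks in /etc/hosts.deny syntax."""
        return ["sshd: %s" % ip for ip in sorted(self.blocked)]

def scan(text, now=0, **kwargs):
    """Run a whole log through a fresh BlockList and return it."""
    bl = BlockList(**kwargs)
    for line in text.splitlines():
        bl.observe(line, now)
    return bl
```

      In production the current time would be passed from time.time() and the rendered lines written to /etc/hosts.deny; the cap means a flood of spoofed failures can at worst fill max_blocked slots for block_seconds, not lock out the whole net.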

  8. my solution to this problem by linuxwebadmin · · Score: 2

    1) Collect as much info as you can about the source of the attack.
    2) Send an email to the abuse address on record.
    3) Harden system some more.
    4) Wait for some sort of response.
    5) Publish the source IP, whatever response is received in the email response, and AS info (i.e. netblock) along with the details of the attack.
    6) Block all future traffic from the AS.

    --
    Show me packet captures and log entries, or it never happened.
  9. Functionally Insane by Courageous · · Score: 5, Insightful

    The concept of revenge cyber attacks is functionally insane.

    At least at the corporate level. Consider. A competitor's network appears to be attacking yours, so you attack back and get into their networks. Only it turns out that someone hacked the competitor, and it was no fault of the competitor at all. The counter attacking corporation's employees are now guilty of a felony, and presumably were directed to do so by a senior manager. The following actions are available to your competitor:

    1. Pressing the district attorney to prosecute the employees and management
    2. Pressing the district attorney to prosecute the corporation (i.e. the corporate death penalty)
    3. Suing all the criminal employees including all executives in the chain, either authorizing parties or cognizant parties
    4. Suing the corporation

    Given the criminal act with malice aforethought, the #4 option will be of practically unlimited liability. You can expect to be charged 100% of all attorney's fees, the actual cost of their security event including cleanup and all IT labor associated therewith, and an apportionment of their ongoing security operations fees. For #3, some jurisdictions do not permit bankruptcy out of civil liabilities originating from criminal acts. No employee will be protected just because their bosses told them to do the act, as the act was a crime and is indefensible.

    So, to be blunt: "dream on".

    No sane Corporate Counsel will permit any company to do this.

    C//

  10. This sounds like an unbelievably terrible plan.... by fuzzyfuzzyfungus · · Score: 2

    In the US, and in the sorts of theoretically-rule-of-law-y jurisdictions that corporations generally have substantial operations and assets in, most flavors of "cyberattack" are de jure Pretty. Seriously. Not. Legal.

    This does approximately jack shit against gangs operating offshore in who-knows-where controlling botnets of enslaved Joe User XP home boxes; but it is the state of the law. Now, let's think about this for a second: Any "cyber-counterattack", unless unbelievably flawless, is probably going to have some amount of collateral damage: ISPs getting parts of their networks DDOSed, innocent-if-clueless home users getting their botnetted boxes taken down, etc. Even the direct damage will be illegal (though criminal gangs probably won't press charges); but the collateral damage will, in not a few cases, fall directly on people and businesses, in western jurisdictions, who had nothing to do with the original attack (other than, perhaps, not updating their AV often enough).

    Now, when it comes to light that Foocorp LLC, a division of Deeppockets Industries, and their officers and employees have been guilty of numerous violations of federal cybercrime violations, most felonies, and a variety of civilly actionable property damage, where do you think the lawyers are going to go looking for blood? Yuri Shadymov and John Does 1-N, the mysterious perpetrators of the attack on Foocorp, or the conveniently-located-right-at-home Deeppockets Industries?

    There would be a nonzero risk (and they would deserve every bit of it) that Deeppockets industries could find itself up to its eyeballs in civil suits, and the Foocorp IT team and every exec who knew of and authorized their actions could be looking at serious fines and some quality time in FPMITA...

  11. Prisoner's Dilemma by crsuperman34 · · Score: 2
  12. Re:Retaliation as a Policy by fuzzyfuzzyfungus · · Score: 2

    If I am firing hijacked passenger airliners at you, are the criminal homicide charges and the civil wrongful death suits that you would accrue by shooting them down worth it?

    That's the problem: there is basically no such thing as a pure weapon on the internet. Most "stolen missiles" are simultaneously poorly secured home or business computers that have never left the ownership (and, in general, since the botnet guys don't want their hosts getting wiped) are still being actively used by their owners for whatever their intended purpose is.

    Crippling them would, indeed, end the attack; but it would constitute committing dozens or hundreds of what (at least in the US) would be federal felonies and invitations to expensive civil suit. And, to be quite blunt about it, you would deserve to have your ass handed to you for doing so.