Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is Retaliation the Answer To Cyber Attacks?

Posted by Soulskill on from the with-your-switch-or-on-it dept.

coondoggie writes "Should revenge assaults be just another security tool large IT shops use to counter cyber attacks? It's a controversial idea, and the law generally frowns on cyber attacks in general, but at the Black Hat DC conference last week, some speakers took up the issue of whether and how organizations should counterattack against adversaries clearly using attack tools to break into and subvert corporate data security."

14 of 142 comments (clear)

  1. Bad idea by SHP · · Score: 5, Funny

    Makes about as much sense as conducting panty raids on shoplifters.

  2. The world would be a better place... by TerranFury · · Score: 5, Insightful

    ...if we stopped calling exploitation attempts "attacks." It's trickery; it's spying; it's occasionally even -- and this is stretching the word a little -- sabotage (in the case of DoS). But "attacks?" It makes it sound like some kind of assault that one can somehow "get even" for. The metaphor is all wrong.

    1. Re:The world would be a better place... by Antique+Geekmeister · · Score: 3, Insightful

      Only if they weren't "attacks". They often include theft, including theft of money and private information. They're often expensive to repair, They often break or impedes other computer services, and the most common forms of them are for illegal activity (such as spam running DDOS attachs). Or have you failed to look at what botnets are and how they are run?

      Because such attacks far outnumer mere "exploitation attempts", and because even a mere "exploitation attempt" involves theft of computer resources or private data, yes, it's reasonable to call them "attacks".

    2. Re:The world would be a better place... by _Sprocket_ · · Score: 3, Insightful

      ...if we stopped calling exploitation attempts "attacks." It's trickery; it's spying; it's occasionally even -- and this is stretching the word a little -- sabotage (in the case of DoS). But "attacks?" It makes it sound like some kind of assault that one can somehow "get even" for. The metaphor is all wrong.

      I disagree. The use of the word "attack" is perfectly suited. Espionage involves attacks. Politics involves attacks. You can attack a problem, attack a mountain (climbing in mind but that could imply more than one form of 'attack'), attack a movie you found worthy of strong criticism, or attack an idea. An attack is nothing more than an aggressive action who's implication is highly dependent on the situation and context of the use of the word.

      The base problem is looking at this as warfare. In the context of war, an attack has very specific connotations. That form of attack and the concept of war lead us in to the wrong mind-set for the reality of the situation. This is where trickery, spying, and sabotage comes in. This is simply a new set of tools for espionage. And while this does open a new way of looking at things beyond the old Cold War era, namely actors that may not be directly associated with a State, a lot of the traditional concepts and general nature of the behavior apply well to the exploitation of this new environment and tool sets.

    3. Re:The world would be a better place... by causality · · Score: 4, Insightful

      Only if they weren't "attacks". They often include theft, including theft of money and private information. They're often expensive to repair, They often break or impedes other computer services, and the most common forms of them are for illegal activity (such as spam running DDOS attachs). Or have you failed to look at what botnets are and how they are run?

      Because such attacks far outnumer mere "exploitation attempts", and because even a mere "exploitation attempt" involves theft of computer resources or private data, yes, it's reasonable to call them "attacks".

      If you leave your car unattended and some asshat criminal steals it, would you say he attacked you, or would you say he has stolen from you?

      If you leave your ATM card in the ATM and some asshat criminal drains all the money from your account, would you say he attacked you or would you say he committed fraud and/or larceny?

      If you leave a candy bar at your desk and an asshat coworker swipes it and eats it without asking you if he may have it, would you say he attacked you or would you say he swiped your candy bar?

      If all of the above are attacks then what do you call it when one person physically assaults another person? We used to have a neat solution for the problem of making this distinction, in the form of specific words like "attack" that have a specific meaning. Sure, we can reject that and blur all distinctions so we can sensationalize and play up the hyperbole of comparing everything to violent assault, and justify it by saying "it's a LIVING language", but have you thought this through? Is using the correct word such an unreasonable burden, is supporting this kind of sensationalism so desirable, that it's worth introducing artificial ambiguity? I for one don't believe so.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    4. Re:The world would be a better place... by Fnord666 · · Score: 3, Informative

      If all of the above are attacks then what do you call it when one person physically assaults another person?

      Battery.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  3. What are you trying to achieve? by buchner.johannes · · Score: 4, Insightful

    Is the attack scenario one bad guy?
    Then you should contact law enforcement. Also you should make sure your security set up is appropriate.

    Is the attack scenario that you are an big company and people attack you because you are known?
    Then you should make sure your security set up is appropriate. Attacking people is pointless because new ones will turn up all the time.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:What are you trying to achieve? by Kjella · · Score: 3, Insightful

      The question is more are you actually going to retaliate against the attacker or is it like "Let's send some rockets back into that city, because that's where they came from." Anyone launching an attack directly from their own computer is a total amateur, chances are great it'll be some unsuspecting third party's machines and networks that'll be your battle ground. And I very much doubt they care who started it, they're likely to go after everyone that's been hacking their systems when they first find out. If I go on vacation and find two gangs have trashed my apartment I'm not really going to care who started it.

      --
      Live today, because you never know what tomorrow brings
    2. Re:What are you trying to achieve? by Pharmboy · · Score: 4, Insightful

      I think the problem is that with a cyber attack, you don't know if the computer attacking you is the actual person, a proxy, and pwned box or what. In a physical attack, yeah, I say pick up a 2x4 and pop them in the head. In a cyber attack, it is pretty easy to attack the wrong target, maybe bogging up some routers along the way causing inconvenience to innocent bystanders as well. I personally would like to see mass spammers and other cyber criminals get a firing squad on public television, as a deterrent, but not sure going vigilante is the right answer.

      --
      Tequila: It's not just for breakfast anymore!
  4. Re:Infinite loop by JonySuede · · Score: 4, Funny

    Nobody see the problem?

    If (Cyberattack){

    Cyberattack();

    }

    there was a parenthesis pair missing.

    --
    Jehovah be praised, Oracle was not selected
  5. Not sure about retaliation... by slackz · · Score: 4, Interesting

    But I am curious about about the machines that are responsible for a lot of attacks online. A year or so ago I noticed ssh brute force attempts in /var/log/secure and found a cool solution called denyhosts that parses log files, adjusts /etc/hosts.deny, and logs all activity. This got me thinking about a project... I would really like to create some NSE (nmap scripting engine) scripts, or something similar, to go through and scan the machines that show up in my log files as trying to weasel their way in via ssh or other common, filtered tools. It would be interesting to create some visual representations of services, geographical locations, and general makeup of the boxes that are attacking these services.

  6. Re:New idea. by Geraden · · Score: 3, Funny

    You forgot a step...

    5. Profit!

  7. Functionally Insane by Courageous · · Score: 5, Insightful

    The concept of revenge cyber attacks is functionally insane.

    At least at the corporate level. Consider. A competitor's network appears to be attacking yours, so you attack back and get into their networks. Only it turns out that someone hacked the competitor, and it was no fault of the competitor at all. The counter attacking corporation's employees are now guilty of a felony, and presumably were directed to do so by a senior manager. The following actions are available to your competitor:

    1. Pressing the district attorney to prosecute the employees and management
    2. Pressing the district attorney to prosecute the corporation (i.e. the corporate death penalty)
    3. Suing all the criminal employees including all executives in the chain, either authorizing parties or cognizant parties
    4. Suing the corporation

    Given the criminal act with malice of forethought, the #4 option will be of practically unlimited liability. You can expect to be charged 100% of all attorney's fees, the actual cost of their security event including cleanup and all IT labor associated therewith, and an apportionment of their ongoing security operations fees. For #3, some jurisdictions do not permit bankruptcy out of civil liabilities originating from criminal acts. No employee will be protected just because their bosses told them to do the act, as the act was a crime and is indefensible.

    So, to be blunt: "dream on".

    No sane Corporate Counsel will permit any company to do this.

    C//

  8. Re:New idea. by SuricouRaven · · Score: 4, Insightful

    The problem with conventional response is that of geography. When your opponent is some script kiddie or amateur hacker, it's all very well - you go to court, get a warrant, trace his IP through the ISP logs, and file charges. But if the attacker is an organised criminal group, the attack will be coming from a computer in Outer Elbonia, where the local police couldn't care less about your paperwork, and the ISP doesn't care that the connection is registered under a false name. There are even ISPs that specialise in hosting scams and malware - usually in Russia or somewhere similar. It can take weeks to go through legal channels, and during those weeks the attacks (Or malware host) keep on running.

    The impossibility of regulating the internet is what allows us the freedoms we at Slashdot love so much, but the price of this is that it's largely unpoliceable.