Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is Retaliation the Answer To Cyber Attacks?

Posted by Soulskill on from the with-your-switch-or-on-it dept.

coondoggie writes "Should revenge assaults be just another security tool large IT shops use to counter cyber attacks? It's a controversial idea, and the law generally frowns on cyber attacks in general, but at the Black Hat DC conference last week, some speakers took up the issue of whether and how organizations should counterattack against adversaries clearly using attack tools to break into and subvert corporate data security."

9 of 142 comments (clear)

  1. Bad idea by SHP · · Score: 5, Funny

    Makes about as much sense as conducting panty raids on shoplifters.

  2. The world would be a better place... by TerranFury · · Score: 5, Insightful

    ...if we stopped calling exploitation attempts "attacks." It's trickery; it's spying; it's occasionally even -- and this is stretching the word a little -- sabotage (in the case of DoS). But "attacks?" It makes it sound like some kind of assault that one can somehow "get even" for. The metaphor is all wrong.

    1. Re:The world would be a better place... by causality · · Score: 4, Insightful

      Only if they weren't "attacks". They often include theft, including theft of money and private information. They're often expensive to repair, They often break or impedes other computer services, and the most common forms of them are for illegal activity (such as spam running DDOS attachs). Or have you failed to look at what botnets are and how they are run?

      Because such attacks far outnumer mere "exploitation attempts", and because even a mere "exploitation attempt" involves theft of computer resources or private data, yes, it's reasonable to call them "attacks".

      If you leave your car unattended and some asshat criminal steals it, would you say he attacked you, or would you say he has stolen from you?

      If you leave your ATM card in the ATM and some asshat criminal drains all the money from your account, would you say he attacked you or would you say he committed fraud and/or larceny?

      If you leave a candy bar at your desk and an asshat coworker swipes it and eats it without asking you if he may have it, would you say he attacked you or would you say he swiped your candy bar?

      If all of the above are attacks then what do you call it when one person physically assaults another person? We used to have a neat solution for the problem of making this distinction, in the form of specific words like "attack" that have a specific meaning. Sure, we can reject that and blur all distinctions so we can sensationalize and play up the hyperbole of comparing everything to violent assault, and justify it by saying "it's a LIVING language", but have you thought this through? Is using the correct word such an unreasonable burden, is supporting this kind of sensationalism so desirable, that it's worth introducing artificial ambiguity? I for one don't believe so.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  3. What are you trying to achieve? by buchner.johannes · · Score: 4, Insightful

    Is the attack scenario one bad guy?
    Then you should contact law enforcement. Also you should make sure your security set up is appropriate.

    Is the attack scenario that you are an big company and people attack you because you are known?
    Then you should make sure your security set up is appropriate. Attacking people is pointless because new ones will turn up all the time.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:What are you trying to achieve? by Pharmboy · · Score: 4, Insightful

      I think the problem is that with a cyber attack, you don't know if the computer attacking you is the actual person, a proxy, and pwned box or what. In a physical attack, yeah, I say pick up a 2x4 and pop them in the head. In a cyber attack, it is pretty easy to attack the wrong target, maybe bogging up some routers along the way causing inconvenience to innocent bystanders as well. I personally would like to see mass spammers and other cyber criminals get a firing squad on public television, as a deterrent, but not sure going vigilante is the right answer.

      --
      Tequila: It's not just for breakfast anymore!
  4. Re:Infinite loop by JonySuede · · Score: 4, Funny

    Nobody see the problem?

    If (Cyberattack){

    Cyberattack();

    }

    there was a parenthesis pair missing.

    --
    Jehovah be praised, Oracle was not selected
  5. Not sure about retaliation... by slackz · · Score: 4, Interesting

    But I am curious about about the machines that are responsible for a lot of attacks online. A year or so ago I noticed ssh brute force attempts in /var/log/secure and found a cool solution called denyhosts that parses log files, adjusts /etc/hosts.deny, and logs all activity. This got me thinking about a project... I would really like to create some NSE (nmap scripting engine) scripts, or something similar, to go through and scan the machines that show up in my log files as trying to weasel their way in via ssh or other common, filtered tools. It would be interesting to create some visual representations of services, geographical locations, and general makeup of the boxes that are attacking these services.

  6. Functionally Insane by Courageous · · Score: 5, Insightful

    The concept of revenge cyber attacks is functionally insane.

    At least at the corporate level. Consider. A competitor's network appears to be attacking yours, so you attack back and get into their networks. Only it turns out that someone hacked the competitor, and it was no fault of the competitor at all. The counter attacking corporation's employees are now guilty of a felony, and presumably were directed to do so by a senior manager. The following actions are available to your competitor:

    1. Pressing the district attorney to prosecute the employees and management
    2. Pressing the district attorney to prosecute the corporation (i.e. the corporate death penalty)
    3. Suing all the criminal employees including all executives in the chain, either authorizing parties or cognizant parties
    4. Suing the corporation

    Given the criminal act with malice of forethought, the #4 option will be of practically unlimited liability. You can expect to be charged 100% of all attorney's fees, the actual cost of their security event including cleanup and all IT labor associated therewith, and an apportionment of their ongoing security operations fees. For #3, some jurisdictions do not permit bankruptcy out of civil liabilities originating from criminal acts. No employee will be protected just because their bosses told them to do the act, as the act was a crime and is indefensible.

    So, to be blunt: "dream on".

    No sane Corporate Counsel will permit any company to do this.

    C//

  7. Re:New idea. by SuricouRaven · · Score: 4, Insightful

    The problem with conventional response is that of geography. When your opponent is some script kiddie or amateur hacker, it's all very well - you go to court, get a warrant, trace his IP through the ISP logs, and file charges. But if the attacker is an organised criminal group, the attack will be coming from a computer in Outer Elbonia, where the local police couldn't care less about your paperwork, and the ISP doesn't care that the connection is registered under a false name. There are even ISPs that specialise in hosting scams and malware - usually in Russia or somewhere similar. It can take weeks to go through legal channels, and during those weeks the attacks (Or malware host) keep on running.

    The impossibility of regulating the internet is what allows us the freedoms we at Slashdot love so much, but the price of this is that it's largely unpoliceable.