Is Retaliation the Answer To Cyber Attacks? 142
coondoggie writes "Should revenge assaults be just another security tool large IT shops use to counter cyber attacks? It's a controversial idea, and the law generally frowns on cyber attacks in general, but at the Black Hat DC conference last week, some speakers took up the issue of whether and how organizations should counterattack against adversaries clearly using attack tools to break into and subvert corporate data security."
New idea. (Score:3, Insightful)
The world would be a better place... (Score:5, Insightful)
...if we stopped calling exploitation attempts "attacks." It's trickery; it's spying; it's occasionally even -- and this is stretching the word a little -- sabotage (in the case of DoS). But "attacks?" It makes it sound like some kind of assault that one can somehow "get even" for. The metaphor is all wrong.
What are you trying to achieve? (Score:5, Insightful)
Is the attack scenario one bad guy?
Then you should contact law enforcement. Also you should make sure your security set up is appropriate.
Is the attack scenario that you are an big company and people attack you because you are known?
Then you should make sure your security set up is appropriate. Attacking people is pointless because new ones will turn up all the time.
Infinite loop (Score:2, Insightful)
If (Cyberattack){
Cyberattack;
}
Nobody see the problem?
Re:The world would be a better place... (Score:4, Insightful)
Only if they weren't "attacks". They often include theft, including theft of money and private information. They're often expensive to repair, They often break or impedes other computer services, and the most common forms of them are for illegal activity (such as spam running DDOS attachs). Or have you failed to look at what botnets are and how they are run?
Because such attacks far outnumer mere "exploitation attempts", and because even a mere "exploitation attempt" involves theft of computer resources or private data, yes, it's reasonable to call them "attacks".
Re:What are you trying to achieve? (Score:4, Insightful)
The question is more are you actually going to retaliate against the attacker or is it like "Let's send some rockets back into that city, because that's where they came from." Anyone launching an attack directly from their own computer is a total amateur, chances are great it'll be some unsuspecting third party's machines and networks that'll be your battle ground. And I very much doubt they care who started it, they're likely to go after everyone that's been hacking their systems when they first find out. If I go on vacation and find two gangs have trashed my apartment I'm not really going to care who started it.
Re:New idea. (Score:3, Insightful)
Depending on the nature of the attack, it might be easy to spoof. If A wants to attack C then all they need to do is attack B pretending the attack is coming from C, then sit back and enjoy the show :)
Functionally Insane (Score:5, Insightful)
The concept of revenge cyber attacks is functionally insane.
At least at the corporate level. Consider. A competitor's network appears to be attacking yours, so you attack back and get into their networks. Only it turns out that someone hacked the competitor, and it was no fault of the competitor at all. The counter attacking corporation's employees are now guilty of a felony, and presumably were directed to do so by a senior manager. The following actions are available to your competitor:
1. Pressing the district attorney to prosecute the employees and management
2. Pressing the district attorney to prosecute the corporation (i.e. the corporate death penalty)
3. Suing all the criminal employees including all executives in the chain, either authorizing parties or cognizant parties
4. Suing the corporation
Given the criminal act with malice of forethought, the #4 option will be of practically unlimited liability. You can expect to be charged 100% of all attorney's fees, the actual cost of their security event including cleanup and all IT labor associated therewith, and an apportionment of their ongoing security operations fees. For #3, some jurisdictions do not permit bankruptcy out of civil liabilities originating from criminal acts. No employee will be protected just because their bosses told them to do the act, as the act was a crime and is indefensible.
So, to be blunt: "dream on".
No sane Corporate Counsel will permit any company to do this.
C//
Re:What are you trying to achieve? (Score:5, Insightful)
I think the problem is that with a cyber attack, you don't know if the computer attacking you is the actual person, a proxy, and pwned box or what. In a physical attack, yeah, I say pick up a 2x4 and pop them in the head. In a cyber attack, it is pretty easy to attack the wrong target, maybe bogging up some routers along the way causing inconvenience to innocent bystanders as well. I personally would like to see mass spammers and other cyber criminals get a firing squad on public television, as a deterrent, but not sure going vigilante is the right answer.
Re:The world would be a better place... (Score:4, Insightful)
...if we stopped calling exploitation attempts "attacks." It's trickery; it's spying; it's occasionally even -- and this is stretching the word a little -- sabotage (in the case of DoS). But "attacks?" It makes it sound like some kind of assault that one can somehow "get even" for. The metaphor is all wrong.
I disagree. The use of the word "attack" is perfectly suited. Espionage involves attacks. Politics involves attacks. You can attack a problem, attack a mountain (climbing in mind but that could imply more than one form of 'attack'), attack a movie you found worthy of strong criticism, or attack an idea. An attack is nothing more than an aggressive action who's implication is highly dependent on the situation and context of the use of the word.
The base problem is looking at this as warfare. In the context of war, an attack has very specific connotations. That form of attack and the concept of war lead us in to the wrong mind-set for the reality of the situation. This is where trickery, spying, and sabotage comes in. This is simply a new set of tools for espionage. And while this does open a new way of looking at things beyond the old Cold War era, namely actors that may not be directly associated with a State, a lot of the traditional concepts and general nature of the behavior apply well to the exploitation of this new environment and tool sets.
Re:New idea. (Score:5, Insightful)
The impossibility of regulating the internet is what allows us the freedoms we at Slashdot love so much, but the price of this is that it's largely unpoliceable.
Re:The world would be a better place... (Score:5, Insightful)
Only if they weren't "attacks". They often include theft, including theft of money and private information. They're often expensive to repair, They often break or impedes other computer services, and the most common forms of them are for illegal activity (such as spam running DDOS attachs). Or have you failed to look at what botnets are and how they are run?
Because such attacks far outnumer mere "exploitation attempts", and because even a mere "exploitation attempt" involves theft of computer resources or private data, yes, it's reasonable to call them "attacks".
If you leave your car unattended and some asshat criminal steals it, would you say he attacked you, or would you say he has stolen from you?
If you leave your ATM card in the ATM and some asshat criminal drains all the money from your account, would you say he attacked you or would you say he committed fraud and/or larceny?
If you leave a candy bar at your desk and an asshat coworker swipes it and eats it without asking you if he may have it, would you say he attacked you or would you say he swiped your candy bar?
If all of the above are attacks then what do you call it when one person physically assaults another person? We used to have a neat solution for the problem of making this distinction, in the form of specific words like "attack" that have a specific meaning. Sure, we can reject that and blur all distinctions so we can sensationalize and play up the hyperbole of comparing everything to violent assault, and justify it by saying "it's a LIVING language", but have you thought this through? Is using the correct word such an unreasonable burden, is supporting this kind of sensationalism so desirable, that it's worth introducing artificial ambiguity? I for one don't believe so.