The surging number of cyber attacks against companies, and their costly consequences, is pushing companies to the edge. Defensive measures can go only so far in terms of effectiveness, and that assumes they are fully deployed, which is also far from the common case. Companies are too slow to react to this new threat, which is caused by a fast-paced acceleration in the level of sophistication of attackers. Today companies are in a position of weakness. From a CEO’s perspective, the options available to mitigate this threat are running out, especially considering the addition of state-sponsored attacks to the game, the unclear role of the government and its inability to intervene effectively.
So what can companies do? Attack back.
Attacking the attackers was, and still is, an option that has always remained in people’s hearts, perhaps spoken of only very quietly, for the very simple reason of legality. Unlike self-defence in the real world, which may allow you to use violence in order to stop an offender, in the cyber world you can only defend yourself passively and wait for law enforcement to come to the rescue.
What does attacking back actually mean? Many times you don’t know where the attack came from or who is behind it, so whom do you attack? It depends on the type of attack and the events that follow it. In many cases, there is a good chance a counter attack can help minimize the damage or maybe eliminate it. In the Sony case, there was later a counter attack (allegedly) by Sony (allegedly), trying to disrupt the download of the stolen files. From an offensive point of view, the low number of servers serving the stolen files is a weakness, and it is possible to try to stop them. This does not always hold: if the files reside in another big company’s data center, then stopping the download can be impossible, and it is definitely problematic in terms of getting into a fight with another company. So in order to have an effective counter attack, you need to find a weakness. And many times it is not difficult. For example, in a phishing attack the weakness is the servers that hold the pages of the impersonating web site – taking them down should not be a problem. Another example of attacking back is responding to a DDoS or a spam attack with a counter DDoS or an ultra spam attack. With DDoS, which is a distributed denial of service attack, it can be a bit more problematic since it is distributed by nature and runs on many servers, though I can easily imagine a cloud-based elastic service which responds effectively. The same goes for spam: why can’t someone send 100 emails back for each one received – let’s see them handle the volume of incoming mail. Symantec had a very nice write-up on counter attacks from a technical perspective; although it is from 2006, 8 years ago, it is still valid on many points.
The benefits of attacking back are three:
- Prevention – To stop an ongoing attack, where leaking the stolen data is, from my point of view, just another lateral step in the same attack. As a side note, everyone says the attack on Sony has ended (not everyone), but as long as files are still being leaked, it is still going on from my point of view. The bad guys have not been stopped yet. In terms of prevention, delaying an attack using counter strikes can also be valuable.
- Remedy – In cases where the stolen data can be identified as being located in a certain place, attacking back to retrieve it or just delete it is definitely an option.
- Revenge – The sweet taste of revenge, although it doesn’t sound very business savvy, is something that exists because we are all human.
Waiting for government help can take a long time, and this raises the question of what is moral to do in between, when you are at high risk with no protection, no one can help you and you can’t respond.
Government & the private sector
The problem with governmental intervention has several aspects (just to be clear, it is not that they don’t do anything; on the contrary, they do a lot, but it is just far from being enough):
- The government may have more tools and better access to interesting data, but it is still very limited: it gets into the picture very late and doesn’t know the internals of each company’s IT, so it has a steep learning curve and a very short time to respond.
- Regulation is being discussed, and regulation of required security measures can be effective, but only to some extent. Many times the problem with security in organizations is not whether they have the best tools or not; most of the holes are created by human error, lack of knowledge and lack of enforcement. It will take a really long time until regulation can have some real impact on how companies protect themselves.
- Integration – In order to react effectively to an attack, you need to respond as close to real-time as possible, when the damage is lower and the chances of finding traces are higher. The only party which can respond at such speed is the organization itself, which controls and knows its IT. The government is not integrated into companies’ IT, and as such it can’t be aware of attacks and respond to them as effectively as required. Needless to say, enterprises are very diverse in their IT architectures, so even assessing the target’s security capabilities and weaknesses will take the government a long time. Another problem with integration is that it raises the issue of privacy, which is a separate matter but is tightly connected to the topic of governments being connected to companies’ IT.
- Reach – The government has limited reach to attackers not residing in the US, naturally, like any other country. Of course, the US has much more control over the internet infrastructure, but it is still far from full control.
- Attribution – Due to the latency of the investigation, attributing the attack to someone is difficult for everyone, including the government. In the future, I will write a standalone post about attribution, which is a fascinating topic and is very challenging in the world of cyber crime.
There is another point to consider with regard to government and enterprises, and that is the idea of the enterprise accessing the government’s intelligence systems. The enterprise is naturally limited in its view of the attack sources, and maybe the solution is to allow the security team of the enterprise to extend its view with the data available from the government. Of course, this requires deep thinking about isolation and privacy, but it is still an option which can be a basis for devising a prompt response.
Of course, as with any other unsolved problem, there are those who try to make money out of it. There are several companies or entities offering attack-back services, though due to legality issues they don’t stay public for too long. I am pretty sure there are quite a few services like that which are off the radar. I tried to look for some open source counter attack projects but could not find any and, to be honest, it is surprising there are none.
To summarize, it is a complicated matter and a lot is going on behind the scenes, so we are far from knowing the full dynamics. But it is definitely something to contemplate.
A small disclaimer: this post does not aim to suggest that people attack back; it is just meant to raise awareness of different aspects of cyber warfare.