Faced with the failure of preventive security, going on the attack is an appealing concept. But is it worth the risk? Israeli anti-spam startup Blue Security thought so. The company created a technology that let customers fire back at spammers by blasting opt-out messages to the source of unwanted email; the company maintained centralized control by researching the origin of spam. Essentially, it went on the offense in a big way by creating a botnet -- an army of computers launching denial-of-service attacks through the Internet. Its technology might have made a real dent in spam operations. Then, in mid-2006, Russian mobsters warned Blue Security to stop operations and threatened to launch their own counterattacks. In the face of ongoing attacks, CEO and founder Eran Reshef returned funds to investors and killed the company.
Blue Security faced other challenges, too. Botnet attacks harm the Internet infrastructure and could be considered illegal. Most network operators shied away, so the company was constantly looking for hosting. Still, getting threatened by the Russian mob is a whole other level of intimidation. Organized malware and spam is a big business, and the criminals aren't likely to back off in the face of anything a typical company can throw at them.
Even so, the appeal of striking back is understandable. Whether the damage is a distributed denial-of-service attack (DDoS) forcing a website off the Internet or malware stealing intellectual property, attacks hurt companies. We've spent millions on information security, and what have we to show for it? Most defenses are static, set in advance so attackers can learn to bypass them at their leisure. Most coping mechanisms are reactive. We respond only after a threat is discovered -- if it's discovered -- and probably too late.
The U.S. military has maintained for some time that it is legally justified in using military force to retaliate against a cyber attack. Presidential Policy Directive 20, signed by President Obama in October after Congress didn't pass the Cybersecurity Act, establishes standards for the federal government's response to attacks, and cybersecurity is specifically addressed in the 2013 National Defense Authorization Act. But for those of us without drones at our disposal, it's still too soon to go on the offensive. I believe the time will come that companies can do so, but for now the legal, ethical, operational and technological challenges are too daunting.
Who's The Attacker?
Even trying to figure out who's responsible for an attack against your systems is difficult. In international law, if a missile is launched from one country into another, we know the entity responsible, regardless of who actually pushed the button. On the Internet -- with millions of compromised computers belonging to botnets -- can a country, or a service provider for that matter, be held responsible for actions by systems in its jurisdiction?
A few years ago, a friend who is a U.S. federal law enforcement officer was tasked with fighting online financial fraud, specifically phishing. He soon discovered the IP address of a computer behind one attack. His team kicked in the owner's door, only to find a family completely clueless that their computer was being used in the phishing scheme. This is called the Trojan horse defense, in which the device owner claims to be unaware: "A hacker broke into my computer."
Download the Jan. 21, 2013 issue of InformationWeek