Counter Attacks

A NetworkWorld article asks: should revenge assaults become another security tool for IT to use for counter attacks?

It’s a controversial idea, and attacks of any sort are generally frowned upon by law enforcement, but at the recent Black Hat DC conference, some speakers had other ideas regarding how organizations could counterattack against adversaries that are clearly using attack tools to break in and subvert corporate data security.

I believe that the question is provocative, and far too broad.  If taken at its widest interpretation, no, I don’t think that a business should be issuing retaliatory denial of service attack streams at its customers or other businesses.  Painting with a much more narrow brush, yes, Incident Response teams should consider ways and means to capture, redirect, interfere with, and pollute suspicious data streams emanating from, or destined into, their own networks.  As long as the communication is within the bounds of the corporate network, it is subject to the policies of the corporation.

Where it gets tricky is when one talks about pursuing data that has been stolen and uploaded to a web or FTP site.  It is not uncommon for credentials and passwords to these sites to be transmitted in the clear or obfuscated within the data or data stream when contacting the Command & Control (C&C) server or storage site.  Discovering what data the attacker exfiltrated is paramount to containing the incident, reporting it, and determining whether law enforcement must be engaged.  If the decision is made to infiltrate the data store, a decision also needs to be made about the next actions to take to secure, corrupt, or even destroy the data and/or site.

Caution is called for here, as is a good long chat with Legal.  Taking ANY action outside of the network introduces significant liability, and it would be a shame for a security professional to overstep their bounds and land in front of a judge, explaining why they “hacked” a website and tampered with or destroyed important evidence.  Something to think about…