Small businesses should consider the possibility of developing well-formulated plans for "hacking back" at aggressors in the event of a hack attack. Presenting an "active defence" would not be a form of vigilantism and could even work within the law, argued two speakers at a presentation at the RSA Europe conference. Companies …
"not be a form of vigilantism"
Written as if that were a bad thing. Definitely better than to assume the party escort submission position and wait for the guys in blue.
And I cite Wendy McElroy:
"Officials in the UK, as everywhere, pronounce the word vigilante with intonations of horror and disgust. To them, a vigilante represents 'society gone askew' every bit as much as the looter who smashes open windows, because both men constitute a basic denial of the officials' authority. No wonder the police are eager to portray those who protect their own persons and property as 'lynch mobs' or otherwise threats to civil society. If a trend toward self-defense were encouraged, after all, then the police might be out of a job; the authorities might be out of power. And so, vigilante is a good word that has 'gone bad,' largely because the authorities fear its virtues."
Re: "not be a form of vigilantism"
If people, by taking the law into their own hands, put the proper authorities out of a job, then who is going to come to our rescue when -- as history shows always happens -- the vigilante mob turn bad?
Due Process. You won't notice till it isn't there.
Here in reality, very few small businesses can afford to consult their lawyers on this type of legal advice (if the lawyer is straight with them, the answer would be: do not even think about it).
How many small businesses actually have the level of knowledge and experience to just be able to track an attack?
Infiltrating a botnet, then throwing a spanner in the works - without being accused of being the bad guy. Where's my bag of pixie dust, must have left it in the saddle bag on my unicorn.
Re: Nice idea...
Well, I would agree, this is not for small businesses, and hopefully most small businesses are not persistently attacked by the same hackers. Most small businesses could easily deal with this problem by increasing the quality of their security. This is focused on large businesses that are persistently attacked for their IP, trade secrets, client data, or to disrupt their operations. It would be a judgment call by the company leadership as to how much they are willing to do and spend in order to protect their valuable assets.
An active defence for SMB
That would be firing sales bunnies and managers who copy large chunks of company data onto USB sticks. Because they get away with bullying the IT Dept into not stopping them. The problem is power, not IT.
Theory vs practice
Intrusion can happen any which way, otherwise you will get false positives with "ultra paranoid mode", yet business managers will never understand technology... or the full extent of the threats their choices expose company data to... that's until something goes wrong!!
Tracking botnets back, using honeypots (wasn't that what the DMZ was made for?) unless we're talking network sniffing with an isolated machine, some variants do not show up if it's modified netstat functions and may even hide itself when using sniffing from the 'infected machine' (Now you'd need to know the difference between a gateway, a router, a switch and a hub and remove the network connection so it repeatedly tries to connect and the pattern will soon seem clear when the machine is sluggishly slow!)
IT managers need training, but never receive it, but yes, it's a good idea on 'proactive network perimeter defence' (after a botnet infection has taken place?) Perhaps train them to ASM level, including polymorphism and hex forensics of disk drives... They still wouldn't know what they're looking for unless they're specialised in security/forensics/programming!
And lastly, legally, throwing spanners into the works may interfere with any current police investigations, which may actually cause a further offence under the communications and misuse of computers legislation... Not to mention the umbrella offence you would be committing... perverting the course of justice. And no doubt giving the police techies a headache trying to establish who's who!
A better idea is designing the network from the ground up so it's as secure as it can be... by design, with virtual 'guard huts' running an IDS.
Too expensive to attack?
Sorry, I fail to see where money is used if you have the brains and ethics and compilers/packagers to misuse computers/communication networks for purposes usually to extort money? Usually I would imagine it wouldn't be from their bank accounts? Again, the idea behind Anonymous?
Network devices can be just as vulnerable *cough* UPnP/Samba/LSASS daemons *cough*, if not more vulnerable, as many aren't AV-monitored / IDS scanning themselves and the techies don't have enough resources/experience to implement such.
There's only so many hours in the day because a lot don't do round the clock (most NOCs/NICs do), but there's limits to how much they can do as well!
Tell me more about how you intend to "hack back" at someone using a chain of compromised and/or anonymously purchased servers.
Only children attack from their home line, and you'd be better just to give their details to LEO so they can get a slap on the wrist, as opposed to embittering/angering them.
Be passive and just lace or poison your own systems so that intruders who go treasure hunting get a fatal nasal explosion.
So long as the poison is not pumped out, it should be seen as akin to keeping unlabelled bottles of potent shit in the garage, but no HazMat or environmental controls are required. Might even be prudent to give the AINP (anti intrusion nasal poppers) some seductive names. A fucking intruder is a fucking intruder. And, carefully configured, the setup would be less than comparable to a booby-trapped window, front door, or toilet.
Doesn't matter whether the intruder is a script kiddie, hacker, cracker, mafia, terrorist, military, government, or ET?
Any form of retaliation is probably going to be illegal in most countries, and rightly so.
Even if it were legal, you would have to be sure that you've correctly identified the source of the attack, that your retaliation is proportionate, and that you cause no collateral damage to the innocent systems and users that just happen to be in the way.
And of course, you have to be sure that you're not going to be attacking the local cybercops/security services. You never know, do you?