Offensive Tactics Carry Legal Liability Risks
In a column for SecurityWeek, Radware CTO Avi Chesla argues that cyber-counterattacks should be part of security strategies. A counterattack should include the following steps: detecting and blocking the initial attack, identifying the attack tool, locating weaknesses in the attack tool in real time or based on previous information, attacking those weaknesses, and slowing down or neutralizing the attack tool.

"Identification of the attack tool used as a vehicle to carry [out] the attack campaign is done through pattern-matching," he explained in the column. "There are hundreds of attack tools used in today's market, each one capable of generating different types of attacks. Each attack tool has some kind of fingerprint, invariant to the attack content itself, which can be detected through different pattern-matching algorithms."

"Attack tools that rely on the operating system TCP congestion control algorithm usually possess a weakness that a counterattack operation could exploit to exhaust the attacking machine's stack and CPU resources," he added. "The TCP congestion control and avoidance algorithms are designed to transfer larger chunks of traffic [packets] as long as no traffic congestion is identified [e.g., no packet drops, relatively short round trip time, etc.]."

But entering the world of hacking back can put organizations in a legal minefield. During his talk at Black Hat, Robert Clark, operational attorney for U.S. Cyber Command, noted that organizations could potentially violate laws such as the Computer Fraud and Abuse Act by, for example, hacking an attacker's network and deleting stolen data.

"We're looking to push the legal boundaries of what people can do," Kurtz said. "We're talking to a lot of companies who have had breaches. … They're interested in more of a counter [intelligence] approach." For example, he said, there are larger companies that have expressed interest in running operations that allow attackers to steal fake intellectual property as a way to combat espionage. "When you start to have doubt of the validity of the data, [attacking] becomes more costly," he said. "Those are the types of things that some of the bigger, more progressive companies are thinking about. It's got to be very targeted, and you've got to have the intelligence to understand what people are coming after. But they are tired of just sitting back and having this stuff stolen. And if they can do something within the legal bounds to make the adversary's life more difficult and time consuming, everything's on the table."

But that may not be a smart move, argued Pescatore. "Do you see many banks going on the offense against bank robbers? Or many retail shops going on the offense against shoplifters? No, because it would be a bad business decision," he said. "Make your bank harder to break into, your merchandise harder to steal and leave the enforcement and infiltration to the law-enforcement side."
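The identification step Chesla describes, a fingerprint "invariant to the attack content itself", is the one part of his sequence that stays on the defender's own systems. The following is an added illustration of that idea, not code from the article or from Radware: it fingerprints HTTP requests by the HTTP version, the order of the header names and whether a body is present, ignoring URLs, header values and payloads, and then matches against a signature table. The signatures, tool labels and sample requests are constructed for this example and do not describe any real tool.

```python
"""Attack-tool identification by payload-invariant HTTP fingerprints.

Added example, not code from the article or from Radware. The fingerprint
is the HTTP version, the order of the header names and whether a body is
present; header values, URLs and payloads are deliberately ignored so that
different attacks sent by the same tool map to the same fingerprint.
The signatures and sample requests below are constructed for illustration.
"""
from dataclasses import dataclass
import re
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Fingerprint:
    version: str                    # e.g. "HTTP/1.0"
    header_order: Tuple[str, ...]   # header names, lowercased, in send order
    has_body: bool


_REQUEST_LINE = re.compile(r"^(\S+) (\S+) (HTTP/\d\.\d)$")


def parse_request(raw: str) -> Fingerprint:
    """Extract the payload-invariant features of one raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not _REQUEST_LINE.match(lines[0]):
        raise ValueError("malformed request line: %r" % lines[0])
    version = lines[0].rsplit(" ", 1)[1]
    names = []
    for line in lines[1:]:
        name, sep, _value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        names.append(name.strip().lower())
    return Fingerprint(version, tuple(names), bool(body))


# Constructed signature table; the tool labels are hypothetical.
SIGNATURES: Dict[Fingerprint, str] = {
    Fingerprint("HTTP/1.0", ("host", "user-agent", "accept"), False): "flood-tool-A",
    Fingerprint("HTTP/1.1", ("user-agent", "host", "content-length", "content-type"), True): "injector-tool-B",
}


def match_signature(fp: Fingerprint, threshold: float = 0.75) -> Tuple[str, float]:
    """Return (tool label, confidence).

    An exact fingerprint match scores 1.0. Otherwise the best Jaccard overlap
    of header names among signatures with the same HTTP version and body
    presence is used, so a tool that adds or drops one header still matches.
    """
    if fp in SIGNATURES:
        return SIGNATURES[fp], 1.0
    best, best_score = "unknown", 0.0
    names = set(fp.header_order)
    for sig, label in SIGNATURES.items():
        if sig.version != fp.version or sig.has_body != fp.has_body:
            continue
        sig_names = set(sig.header_order)
        score = len(names & sig_names) / len(names | sig_names)
        if score > best_score:
            best, best_score = label, score
    if best_score >= threshold:
        return best, best_score
    return "unknown", best_score


def identify_tool(raw: str) -> str:
    return match_signature(parse_request(raw))[0]


def classify_batch(requests: List[str]) -> Dict[str, int]:
    """Count requests per identified tool, e.g. to decide what to block."""
    counts: Dict[str, int] = {}
    for raw in requests:
        label = identify_tool(raw)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample traffic: three requests from "tool A" with different
# URLs, User-Agent values and one extra header, one from "tool B" carrying
# an injection payload, and a browser-like request that matches nothing.
REQ_A1 = ("GET /index.php?id=1 HTTP/1.0\r\nHost: victim.example\r\n"
          "User-Agent: Mozilla/4.0\r\nAccept: */*\r\n\r\n")
REQ_A2 = ("GET /login HTTP/1.0\r\nHost: victim.example\r\n"
          "User-Agent: Mozilla/5.0 (compatible)\r\nAccept: text/html\r\n\r\n")
REQ_A3 = ("GET /x HTTP/1.0\r\nHost: victim.example\r\nUser-Agent: Mozilla/4.0\r\n"
          "Accept: */*\r\nConnection: close\r\n\r\n")
REQ_B = ("POST /search HTTP/1.1\r\nUser-Agent: curl/7.0\r\nHost: victim.example\r\n"
         "Content-Length: 11\r\nContent-Type: application/x-www-form-urlencoded\r\n"
         "\r\nq=1' OR 1=1")
REQ_BROWSER = ("GET / HTTP/1.1\r\nHost: victim.example\r\nConnection: keep-alive\r\n"
               "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n")

if __name__ == "__main__":
    for raw in (REQ_A1, REQ_A2, REQ_A3, REQ_B, REQ_BROWSER):
        print(match_signature(parse_request(raw)), parse_request(raw))
    print(classify_batch([REQ_A1, REQ_A2, REQ_A3, REQ_B, REQ_BROWSER]))
```

The point of the example is that the three "tool A" requests carry different URLs and User-Agent values yet resolve to the same label, while the browser-like request does not match at all; a defender can then rate-limit or block on the fingerprint rather than on any one payload. Two caveats: header-order fingerprints are cheap for a tool author to change, so a signature table like this decays and needs the same maintenance as any IDS rule set, and everything here runs on the defender's side of the connection, which is where the legal exposure the rest of the article discusses begins rather than ends.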