Should revenge assaults be just another security tool large IT shops use to counter cyber attacks?
It's a controversial idea, and the law generally frowns on cyber attacks in general, but at the Black Hat DC conference last week, some speakers took up the issue of whether and how organizations should counterattack against adversaries clearly using attack tools to break into and subvert corporate data security.
One idea that got plenty of attention here was the notion of exploiting vulnerabilities in attack tools and botnets to try to determine what the attacker was going after or feed fake data, or even dive into the attacker's network lair.
If it turns out an attacker has taken control of a corporate machine, it's logical that you'd want to "counter-strike" to find out what the attacker is up to, perhaps by finding a hole in the attack tool being used and planting a backdoor of your own to watch the attacker, said Laurent Oudot, founder and CEO of TEHTRI-Security, a French-based ethical-hacking and vulnerability research firm, who spoke at Black Hat.
"We want to strike back. We want to exploit his network," said Oudot. You want statistics and logs related to the attacker, and it might be the idea of attacking ZeuS or SpyEye or even a state-sponsored attacker. It's not so complex to find zero-day vulnerabilities that would allow subversion of attack tools, noted Oudot, whose firm has experience in identifying vulnerabilities, including several related to mobile devices. He suggested it would be fairly simple to strike back against exploit packs such as Eleonore, or feed fake information into attacker's hands. "You can strike back," Oudot said. "Your enemies are not ethical hackers."
Matthew Weeks, a security researcher who recently joined the Air Force, also spoke on the question of counterattacks against hackers clearly using attack tools to break into networks, acknowledges the law would probably regard most counterstrike ideas as illegal.
But as a contributor to the open-source version of Metasploit, a tool that can be used for either good or evil to test and explore network vulnerabilities, Weeks says tools such as this have their own vulnerabilities much like any type of software will, and attackers may not pay attention to patching their own attack tools.
At the conference he went into depth on some vulnerabilities in open-source Metasploit. And he says other tools, such as Nessus or the Wireshark protocol analyzer, which can also be used for attack purposes, have also had vulnerabilities.