Friday, December 7, 2012

Counter CyberCrime - Do not challenge the hackers

I'm pretty sure many organisations have faced cyber-attacks before. Some organisations might think of getting "revenge" on the attacker. It could be a good idea, but it could also be a totally bad idea, depending on how you do it.

This is a story about why it's a bad idea if you do it this way...

A few months ago, in that XYZ company...

Business Owner guy: How come my users can't access this application at all? I have got emails, phone calls from everywhere, complaining!

IT Supplier chap: Mr. Business Owner sir, our Network Operation Center (NOC) just confirmed that the application is currently under DDoS attack. Our ISP and NOC are trying their best to mitigate the attack.

Business Owner guy: What? How dare they attack us. Do we have any information on who is doing this to us? Can we track them?

Information Security lad: Not easy to trace, as most certainly those machines or IP addresses that we have seen attacking us are zombies or compromised machines that are part of a botnet. I'm afraid the real attacker is a few more layers behind those compromised machines.

IT Supplier chap: We do have a solution to mitigate this attack. There is this Company P that provides protection against DDoS. It would cost us 10K EUR to use their service. From what we are seeing now, the attacks are not going to stop anytime soon and it will only get worse. Hence, it is just a matter of time before our whole network is completely brought down by it. We should engage this DDoS protection service immediately.

Business Owner guy: Ok. Let's do it. You have my approval to proceed.

2 hours later, after the solution has been implemented...

IT Supplier chap: Good news folks. The attacks have subsided. It was the right call to engage that company.

Business Owner guy: Great! But I'm still not very happy. I want whoever is behind this attack punished. I want them to know that they are messing with the wrong guy. I have contacted my friend in law enforcement and opened an official case. Not only that, I will call a press conference to tell whoever is behind this that we are coming after them and that they are messing with the wrong people.

Information Security lad: Mr. Business Owner, hold on a second there, sir. I agree on opening an official case with law enforcement. But the press conference is a bad idea. The last thing we want is for the attacker to think that we are challenging them. I'm afraid it will have a reverse effect. A bad one. We don't want to be seen as provoking them.

Business Owner guy: Let them come. I'm not afraid, we are now protected by Company P. So we would be safe even if they launch another attack.

Information Security lad: Still a bad idea, sir! We shouldn't throw down a challenge or invite attacks. I have been in this information security field long enough to know challenging the hackers is a very bad bad bad idea!

Business Owner guy: <* cowards! *> I have made up my mind. I have instructed my PR Manager to send the press release to The Storybrooke Post.

3 days later...

IT Supplier chap: Mr. Business Owner, we are under DDoS attack again...

Business Owner guy: We have nothing to be afraid of, right? We have got Company P watching our back.

IT Supplier chap: Yes and no, sir. Company P only protects one of the sites. The current attacks are targeting another 10 websites of ours. Our whole network is paralyzed now. Nothing can come in, nothing can go out...

Business Owner guy: <* starts panicking *> What are you waiting for? Get Company P to protect all these 10 websites as well!

IT Supplier chap: We could do that, sir... but it would cost us 200K EUR for the new 10 websites.

Business Owner guy: What??? Last time they only charged us 10K per site. How come it's double the amount now?

IT Supplier chap: Well, according to them, the DDoS traffic is much bigger this time. They have to pull in more resources and hardware to cope with it. Hence, it costs more... but I think they are just taking advantage of our situation to blackmail us. They know we don't really have a choice. Do we, sir?

Information Security lad: <* I told you so, don't go and provoke the hackers! *> Mr. Business Owner, I don't think you have another choice here. Our customer would not tolerate any more downtime...

Business Owner guy: ... Ok. Go ahead and do it. Charge it to my cost center... <* damn, there go all my cost savings and my bonus *>

Moral of the story?
1. Engaging law enforcement to fight cybercrime is a good idea and the right move, but making a big brouhaha out of it is a bad idea. Do not ever provoke or challenge the hackers. There are too many out there ready to accept any challenge.

Ain't security fun? ;)
