The politics of DDoS response

Reports of a 'hack back' DDoS attack by Sony stirred up acceptable use questions.

Distributed denial-of-service attacks are generally designed to prevent legitimate users from accessing a Web site or service. Advanced DDoS attackers are increasingly using a customized mix of techniques to attack targeted victims in ways all too similar to advanced persistent threats, says John Pescatore, director of emerging trends at the SANS Institute. He looks at the current denial-of-service landscape and associated costs in his article "DDoS defense planning falls short."

But what would happen if the tables were turned?

In early December, reports of a "hack back" DDoS attack by Sony stirred up acceptable use questions. Two unnamed sources told Re/Code that Sony was using hundreds of computers in Asia to launch DDoS attacks against sites that had posted stolen data from a breach at Sony Pictures Entertainment in an attempt to block access to intellectual property (movies) and other sensitive data. Security analysts without direct knowledge of the DDoS attacks pointed to torrent poisoning, which soon followed, as the more likely scenario. DDoS is illegal and against most Internet service providers' acceptable use policies, which would prohibit companies like Sony from using these tactics, they argued. But are people who are accessing stolen property and data legitimate users of websites?

Sony's ongoing security woes -- the PlayStation Network was DDoSed on December 25 and slow to come back online -- have unleashed a hornet's nest of security concerns and hotly debated issues: How far should companies be allowed to go to protect their intellectual property and employee data against further exposure after a hacking incident and extortion that resulted in a seismic data breach?

These questions are focusing more attention on data-driven security projects in 2015. In the January/February issue of Information Security magazine, authors Adam Rice and James Ringold outline the promise of using data security analytics to track the APT lifecycle in their article, "Man versus machine data." The hard issues around intellectual property protection and the steps enterprises and vendors are taking to address them are covered in my article, "Heat from the Breach."

The heightened attention on information security going forward will bring new opportunities for security professionals. But as most IT security managers know all too well, once intellectual property and PII are in the wild, all bets are off.

About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.

This was last published in January 2015
