June 21, 2009
—
CSO
—
Tallinn, Estonia -- Eight months after it started spreading, the Conficker worm remains on hundreds of thousands, if not millions, of computer systems. While the furor over the worm has died down, worries over the capabilities of the sleeper botnet continue to concern cybersecurity experts.
The call to do something about the latent threat is growing louder. This week, two German researchers -- Felix Leder and Tillmann Werner, PhD students at the University of Bonn -- advocated attacking back at the botnet, before it's used for another purpose.
"Most countermeasures nowadays are reactive, you wait for an attack to happen, and then you take the countermeasure," Werner said at the Conference on Cyber Warfare, an event held by the Cooperative Cyber Defence Centre of Excellence in Tallinn. "We need something that will stop the attack in advance."
The two students are well known among security researchers. In March, they discovered a way to detect Conficker-infected machines using network scanning, a method that allowed defenders to detect and remove a large number of compromised hosts. In their latest research, Leder and Werner have focused on four sophisticated botnets -- Conficker, Waledac, Storm and Kraken -- and claim that they have learned enough about each one to successfully attack, and dismantle, the malicious networks.
"We could do disinfection like an outbreak," Leder told attendees.
The concept, which brings to mind past calls for "good worms" to combat fast-spreading infections, is resonating with cyber policy experts and military strategists, many of whom want to draft rules for the use of pre-emptive cyber attacks against potential threats -- whether it's a botnet, online criminal gang or nation-state.
Two U.S. government officials attending the Conference on Cyber Warfare argued that the United States, for one, needs to start making the hard policy decisions that would allow for offensive tactics in cyberspace. Both officials asked that their names and organizations not be used so they could talk freely.
It's logical to assume that the United States, and other countries that actively pursue cyber offense, would have capabilities at least as good as the attacks of cyber criminals, said Herbert S. Lin, study director for the National Research Council's Committee on Offensive Information Warfare.
"We seem to be developing cyber capabilities to improve our overall military posture," Lin said. "Sometimes you have to take the offense to defend."
While the policy surrounding cyber attack capabilities is still nascent, such technologies would give more choices to policymakers, Lin and others on the Committee on Offensive Information Warfare state in a report that will be published later this year by the National Academies Press.