How do you stop a leaderless group of faceless individuals without geographic borders from attacking your systems?
This is the question being asked by many cybersecurity professionals and government agencies. There have been multiple attempts by law enforcement to put a stop to hacktivism, but none have completely succeeded.
My answer to the question: It's not possible. They can't be stopped, they can only be contained, and they know it. So now what?
It's hard to protect yourself from an attack that might materialize in a few hours and without warning. The majority of these attacks are normally politically motivated after something in the news surfaces against the hackers' ideologies.
Whether it's attacking Visa for dropping payment processing for WikiLeaks, DDoS attacks against the former Egyptian regime during last January's internet blackout, or the PlayStation Network hack after Sony attempted to sue George Hotz, a known hacker, these attacks are all politically motivated and are directed against whatever offends the beliefs of transparency and openness that most of these groups defend. But how is a company or government supposed to stop these attacks from happening?
As I said before, I don't think you can stop it. Arresting group members, which the FBI and other agencies are doing now, is only a Band-Aid.
It doesn't solve the problem and could potentially provoke revenge attacks and copycat groups. It's also very hard for Twitter and other sites to remove their feeds because of free-speech protections. Even if the feeds were disabled, they'd host their sites or updates in a country whose laws protect them.
Whether you like them or not, hacktivists are to be respected, and their threats should not be taken lightly.
Let me also say that I don't condone their illegal activity. I wish they would work toward another way of achieving their goals, but if they firmly believe that what they're doing is for the good, then we as security professionals have more in common with them than you might think.
We both want to see the internet secured and believe in the rights of other individuals, but we go about it in different ways. That's the fundamental difference.
Let me also clear up another thing: Hacktivism is not cyberwar. These two words get thrown around a lot today, but they are not interchangeable. Hacktivists are trying to prove their point and are looking to use the internet to do so. They're not engaging in warfare. Even if they're using DDoS attacks against government agencies, this is not war, and should not be considered an act of war.
Let's leave cyberwar to the nation-states, OK?
So what can we do to contain hacktivism? Should we shrug these groups off as a fad, fear them, or prepare ourselves as best we can? There are a few things I think we can do to protect ourselves from these types of attacks, and steps to take if we become a target.
The first way to protect yourself from hacktivism, or any other attack for that matter, is deploying a defense-in-depth architecture. Creating an environment that doesn't rely on a single form of protection and allows for multiple layers of security against your data is key to stopping many attacks deployed by hacktivists.
If we look at what LulzSec did, we'll notice that they mainly used SQL injection to siphon out the majority of their stolen data. This vulnerability is widely known and can be easily fixed with the proper technology and coding, chiefly parameterized queries and input validation. Knowing your infrastructure, testing its security, and creating a layered defense will go a long way toward not becoming a random victim.
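The SQL injection fix referred to above, shown as an added illustration that is not part of the original column: a lookup that splices user input into the statement, the same lookup with a bound parameter, and an allow-list check layered in front of it. The users table, its rows and the sample inputs are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: an in-memory table with three made-up accounts.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # String concatenation: the caller's text becomes part of the SQL itself,
    # so a quote in the input changes the meaning of the WHERE clause.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # Parameterized query: the driver binds the value separately from the
    # statement text, so the input is always compared as a plain string.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Second layer: only accept usernames in the shape the application defines.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def lookup_layered(conn, username):
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allow-list")
    return lookup_safe(conn, username)

def demo():
    # Returns row counts so the difference between the versions is visible.
    conn = build_db()
    normal = "alice"
    crafted = "x' OR '1'='1"   # constructed input containing a quote
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_crafted": len(lookup_safe(conn, crafted)),
    }

if __name__ == "__main__":
    print(demo())
```

The concatenated version returns every row for the crafted input, the parameterized version returns none, and the layered version refuses the input before it ever reaches the database.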
Security awareness is another layer in your defense. Since we've seen hacktivists use phishing e-mails to gain entry to networks, we need to educate our users on security issues and train them to help protect the company.
Another means to protect yourself is to keep updated on what these groups are doing. The majority of them have Twitter feeds and websites that are open to the public. If we're concerned about what they're doing, we should be following these feeds and keeping an eye on their activity.
As I mentioned earlier, these groups are not to be taken lightly and have earned our respect, whether we like it or not. So if hacktivists are attacking a particular type of organization in the same sector as your company, you should learn from how those targets responded and review any plans of your own that might trigger an attack toward your organization.
We're not to run and hide from hacktivists, but using caution in any situation is always advisable. We never want to call down the thunder unnecessarily.
Lastly, if you're targeted by hacktivists, the best thing to do is keep quiet. Don't go public about the attacks while they're occurring, and especially don't be goaded into dialogue with the hacktivists.
This will cause a feeding frenzy and potentially draw other hacktivists into the attacks. Think Sony here. Bringing in law enforcement, if needed, and speaking with your security teams and service providers to help with protection would be the wisest courses of action. Companies don't want to start a war of words with hacktivists and be made to look even more foolish in the public eye.
Learning to hold one's electronic tongue can go a long way.
So with all this being said, hacktivism is here to stay. It was always here, but during the past year it's been elevated to the limelight through high-profile hacks, volunteer-based DDoS botnets, and hacker groups publicly announcing intrusions and then releasing the data they've pilfered. Even with all the hacker arrests, site shutdowns, and account locks, I don't think this is going to stop hacktivism.
Despite our evolving cyber laws and enforcement, hacktivists are always going to push the boundaries of the law, and we, as security professionals, need to position ourselves and the organizations we represent in the safest light possible.
Hacktivists must be respected, but they shouldn't be completely feared.