For a fee, one organization will provide a system that detects hackers and can hit back at them with its own arsenal of attacks. But this isn't some anonymous group on an underground crime forum. Instead, Pervade Software, a legitimate, public-facing information security business based in Cardiff, Wales, sells a platform designed for private companies to retaliate against hackers with DDoS and other digital attacks.
The company's products are a sign of an industry grappling with the idea of 'hacking back', where victims of cyberattacks strike back, and they come as the US considers legislation that would make such counter-attacks legal for US companies.
"We cannot continue to simply sit there on the ropes and be battered," John Davies, managing director of Pervade, told Motherboard in a phone interview.
Pervade offers a selection of more traditional defensive products, such as OpView for keeping tabs on a client's network. But the company's OpIndex dark web monitoring tool also includes "offensive cyber capabilities," according to a company brochure.
The system allows a user to report a particular IP address, according to a source who received a demo of Pervade's products. If the internet service provider or server host doesn't take any action, the user can then click an "Attack" button, and select various options from a drop-down menu.
By viewing the source code on Pervade's password-protected demo website, it's possible to see the various attack options apparently available to a user. A section of the code mentions different types of DDoS attacks, which flood a target with traffic or requests until it grinds to a halt, and SQL injection (SQLi). SQLi is an old but still sometimes effective attack that can let hackers steal site databases or gather information about a target. Both the DDoS and SQLi options can be used against targets on either the dark web or the normal web, according to the demo code.
The attack panel also includes "Aggression" and "Scale" options, each ranging from 1 to 10. And although it would not necessarily be considered a form of attack, code in the demo lays out options for conducting port and vulnerability scans of a target, meaning users may be able to detect security issues with a server that they could then exploit. Or, as Davies suggested, carrying out a more aggressive scan may be enough to get an attacker to back off and remove a company's server from a list of targets.
"It's simply a toolset," Davies said, adding that Pervade does not provide any servers for actually carrying out an attack. Instead, the software is more of a platform where clients could incorporate an aggressive response if they wanted to.
"The point of using our software is to automate responses," Davies said. "We sell knives. If you use it to cut a chicken, that's up to you. If you use it for something else, that's also up to you."
Although it is unclear how any of the company's customers have actually used these sorts of attacks, Pervade has clients in the gaming, health, and hedge-fund sectors, Davies said.
"Yes they're using it, but I don't have details of how they're using it," he added, talking about Pervade's customers more generally.
Under US law, it would likely be illegal for a private company to use Pervade's products or similar ones to launch counter-attacks. The same goes for the UK: a counter-attack, such as a DDoS, would probably be breaking the law.
"That doesn't mean it's illegal elsewhere," Davies said, pointing to South America and Iceland in particular. "For an international software company, game on," he added.
Hacking back is something of an open secret in the information security world. In 2014, Bloomberg reported that the FBI probed whether US financial institutions disabled servers used by Iran to attack company websites. Soon, the practice might become legal. In March, a Republican congressman proposed a "cyber self defense" bill which would allow companies to strike back, something which senior law enforcement officials have urged against. Former FBI Director James Comey said private companies getting into this space could disrupt criminal investigations and create confusion.
That probably won't stop some cyberattack victims though.
"Hopefully there will be a little bit of freedom, particularly for companies that really need it: critical national infrastructure, financial institutions, large scale data processors," Davies said.
"This isn't going away," he added.