When WannaCry struck, companies across the globe feared they would be next until an unsuspecting hero emerged, sink-holing the worm with a kill switch. Since then, security defenders across all sectors have been trying to devise their own kill switch, acutely aware of the negative consequences that could come with activating the mechanism.
The term “kill switch” generally refers to a way to disconnect specific networks from the internet in the event of a serious attack, and traditionally it has only been employed in emergency situations. They often are discovered by researchers after an attack has been detected, but they also can be built-in mechanisms.
In the context of cyberthreats, though, “a kill switch relates to stopping the attack itself, as opposed to just preventing its effects while the attack is still ongoing, which many defenses focus on,” said Sean Newman, director of product management at Corero Network Security.
How Does the Kill Switch Work?
Depending on whether the kill switch is built into the malware or discovered by the target, the way it works will differ. Those built-in by the malware authors are there so attackers could shut down operations if they suspected they were at risk of being discovered.
“In these cases, the kill switch not only ceases any external communications from the malware, it often results in the malware completely removing itself from any infected systems, stopping processes that are running, deleting any associated files and even going to the lengths of removing any incriminating system log entries,” Newman said.
The earlier companies can detect the attack and activate the kill switch—if there is one that can be activated—the less chance of significant damage from the attack. But, even if attackers have built a kill switch into the malware, security researchers typically only discover them after an attack.
For defenders attempting to isolate networks from the internet, it’s a matter of designing control points that can be activated quickly and across a domain, said Willy Leichter, vice president of marketing for Virsec. “The more challenging part is detection and having enough confidence that a real attack is underway to justify disrupting business,” he said.
Can the Kill Switch Be Used to Prevent Cyberattacks?
For those organizations that are targets of an attack, the kill switch is reactive, and, in most cases, using it can only limit the degree of damage from an attack. In short, a kill switch does not prevent an attack from occurring. “Given that the kill switch would be highly disruptive to most businesses, and downright dangerous for critical infrastructure systems, it’s unlikely that businesses would want this to be automatically triggered,” Leichter said.
If defenders are able to devise their own kill switch to use once they know they’re under attack, they can block external communications as a first step to shutting down the attack. Even this approach is complicated by the reality that attackers increasingly are finding new ways to disguise their communications, often leveraging other legitimate services, which makes it more difficult to recognize and shut down.
Despite the difficulties, there are examples of defenders successfully devising a kill switch, as was the case in response to a massive Memcached DDoS attacks earlier this year. “In this case, analysis obtained from our system was able to identify every source of traffic in each attack and use that to send a command directly to each abused Memcached server to disarm it,” Newman said.
Good News, Bad News
While there have been discussions of granting a central authority the ability to stop all internet traffic in the case of a major cyberattack, the kill switch would still be reactionary. In short, it’s not a silver bullet.
Because every cyberattack is unique, there is no universal kill switch—short of disabling all internet traffic. Consider the impact that such a decision could have across the healthcare industry, for example, where lives depend on internet-connected devices.
Stopping an attack in its tracks does limit the potential widespread damage that could happen if the attack were to continue to spread. “When an attack is detected early enough in its propagation cycle, this central authority would flip a switch to instruct all internet service providers to stop routing traffic, hence stopping the propagation of the malware outside the boundaries of local area networks,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.
However, the reality is that there is no guarantee that all attacks will be detected very early in their life cycle, particularly when it comes to self-propagating malware. “In those cases, a central kill switch disabling the internet may not be effective,” Hahad noted. “When cyberthreat actors know this kill switch capability exists, they will just ensure that all malware goes through these two stages in their life cycle.”
Also worth considering are the downsides of activating a kill switch. Disabling the internet can have adverse consequences across different sectors, many of which the industry has yet to grasp. Given the dire consequences—whether financial, reputational or worse—defenders must weigh the risks and rewards of making that critical choice to activate a kill switch.