UPDATED 10:45 EST / JANUARY 23 2012


Fed Anon Response is a Case Study in Evolving Cybersecurity

Last week’s DDoS attacks, launched by Anonymous in response to SOPA legislation, prompted one very interesting response. According to a Fox News report, the Justice Department actually pulled its own website offline last Thursday in a pre-emptive response to the threat of planned activity by the notorious hacktivist group. The report states:

“But the intelligence official tells a slightly different story, saying there were signs early on a cyberassault was imminent. The denial of service attack on the justice department website brought a surge of Internet traffic — raising it from 50 hits a minute to beyond 1,000 hits — at which point the DOJ took the site offline to install filters based on the incoming IP addresses.”

A couple of things are revealed here. For one, there appears to be active monitoring of traffic statistics on this particular site. It also reinforces the logical assumption that a response body is monitoring Anonymous’s public-facing channels, such as Twitter and the Anonops webpages. From the technology point of view, it indicates that an unnamed technology was put in place to respond to this threat based on incoming IP addresses. What is most significant is that all of these components were strung together in response to an incoming threat. Such a construct is the mark of a multifaceted effort combining technology, statistics and a threat analysis matrix, unified by the ability at some level to make the call to take the site offline.
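As an added illustration (not from the article, the Fox News report or the DOJ, whose tooling is unnamed), the sketch below shows the kind of check the report implies: count hits per minute, alert once the rate passes 1,000, and list source IPs whose individual rate exceeds the whole site's normal 50 hits a minute as filter candidates. The log format, the addresses, the timestamps and the per-IP rule are assumptions, and the sample lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BASELINE_PER_MIN = 50    # normal site-wide rate quoted in the report
ALERT_PER_MIN = 1000     # rate at which the report says the site was pulled

def build_sample_log():
    """Constructed access-log lines: three quiet minutes, then a surge minute."""
    start = datetime(2012, 1, 19, 21, 0, 0)      # constructed timestamp
    lines = []
    for minute in range(3):                      # 50 hits/min from many clients
        for i in range(50):
            ts = start + timedelta(minutes=minute, seconds=i)
            lines.append(f"{ts.isoformat()} 198.51.100.{i % 40 + 1} GET /")
    surge = start + timedelta(minutes=3)
    for i in range(1200):                        # surge: few sources, many hits
        ts = surge + timedelta(seconds=i % 60)
        lines.append(f"{ts.isoformat()} 203.0.113.{i % 6 + 1} GET /")
    for i in range(40):                          # ordinary visitors still present
        ts = surge + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 198.51.100.{i + 1} GET /")
    return lines

def analyze(lines, alert=ALERT_PER_MIN, baseline=BASELINE_PER_MIN):
    """Return {minute: sorted filter-candidate IPs} for minutes over `alert`."""
    per_minute = defaultdict(Counter)
    for line in lines:
        ts, ip, _rest = line.split(" ", 2)
        per_minute[ts[:16]][ip] += 1             # bucket key: YYYY-MM-DDTHH:MM
    findings = {}
    for minute, ips in sorted(per_minute.items()):
        if sum(ips.values()) <= alert:
            continue                             # site-wide rate is not alarming
        # One client exceeding the whole site's normal rate is a filter candidate;
        # ordinary visitors in the same minute stay off the list.
        findings[minute] = sorted(ip for ip, n in ips.items() if n > baseline)
    return findings

if __name__ == "__main__":
    for minute, ips in analyze(build_sample_log()).items():
        print(minute, "filter candidates:", ", ".join(ips))
```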

The following quote from General Dale Meyerrose of Harris Corp is very telling:

“The [fear] that someone is actually going to suffer the consequence for carrying out either a propaganda, a retribution or maybe even a trial run of some future operation is, is really the key, the element of this whole thing.”

Kyt Dotson’s article refers to the dark cloud tactics employed by Anonymous, namely LOIC distribution through social media that exponentially expanded the group’s potential attack vector:

“[…] this is already a common tactic, it just became more effective this round because of the proximity to the SOPA blackout. The general public had already been primed to look for social media messages about government censorship so when Megaupload.com suffered under the heel of government, tweets claiming to contain links supporting #OpMegaupload became interesting and anyone clicking those links became (however briefly) part of the DDoS attack.”

The crux of the matter is that, in this case, the response appears to have gone beyond a mere repair-and-restore operation: an analysis concluded that a threat was under way, and the best available operation was then put into motion. One question lingers in this analyst’s mind: whether such a security response matrix has been implemented on other sensitive systems, and whether it will be effective against more sophisticated attacks that may result in data leakage. The technology and, more importantly, the methodology are there, and have existed for some time in principle. Again, it is the unison of threat analysis and response that will show whether our most sensitive national information systems stand to gain better protection.

