A decade ago I had a discussion with my then boss about how to respond to inbound attacks. It was clear then that the current methods of defense were wrong by any measure you care to use. They haven't gotten any better in a decade. They've only increased in cost and complexity. The basic failure can be demonstrated by the metaphor of feudal Europe, since I know all of you are aware of your western civ history. Our current defense methods are akin to various forms of dumping molten lead onto the Visigoths below our 'fortified' walls. The problem is that the Visigoths are already in our land, destroying things along their way to the castle. Of course the metaphor breaks down because these Visigoths replicate in place; they get stronger, faster and more sinister in their siege weapons with nothing more than the passage of time, and no matter how many we disable there are always more than there were a minute ago.
So what to do? Given that the attack is always through an intermediate entity, I propose using a biological analog to address it. Treat it as a diseased state and execute a vaccination. Since the intermediate system has already been compromised, as is demonstrated by the fact that it is currently an intermediate for an attack, it would be best to wrest control of it from its current commander. We can certainly discuss what that means or how to accomplish it, but that is the best solution. Remove the Visigoths from battle rather than attempting to thwart their attack on us. The other side of this equation, and the thing its success depends on, is automation. The takeover system must be able to respond to the attack within a few packets and wrest control a short time later. Otherwise you have accomplished nothing. Waiting until the entire village is infected with Ebola before you send in the inoculant will only result in more deaths. Waiting for a human being to respond is similarly inappropriate in this situation.
This is not an attack. It is a method of removing resources from an attacker. If the takeover were done correctly, say leaving the affected machine in a state where it was no longer vulnerable to the exploit the attacker used originally to take control, you have in fact helped the Internet overall. You have inoculated another machine, and the pool of resources available to attackers has diminished. If you can do it fast enough you can wrest an entire farm from its nefarious controlling entity and put them back at square one. This method levels the playing field, as every attack therefore becomes a chance to lose all your resources. It requires no coordination to execute, no notice since the machine is already infected, and there is no data breach involved.
The real question is can it be done?
Give me a minute.....