
Offensive Language

Created: 11 Mar 2013 • Updated: 11 Mar 2013 • 3 comments
By PaulTobia

Over the past few months I’ve noticed a disturbing trend in our industry to talk more about “offensive security.” People are writing and tweeting about “active defenses” or “strikeback capabilities” but it all points to a movement that is at best a confusing use of terminology and at worst a dangerous allocation of resources for almost any organization.

I get the appeal though. Offense is much sexier than defense. Competitions are won by scoring more points than your opponent, not having your opponent score fewer points than you. The hero in almost every action story will eventually make the bad people pay in some violent fashion. Even within security the amount of discussion around successful hacks, the results of scans and pen-tests, and what’s the latest vulnerability still dominates what we write and read.

With the increase in targeted attacks we know that there’s someone behind the attacks. There’s a real, live person running the attack and wouldn’t it be great if we could cause them some frustration and maybe even fear?

But the cold reality is that affecting any network or system outside of your own organization’s responsibility will create a ton of liability for you, with potentially little effect on the attacker. Do you know that the IP that is the source of the attack is owned by the attacker, or is it an unknowing bot? Are even the command and control IP ranges owned by the attacker, or are you impacting another victim?

So striking back shouldn’t even be discussed, but what about “active defenses?” Well, in my opinion we already have less sexy-sounding but more accurate names for this idea: incident handling and intelligence.

Incident handling covers a wide set of activity, but in my experience many organizations need to focus on the basics of Identify, Contain, Eradicate, and Recover before they get into advanced plays like honey-nets. Still, there are numerous things you can do within your own systems to frustrate and impact an attacker. Look at the whole process of targeted attacks and understand how you can respond against not only Incursion, but Discovery and Capture as well.

Intelligence is the real frontier for how we can “actively” improve our defenses. Being able to correlate the particular markers within an attack to the controlling persons is very valuable. If you know who is attacking you in addition to what, you’re able to go beyond responding to what your logs are telling you and focus your defenses on the known methods in use and the objectives the attacking persons are trying to accomplish. But intelligence can’t be done alone. We must share information in a trusted environment to create as comprehensive a picture as possible of what those attackers are capable of doing. I’m hopeful we’ll see great strides in this area in the new year.

Comments (3)

kishorilal1986

Good one.

Will V

Well said, Paul. How can we get to that point where information sharing is the norm? Too often we find that victims of cyber-attacks are unwilling to discuss the particulars of their incident for fear of being seen as weak or unprepared. It's a huge PR disaster for many firms.

Please mark posts as the solution if they solve your problem!

PaulTobia

@Will V, I see two big stumbling blocks:

The first is the legal requirements and liability regarding breaches. In general this is a good thing for people, but there needs to be some sort of safe harbor to shield organizations from potential liability before they will be willing to open up and collaborate. It's not a get out of jail free card, but orgs need to be comfortable to collaborate while things are in motion in order to provide real value.

The second is a trusted network. I've seen it happen frequently on a local or vertical level where everyone knows everyone, but the capability to scale up, to really get the value from a wide set of participants, is a challenge. Anonymity can help but reduces the value of the information and its credibility.

Thanks for your question!
