Over the past few months I’ve noticed a disturbing trend in our industry to talk more about “offensive security.” People are writing and tweeting about “active defenses” or “strikeback capabilities” but it all points to a movement that is at best a confusing use of terminology and at worst a dangerous allocation of resources for almost any organization.
I get the appeal though. Offense is much sexier than defense. Competitions are won by scoring more points than your opponent, not having your opponent score fewer points than you. The hero in almost every action story will eventually make the bad people pay in some violent fashion. Even within security the amount of discussion around successful hacks, the results of scans and pen-tests, and what’s the latest vulnerability still dominates what we write and read.
With the increase in targeted attacks we know that there’s someone behind the attacks. There’s a real, live person running the attack and wouldn’t it be great if we could cause them some frustration and maybe even fear?
But the cold reality is that affecting any network or system outside of your own organization’s responsibility will create a ton of liability for you with potentially little effect on the attacker. Do you know that the IP that is the source of the attack is owned by the attacker, or is it an unknowing bot? Are even the command-and-control IP ranges owned by the attacker, or are you impacting another victim?
So striking back shouldn’t even be discussed, but what about “active defenses?” Well, in my opinion we already have less sexy-sounding but more accurate names for this idea: incident handling and intelligence.
Incident handling covers a wide set of activities, but in my experience many organizations need to focus on the basics of Identify, Contain, Eradicate, and Recover before they get into advanced plays like honey-nets. Still, there are numerous things you can do within your own systems to frustrate and impact an attacker. Look at the whole process of targeted attacks and understand how you can respond not only against Incursion, but against Discovery and Capture as well.
Intelligence is the real frontier for how we can “actively” improve our defenses. Being able to correlate the particular markers within an attack to the controlling persons is very valuable. If you know who is attacking you in addition to what, you’re able to go beyond responding to what your logs are telling you and focus your defenses on the known methods in use and the objectives the attacking persons are trying to accomplish. But intelligence can’t be done alone. We must share information in a trusted environment to create as comprehensive a picture as possible of what those attackers are capable of doing. I’m hopeful we’ll see great strides in this area in the new year.
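As an added illustration of the correlation described above (example code written for this page, not something the author published), the following script matches markers pulled from constructed proxy-style log lines against a constructed intelligence set in which each indicator is attributed to an actor, the phase of the attack process it belongs to (Incursion, Discovery or Capture), and that actor's known objective. The actor names, indicators, hosts and log lines are all made up for the example; a real deployment would take the intelligence records from a shared, trusted source and the events from its own log pipeline.

```python
import re
from collections import defaultdict

# Constructed intelligence records (hypothetical actor names and indicators).
# In practice these come from shared, trusted sources, not from this script.
INTEL = [
    {"type": "domain", "value": "update-cdn.example", "actor": "ACTOR-A",
     "phase": "Incursion", "objective": "engineering design documents"},
    {"type": "ip", "value": "203.0.113.7", "actor": "ACTOR-A",
     "phase": "Capture", "objective": "engineering design documents"},
    {"type": "user_agent", "value": "Mozilla/4.0 (compatible; MSIE 6.0; Win32)",
     "actor": "ACTOR-B", "phase": "Discovery", "objective": "finance credentials"},
    {"type": "ip", "value": "198.51.100.21", "actor": "ACTOR-B",
     "phase": "Incursion", "objective": "finance credentials"},
]

# Constructed proxy-style log lines in key=value form (hosts and domains are fictional).
LOGS = [
    '2013-01-05T10:01:02Z host=ws17 dst=update-cdn.example dst_ip=192.0.2.10 ua="Mozilla/5.0" action=allow',
    '2013-01-05T10:04:11Z host=ws17 dst=files.example dst_ip=203.0.113.7 ua="Mozilla/5.0" action=allow',
    '2013-01-05T11:20:45Z host=fin03 dst=intranet.local dst_ip=10.0.0.5 ua="Mozilla/4.0 (compatible; MSIE 6.0; Win32)" action=allow',
    '2013-01-05T11:21:09Z host=fin03 dst=cdn.example dst_ip=198.51.100.21 ua="Mozilla/4.0 (compatible; MSIE 6.0; Win32)" action=allow',
    '2013-01-05T12:00:00Z host=ws02 dst=news.example dst_ip=192.0.2.44 ua="Mozilla/5.0" action=allow',
]

# key=value pairs; a quoted value may contain spaces, an unquoted one may not.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Later phases of the attack process outrank earlier ones when deciding where to respond first.
PHASE_ORDER = {"Incursion": 1, "Discovery": 2, "Capture": 3}


def parse_line(line):
    """Turn one key=value log line into a dict; the leading timestamp is kept as 'ts'."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for key, raw in KV_RE.findall(rest):
        event[key] = raw.strip('"')
    return event


def indicators_in(event):
    """Map the fields of one event onto the indicator types used in INTEL."""
    found = set()
    if "dst" in event:
        found.add(("domain", event["dst"]))
    if "dst_ip" in event:
        found.add(("ip", event["dst_ip"]))
    if "ua" in event:
        found.add(("user_agent", event["ua"]))
    return found


def correlate(lines, intel):
    """Group every matching event by the actor its indicator is attributed to."""
    index = {(r["type"], r["value"]): r for r in intel}
    by_actor = defaultdict(lambda: {"hosts": set(), "phases": set(),
                                    "objective": None, "events": []})
    for line in lines:
        event = parse_line(line)
        for ind in indicators_in(event):
            rec = index.get(ind)
            if rec is None:
                continue  # not a known marker; nothing to attribute
            summary = by_actor[rec["actor"]]
            summary["hosts"].add(event.get("host", "?"))
            summary["phases"].add(rec["phase"])
            summary["objective"] = rec["objective"]
            summary["events"].append((event["ts"], event.get("host"), ind))
    return dict(by_actor)


def prioritize(summary):
    """Order actors by the furthest phase observed, then by how many hosts are involved."""
    return sorted(
        summary,
        key=lambda a: (max(PHASE_ORDER[p] for p in summary[a]["phases"]),
                       len(summary[a]["hosts"])),
        reverse=True,
    )


if __name__ == "__main__":
    result = correlate(LOGS, INTEL)
    for actor in prioritize(result):
        s = result[actor]
        print(f"{actor}: phases={sorted(s['phases'])} hosts={sorted(s['hosts'])} "
              f"objective={s['objective']!r} events={len(s['events'])}")
```

The point of the grouping is the one the paragraph makes: once the markers are tied to an actor, the output is no longer a list of alerts but a statement of who is in the network, how far along the attack process they are, and what they are after, which is what lets the response concentrate on that actor's known methods rather than on individual log lines.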