Hacking back: active defence for the enterprise
is striking back an advisable strategy for the enterprise? Davey Winder has been investigating.
When security start-up CrowdStrike - co-founded by former McAfee Vice President of Threat Research Dmitri Alperovitch and with the likes of former FBI cyber crime chief Shawn Henry on board - announced an 'active defence' platform it got people talking.
Hardly surprising when you consider that CrowdStrike's Falcon managed service employs threat model more common in military circles to not only alert the enterprise to real-time intrusion but, crucially, engage a strategy which could include counter-intelligence gathering or feeding fake data back to the bad guys.
In the CrowdStrike press release announcing the appointment of retired US Air Force Colonel Mike Convertino as senior director of strategic operations and CISO, he's described as formerly being Commander of the 318th Information Operations Group (an information warfare outfit within the US Air Force) and his current role is to assist customers "in leveraging CrowdStrike's proprietary technology to hunt for adversaries on their networks and strike back as appropriate."
Is striking back an advisable strategy?
CrowdStrike defines an active defence strategy as one that "focuses on raising costs and risks to the adversary and attempts to deter their activities" as opposed to the passive model that relies on fortification and breach detection. Within this definition, CrowdStrike talk of the active defence strategy model supporting four primary use cases, namely: attack detection, attribution, flexibility of response, and intelligence dissemination. The description of the 'flexibility of response' use case includes actions such as "deception, containment, tying up adversary resources, and creating doubt and confusion" and 'intelligence dissemintaion' talks of facilitating "corrective and deterrent action."
This has, perhaps unsurprisingly, prompted much debate within the IT security industry surrounding the topic this year, especially when coupled with that Convertino job description which includes language such as 'strike back when appropriate.'
IT Pro has been talking to IT security industry experts to try and get a better understanding of active defense as an enterprise strategy. We started by considering whether it should be considered as another data protection layer or not?
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Ilia Kolochenko is CEO of information security services provider High-Tech Bridge and a lecturer on cyber crime at HES-SO University, Switzerland. He told IT Pro that this really depends upon how you define active defence in the first place.
"If by using this term we mean hack the hacker then my answer is to avoid such tactics" Kolochenko warns. "First of all, you never know who is in front of you, and you risk attacking a powerful hacker group who was hacking your network for money or fun, but after receiving a counter-attack may continue their attack on principle."
Obviously, such a scenario could aggravate the situation, and you may discover that the hacker group has a new goal of harming your infrastructure and destroying as much data as possible now. Also, as Kolochenko points out, you may never be sure how far the hackers are ready to go and one day you may simply realise that you don't have enough budget to continue the war.
"Don't forget that using economies of scale, hackers can resist much longer than you in a cyber conflict" Kolochenko says.
"Hackers almost never attack from their own machines, but use chains of already-compromised systems as proxies. Therefore you take a legal risk by hacking the 'hacker' who could be an international corporation or governmental network."
Corey Nachreiner, director of security strategy at WatchGuard, agrees that if you consider active defence as enticing an attacker with a Trojanised file or launching a full-on cyber attack against them it should probably be avoided at all costs.
He also warns that even if you just think of it as a "fancy term for trying to gather forensic data about your attacker" then you need to consider how actionable that data may really be as attribution can be difficult on the internet.
"Attackers often leverage proxies in their attacks," Nachreiner says. "If they know you are analysing their code, they may start to inject false flags into it to throw you off their trail. While gathering this data is nice, is there anything your business will really, legally be able to do with it?"
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.