
Hacking back: active defence for the enterprise

Is striking back an advisable strategy for the enterprise? Davey Winder has been investigating.

When security start-up CrowdStrike - co-founded by former McAfee Vice President of Threat Research Dmitri Alperovitch and with the likes of former FBI cyber crime chief Shawn Henry on board - announced an 'active defence' platform it got people talking.

Hardly surprising when you consider that CrowdStrike's Falcon managed service employs a threat model more common in military circles, one that not only alerts the enterprise to real-time intrusion but, crucially, engages a strategy which could include counter-intelligence gathering or feeding fake data back to the bad guys.

In the CrowdStrike press release announcing the appointment of retired US Air Force Colonel Mike Convertino as senior director of strategic operations and CISO, he's described as formerly being Commander of the 318th Information Operations Group (an information warfare outfit within the US Air Force) and his current role is to assist customers "in leveraging CrowdStrike's proprietary technology to hunt for adversaries on their networks and strike back as appropriate."

Is striking back an advisable strategy?

CrowdStrike defines an active defence strategy as one that "focuses on raising costs and risks to the adversary and attempts to deter their activities", as opposed to the passive model that relies on fortification and breach detection. Within this definition, CrowdStrike talks of the active defence strategy model supporting four primary use cases, namely: attack detection, attribution, flexibility of response, and intelligence dissemination. The description of the 'flexibility of response' use case includes actions such as "deception, containment, tying up adversary resources, and creating doubt and confusion", and 'intelligence dissemination' talks of facilitating "corrective and deterrent action."

This has, perhaps unsurprisingly, prompted much debate within the IT security industry surrounding the topic this year, especially when coupled with that Convertino job description which includes language such as 'strike back when appropriate.'

IT Pro has been talking to IT security industry experts to try and get a better understanding of active defence as an enterprise strategy. We started by asking whether or not it should be considered another data protection layer.

Ilia Kolochenko is CEO of information security services provider High-Tech Bridge and a lecturer on cyber crime at HES-SO University, Switzerland. He told IT Pro that this really depends upon how you define active defence in the first place.

"If by using this term we mean hack the hacker, then my answer is to avoid such tactics," Kolochenko warns. "First of all, you never know who is in front of you, and you risk attacking a powerful hacker group who was hacking your network for money or fun, but after receiving a counter-attack may continue their attack on principle."

Obviously, such a scenario could aggravate the situation, and you may discover that the hacker group now has a new goal: harming your infrastructure and destroying as much data as possible. Also, as Kolochenko points out, you can never be sure how far the hackers are prepared to go, and one day you may simply realise that you don't have enough budget to continue the war.

"Don't forget that, using economies of scale, hackers can resist much longer than you in a cyber conflict," Kolochenko says.

"Hackers almost never attack from their own machines, but use chains of already-compromised systems as proxies. Therefore you take a legal risk by hacking the 'hacker', who could be an international corporation or governmental network."

Corey Nachreiner, director of security strategy at WatchGuard, agrees that if you consider active defence to mean enticing an attacker with a Trojanised file or launching a full-on cyber attack against them, it should probably be avoided at all costs.

He also warns that even if you just think of it as a "fancy term for trying to gather forensic data about your attacker", then you need to consider how actionable that data may really be, as attribution can be difficult on the internet.

"Attackers often leverage proxies in their attacks," Nachreiner says. "If they know you are analysing their code, they may start to inject false flags into it to throw you off their trail. While gathering this data is nice, is there anything your business will really, legally be able to do with it?"
