Hacking back: active defence for the enterprise
is striking back an advisable strategy for the enterprise? Davey Winder has been investigating.
When security start-up CrowdStrike - co-founded by former McAfee Vice President of Threat Research Dmitri Alperovitch and with the likes of former FBI cyber crime chief Shawn Henry on board - announced an 'active defence' platform it got people talking.
Hardly surprising when you consider that CrowdStrike's Falcon managed service employs threat model more common in military circles to not only alert the enterprise to real-time intrusion but, crucially, engage a strategy which could include counter-intelligence gathering or feeding fake data back to the bad guys.
In the CrowdStrike press release announcing the appointment of retired US Air Force Colonel Mike Convertino as senior director of strategic operations and CISO, he's described as formerly being Commander of the 318th Information Operations Group (an information warfare outfit within the US Air Force) and his current role is to assist customers "in leveraging CrowdStrike's proprietary technology to hunt for adversaries on their networks and strike back as appropriate."
Is striking back an advisable strategy?
CrowdStrike defines an active defence strategy as one that "focuses on raising costs and risks to the adversary and attempts to deter their activities" as opposed to the passive model that relies on fortification and breach detection. Within this definition, CrowdStrike talk of the active defence strategy model supporting four primary use cases, namely: attack detection, attribution, flexibility of response, and intelligence dissemination. The description of the 'flexibility of response' use case includes actions such as "deception, containment, tying up adversary resources, and creating doubt and confusion" and 'intelligence dissemintaion' talks of facilitating "corrective and deterrent action."
This has, perhaps unsurprisingly, prompted much debate within the IT security industry surrounding the topic this year, especially when coupled with that Convertino job description which includes language such as 'strike back when appropriate.'
IT Pro has been talking to IT security industry experts to try and get a better understanding of active defense as an enterprise strategy. We started by considering whether it should be considered as another data protection layer or not?
Ilia Kolochenko is CEO of information security services provider High-Tech Bridge and a lecturer on cyber crime at HES-SO University, Switzerland. He told IT Pro that this really depends upon how you define active defence in the first place.
"If by using this term we mean hack the hacker then my answer is to avoid such tactics" Kolochenko warns. "First of all, you never know who is in front of you, and you risk attacking a powerful hacker group who was hacking your network for money or fun, but after receiving a counter-attack may continue their attack on principle."
Obviously, such a scenario could aggravate the situation, and you may discover that the hacker group has a new goal of harming your infrastructure and destroying as much data as possible now. Also, as Kolochenko points out, you may never be sure how far the hackers are ready to go and one day you may simply realise that you don't have enough budget to continue the war.
"Don't forget that using economies of scale, hackers can resist much longer than you in a cyber conflict" Kolochenko says.
"Hackers almost never attack from their own machines, but use chains of already-compromised systems as proxies. Therefore you take a legal risk by hacking the 'hacker' who could be an international corporation or governmental network."
Corey Nachreiner, director of security strategy at WatchGuard, agrees that if you consider active defence as enticing an attacker with a Trojanised file or launching a full-on cyber attack against them it should probably be avoided at all costs.
He also warns that even if you just think of it as a "fancy term for trying to gather forensic data about your attacker" then you need to consider how actionable that data may really be as attribution can be difficult on the internet.
"Attackers often leverage proxies in their attacks," Nachreiner says. "If they know you are analysing their code, they may start to inject false flags into it to throw you off their trail. While gathering this data is nice, is there anything your business will really, legally be able to do with it?"