In-depth

Hacking back: active defence for the enterprise

is striking back an advisable strategy for the enterprise? Davey Winder has been investigating.

When security start-up CrowdStrike - co-founded by former McAfee Vice President of Threat Research Dmitri Alperovitch and with the likes of former FBI cyber crime chief Shawn Henry on board - announced an 'active defence' platform it got people talking.

Hardly surprising when you consider that CrowdStrike's Falcon managed service employs threat model more common in military circles to not only alert the enterprise to real-time intrusion but, crucially, engage a strategy which could include counter-intelligence gathering or feeding fake data back to the bad guys.

In the CrowdStrike press release announcing the appointment of retired US Air Force Colonel Mike Convertino as senior director of strategic operations and CISO, he's described as formerly being Commander of the 318th Information Operations Group (an information warfare outfit within the US Air Force) and his current role is to assist customers "in leveraging CrowdStrike's proprietary technology to hunt for adversaries on their networks and strike back as appropriate."

Is striking back an advisable strategy?

CrowdStrike defines an active defence strategy as one that "focuses on raising costs and risks to the adversary and attempts to deter their activities" as opposed to the passive model that relies on fortification and breach detection. Within this definition, CrowdStrike talk of the active defence strategy model supporting four primary use cases, namely: attack detection, attribution, flexibility of response, and intelligence dissemination. The description of the 'flexibility of response' use case includes actions such as "deception, containment, tying up adversary resources, and creating doubt and confusion" and 'intelligence dissemintaion' talks of facilitating "corrective and deterrent action."

This has, perhaps unsurprisingly, prompted much debate within the IT security industry surrounding the topic this year, especially when coupled with that Convertino job description which includes language such as 'strike back when appropriate.'

IT Pro has been talking to IT security industry experts to try and get a better understanding of active defense as an enterprise strategy. We started by considering whether it should be considered as another data protection layer or not?

Ilia Kolochenko is CEO of information security services provider High-Tech Bridge and a lecturer on cyber crime at HES-SO University, Switzerland. He told IT Pro that this really depends upon how you define active defence in the first place.

"If by using this term we mean hack the hacker then my answer is to avoid such tactics" Kolochenko warns. "First of all, you never know who is in front of you, and you risk attacking a powerful hacker group who was hacking your network for money or fun, but after receiving a counter-attack may continue their attack on principle."

Obviously, such a scenario could aggravate the situation, and you may discover that the hacker group has a new goal of harming your infrastructure and destroying as much data as possible now. Also, as Kolochenko points out, you may never be sure how far the hackers are ready to go and one day you may simply realise that you don't have enough budget to continue the war.

"Don't forget that using economies of scale, hackers can resist much longer than you in a cyber conflict" Kolochenko says.

"Hackers almost never attack from their own machines, but use chains of already-compromised systems as proxies.  Therefore you take a legal risk by hacking the 'hacker' who could be an international corporation or governmental network."

Corey Nachreiner, director of security strategy at WatchGuard, agrees that if you consider active defence as enticing an attacker with a Trojanised file or launching a full-on cyber attack against them it should probably be avoided at all costs.

He also warns that even if you just think of it as a "fancy term for trying to gather forensic data about your attacker" then you need to consider how actionable that data may really be as attribution can be difficult on the internet.

"Attackers often leverage proxies in their attacks," Nachreiner says. "If they know you are analysing their code, they may start to inject false flags into it to throw you off their trail. While gathering this data is nice, is there anything your business will really, legally be able to do with it?"

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Recommended

Google’s about to push everyone into two-factor authentication
Security

Google’s about to push everyone into two-factor authentication

6 May 2021
Defense Dept. expands vulnerability disclosure program to all publicly accessible defense systems
ethical hacking

Defense Dept. expands vulnerability disclosure program to all publicly accessible defense systems

5 May 2021
Security researchers take control of a Tesla via drone
ethical hacking

Security researchers take control of a Tesla via drone

5 May 2021
Best free malware removal tools 2021
Security

Best free malware removal tools 2021

5 May 2021

Most Popular

Dell patches vulnerability affecting hundreds of computer models worldwide
cyber security

Dell patches vulnerability affecting hundreds of computer models worldwide

5 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021