Hacking back: active defence for the enterprise

Is striking back an advisable strategy for the enterprise? Davey Winder has been investigating.

When security start-up CrowdStrike - co-founded by former McAfee Vice President of Threat Research Dmitri Alperovitch and with the likes of former FBI cyber crime chief Shawn Henry on board - announced an 'active defence' platform it got people talking.

Hardly surprising when you consider that CrowdStrike's Falcon managed service employs a threat model more common in military circles: it not only alerts the enterprise to intrusions in real time but, crucially, engages a strategy that could include counter-intelligence gathering or feeding fake data back to the attackers.

In the CrowdStrike press release announcing the appointment of retired US Air Force Colonel Mike Convertino as senior director of strategic operations and CISO, he is described as the former Commander of the 318th Information Operations Group (an information warfare unit within the US Air Force). His current role is to assist customers "in leveraging CrowdStrike's proprietary technology to hunt for adversaries on their networks and strike back as appropriate."

Is striking back an advisable strategy?


CrowdStrike defines an active defence strategy as one that "focuses on raising costs and risks to the adversary and attempts to deter their activities", as opposed to the passive model that relies on fortification and breach detection. Within this definition, CrowdStrike talks of the active defence model supporting four primary use cases: attack detection, attribution, flexibility of response, and intelligence dissemination. The description of the 'flexibility of response' use case includes actions such as "deception, containment, tying up adversary resources, and creating doubt and confusion", while 'intelligence dissemination' talks of facilitating "corrective and deterrent action."

This has, perhaps unsurprisingly, prompted much debate within the IT security industry this year, especially when coupled with a job description for Convertino that includes language such as 'strike back as appropriate.'

IT Pro has been talking to IT security industry experts to get a better understanding of active defence as an enterprise strategy. We started by considering whether it should be treated as just another layer of data protection.

Ilia Kolochenko is CEO of information security services provider High-Tech Bridge and a lecturer on cyber crime at HES-SO University, Switzerland. He told IT Pro that this really depends upon how you define active defence in the first place.

"If by using this term we mean hack the hacker, then my answer is to avoid such tactics," Kolochenko warns. "First of all, you never know who is in front of you, and you risk attacking a powerful hacker group who was hacking your network for money or fun, but after receiving a counter-attack may continue their attack on principle."

Such a scenario could clearly aggravate the situation: a group that was after money or amusement may now set itself the goal of harming your infrastructure and destroying as much data as possible. As Kolochenko also points out, you can never be sure how far the attackers are prepared to go, and one day you may simply realise that you no longer have the budget to continue the war.


"Don't forget that, using economies of scale, hackers can resist much longer than you in a cyber conflict," Kolochenko says.

"Hackers almost never attack from their own machines, but use chains of already-compromised systems as proxies. Therefore you take a legal risk by hacking the 'hacker', who could be an international corporation or governmental network."

Corey Nachreiner, director of security strategy at WatchGuard, agrees that if active defence means enticing an attacker with a Trojanised file, or launching a full-on cyber attack against them, it should probably be avoided at all costs.

He also warns that even if you think of it merely as a "fancy term for trying to gather forensic data about your attacker", you need to consider how actionable that data really is, because attribution on the internet is difficult.

"Attackers often leverage proxies in their attacks," Nachreiner says. "If they know you are analysing their code, they may start to inject false flags into it to throw you off their trail. While gathering this data is nice, is there anything your business will really, legally be able to do with it?"
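The part of CrowdStrike's 'flexibility of response' use case that does not require touching anyone else's systems is deception on your own network: plant fake data, and treat any use of it as a high-confidence intrusion signal. The block below is an added illustration of that approach, not code from CrowdStrike or from anyone quoted in this article. It generates decoy service accounts (honeytokens) whose names are keyed to an assumed per-organisation secret, renders a plausible config file to leave where an intruder would look, and scans constructed sshd-style log lines for login attempts against those accounts. All names, the key and the sample log are made up for the example.

```python
"""Deception without hacking back: plant unique fake credentials
(honeytokens) on your own hosts and alert when someone tries to use them.
Added example; nothing here is taken from the article or from CrowdStrike."""
import hashlib
import hmac
import re

# Assumed per-organisation secret; in practice keep it out of source control.
ORG_KEY = b"example-org-honeytoken-key"


def make_honeytoken(label: str, key: bytes = ORG_KEY) -> str:
    """Build a fake service username unique to this organisation.

    The HMAC tag makes the name unguessable to an outsider and lets the
    owner recognise it later without keeping a list of every decoy planted.
    """
    tag = hmac.new(key, label.encode(), hashlib.sha256).hexdigest()[:10]
    return f"svc_{label}_{tag}"


def decoy_config(tokens: dict) -> str:
    """Render a plausible 'legacy' config file containing the decoy accounts.

    This file is the bait: it is dropped on a host where an intruder
    rummaging for credentials would find it. The password is deliberately
    weak-looking so the find seems credible.
    """
    lines = ["# legacy service accounts (migration pending)"]
    for username, label in tokens.items():
        lines.append(f"{label}.user = {username}")
        lines.append(f"{label}.password = Welcome2019!")
    return "\n".join(lines) + "\n"


# sshd-style line: "Failed password for invalid user NAME from IP port N ssh2"
AUTH_RE = re.compile(
    r"(?:Failed|Accepted) password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3})"
)


def find_honeytoken_use(log_lines, tokens: dict):
    """Return (decoy_username, source_ip, label) for every login attempt
    against a decoy account.

    Any hit is high confidence: no legitimate user or process should ever
    know these usernames. The source IP is recorded as an indicator, but,
    as Nachreiner notes, it may well be a proxy rather than the attacker.
    """
    hits = []
    for line in log_lines:
        m = AUTH_RE.search(line)
        if m and m.group(1) in tokens:
            hits.append((m.group(1), m.group(2), tokens[m.group(1)]))
    return hits


# --- constructed demo data (not real logs) ---
TOKENS = {make_honeytoken(lbl): lbl for lbl in ("backup", "jenkins")}
BACKUP_USER = make_honeytoken("backup")

SAMPLE_LOG = [
    "Jan 14 10:02:11 bastion sshd[2231]: Failed password for alice "
    "from 198.51.100.7 port 50212 ssh2",
    f"Jan 14 10:05:40 bastion sshd[2290]: Failed password for invalid user "
    f"{BACKUP_USER} from 203.0.113.9 port 41022 ssh2",
    "Jan 14 10:05:41 bastion sshd[2291]: Accepted password for bob "
    "from 198.51.100.7 port 50220 ssh2",
    f"Jan 14 10:05:44 bastion sshd[2292]: Failed password for invalid user "
    f"{BACKUP_USER} from 203.0.113.9 port 41023 ssh2",
]

if __name__ == "__main__":
    print(decoy_config(TOKENS))
    for user, ip, label in find_honeytoken_use(SAMPLE_LOG, TOKENS):
        print(f"ALERT: decoy '{label}' account {user} tried from {ip}")
```

Running the script prints the decoy config and two alerts, both from 203.0.113.9. The point is that the response stays on your side of the wire: the decoy costs the intruder time and gives you an unambiguous detection, while the only thing you learn about them is an address that may belong to a compromised third party, which is exactly why the article's experts caution against acting on it offensively.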
