Hacking back: active defence for the enterprise

is striking back an advisable strategy for the enterprise? Davey Winder has been investigating.

A security team can then use this information to respond to the attack dynamically by feeding the attacker dummy information. However, Thacker isn't convinced that active defense is the way forward and instead urges organisations to adopt and improve active security capabilities and make blocking the attack a priority.

"Too many organisations are still focused on passive security elements" Thacker warns. "Bringing in active controls with real-time event correlation capabilities to help set the severity of an incident is often much more effective. In my opinion, focusing on kill-chain correlation is more effective than an active defence strategy."

Catalin Cosoi, chief security strategist at Bitdefender, is even more vehement in his stance against the 'striking back' interpretation of active defence that some proponents of the idea perpetuate in their marketing language.

"Under no circumstances should active defence extend to tampering with systems and hardware other than those you own," Cosoi insists.

"Not only is it a bad idea, it's also illegal in most jurisdictions. Counter-hacking might be 'okay' in a national security context, but even then it's still not easy, or necessarily desirable, as it escalates a conflict. Leave policing to policemen, and shooting bad guys to action heroes."

But, just for a moment, let's leave behind the contentious issue of definition and semantics and assume that 'active defence' is to be taken seriously. Let's say that you've used such a platform to identify who has attacked you (ignoring for a moment that it might not actually be who you think it is) what should you do with that information?

If you can identify where a cyber attack came from it should be reported to the relevant authorities, simple as. That would seem to be obvious. Apart from the small detail that it's hardly ever as simple as that.

"Knowing who perpetrated the attack, unless from the inside, is not always as important for organisations as knowing why and how," explains Ross Brewer, vice president and managing director for international markets at LogRhythm.

"With the right security tools in place, every piece of activity within the IT infrastructure is captured and stored for analysis, allowing the reconstruction of patterns of behaviour as required."

There seems little doubt, and it's hardly a contentious issue, that gaining as much insight as possible regarding a breach will enable organisations to understand exactly what happened and what made it possible in the first place. "This level of intelligence is invaluable as it allows security vulnerabilities to be detected and fixed," Brewer concludes.

Espion information security consultant, Robert Fitzpatrick, argues that the most invaluable part of threat intelligence is actually the *sharing* of that intelligence.

"If you can" Fitzpatrick advises "with a certain degree of confidence, attribute an attack to a foe, is it important other organisations can also then use this intelligence. Treating your industry like an ecosystem is vital to keeping attackers at bay."

Featured Resources

BIOS security: The next frontier for endpoint protection

Today’s threats upend traditional security measures

Download now

The role of modern storage in a multi-cloud future

Research exploring the impact of modern storage in defining cloud success

Download now

Enterprise data protection: A four-step plan

An interactive buyers’ guide and checklist

Download now

The total economic impact of Adobe Sign

Cost savings and business benefits enabled by Adobe Sign

Download now

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
The Xbox Series X shows how far the cloud still has to go
Cloud

The Xbox Series X shows how far the cloud still has to go

25 Sep 2020