Hacking back: active defence for the enterprise
is striking back an advisable strategy for the enterprise? Davey Winder has been investigating.
A security team can then use this information to respond to the attack dynamically by feeding the attacker dummy information. However, Thacker isn't convinced that active defense is the way forward and instead urges organisations to adopt and improve active security capabilities and make blocking the attack a priority.
"Too many organisations are still focused on passive security elements" Thacker warns. "Bringing in active controls with real-time event correlation capabilities to help set the severity of an incident is often much more effective. In my opinion, focusing on kill-chain correlation is more effective than an active defence strategy."
Catalin Cosoi, chief security strategist at Bitdefender, is even more vehement in his stance against the 'striking back' interpretation of active defence that some proponents of the idea perpetuate in their marketing language.
"Under no circumstances should active defence extend to tampering with systems and hardware other than those you own," Cosoi insists.
"Not only is it a bad idea, it's also illegal in most jurisdictions. Counter-hacking might be 'okay' in a national security context, but even then it's still not easy, or necessarily desirable, as it escalates a conflict. Leave policing to policemen, and shooting bad guys to action heroes."
But, just for a moment, let's leave behind the contentious issue of definition and semantics and assume that 'active defence' is to be taken seriously. Let's say that you've used such a platform to identify who has attacked you (ignoring for a moment that it might not actually be who you think it is) what should you do with that information?
If you can identify where a cyber attack came from it should be reported to the relevant authorities, simple as. That would seem to be obvious. Apart from the small detail that it's hardly ever as simple as that.
"Knowing who perpetrated the attack, unless from the inside, is not always as important for organisations as knowing why and how," explains Ross Brewer, vice president and managing director for international markets at LogRhythm.
"With the right security tools in place, every piece of activity within the IT infrastructure is captured and stored for analysis, allowing the reconstruction of patterns of behaviour as required."
There seems little doubt, and it's hardly a contentious issue, that gaining as much insight as possible regarding a breach will enable organisations to understand exactly what happened and what made it possible in the first place. "This level of intelligence is invaluable as it allows security vulnerabilities to be detected and fixed," Brewer concludes.
Espion information security consultant, Robert Fitzpatrick, argues that the most invaluable part of threat intelligence is actually the *sharing* of that intelligence.
"If you can" Fitzpatrick advises "with a certain degree of confidence, attribute an attack to a foe, is it important other organisations can also then use this intelligence. Treating your industry like an ecosystem is vital to keeping attackers at bay."