Hacking back: active defence for the enterprise

Features
By Davey Winder
published

is striking back an advisable strategy for the enterprise? Davey Winder has been investigating.

Compare that to just passively reporting a breach to the authorities which can often feel like control has been taken even further out of your grasp.

"However, it s much more productive for an enterprise to focus on what they can both manage and control," says Rhodri Davies, managed security services chief technologist at HP Enterprise Security.

"Actively being aware of what is happening within your enterprise and optimising your defences accordingly is a positive process. But, going a step further than this and executing an aggressive active response is of little benefit to an enterprise, both legally and practically."

Can active defence (depending how you define it) be part of an approach to dealing with targeted attacks? Certainly. Should it be the only part of the approach? "Definitely not," according to Rob Sloan, head of response at Context Information Security.

"There is one way to reduce your risk of being successfully attacked and that is to continually improve your defences, monitor your network, hosts and logs for nefarious activity, and expect that at some point you will be compromised and be ready to respond quickly to the incident and have sufficient data to support an investigation," Sloan insists.

If an organisation is at that point they could consider what an active defence strategy could do for them, what additional risks it may carry and what (if any) benefits it would bring.

"Decision makers should not be swayed by the sexiness of taking the fight back to the attackers," Sloan concludes.

The reason that it's sexy is, perhaps, down to the principle being deeply rooted in topological warfare. Fortunately, this really does bear no resemblance to warfare within corporate computer networks.

"Active defence only makes sense if you think you can actually deter your attacker, which is plausible but difficult, since you've got all the problems of attribution to deal with," claims Marcus Ranum, CSO at Tenable Network Security. That's why counter-attack strategies are oft-discussed but seldom implemented, and certainly have not become part of the day-to-day IT security landscape.

"Part of what's going on is that the relevant authorities are seen to be fairly powerless," Ranum adds. "The idea of hiring a private army might seem attractive at first - but this is just going to make the environment more ugly."

Davey Winder
Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.