Hacking back: active defence for the enterprise
Is striking back an advisable strategy for the enterprise? Davey Winder has been investigating.
Compare that to just passively reporting a breach to the authorities, which can often feel like control has been taken even further out of your grasp.
"However, it's much more productive for an enterprise to focus on what they can both manage and control," says Rhodri Davies, managed security services chief technologist at HP Enterprise Security.
"Actively being aware of what is happening within your enterprise and optimising your defences accordingly is a positive process. But, going a step further than this and executing an aggressive active response is of little benefit to an enterprise, both legally and practically."
Can active defence (depending how you define it) be part of an approach to dealing with targeted attacks? Certainly. Should it be the only part of the approach? "Definitely not," according to Rob Sloan, head of response at Context Information Security.
"There is one way to reduce your risk of being successfully attacked and that is to continually improve your defences, monitor your network, hosts and logs for nefarious activity, and expect that at some point you will be compromised and be ready to respond quickly to the incident and have sufficient data to support an investigation," Sloan insists.
If an organisation is at that point, they could consider what an active defence strategy could do for them, what additional risks it may carry and what (if any) benefits it would bring.
"Decision makers should not be swayed by the sexiness of taking the fight back to the attackers," Sloan concludes.
The reason that it's sexy is, perhaps, down to the principle being deeply rooted in topological warfare. Fortunately, this really does bear no resemblance to warfare within corporate computer networks.
"Active defence only makes sense if you think you can actually deter your attacker, which is plausible but difficult, since you've got all the problems of attribution to deal with," claims Marcus Ranum, CSO at Tenable Network Security. That's why counter-attack strategies are oft-discussed but seldom implemented, and certainly have not become part of the day-to-day IT security landscape.
"Part of what's going on is that the relevant authorities are seen to be fairly powerless," Ranum adds. "The idea of hiring a private army might seem attractive at first - but this is just going to make the environment more ugly."