A noted security expert is advocating that the federal government and some private-sector firms go on the offensive against sophisticated cybercriminals, hunting down and disabling their systems in an attempt to make their activities cost-prohibitive.
Going on the offensive could deter nation-states from conducting cyberstrikes against critical infrastructure and discourage financially motivated cybercriminals from targeting certain private-sector companies, said Dmitri Alperovitch, co-founder and CTO of security firm CrowdStrike. Alperovitch spoke to reporters on Wednesday during a conference call about proactive defense; the event was coordinated by organizers of the RSA Conference, one of the security industry's largest annual events.
"Active defense is a euphemism for going outside of your network and taking some action to disrupt, degrade or take down your adversary's infrastructure," Alperovitch said. "It's about taking actions to disrupt them in a business sense as well."
Taking an offensive security approach is emerging as a controversial issue. Some experts call it potentially dangerous, warning that it could provoke escalation by terrorist groups, nation-states and other organizations that have the resources to invest in attack tools, new malware and skilled hackers. Experts also say it is costly and potentially illegal to go on the offensive because, in most cases, reliable attribution is hard: it is difficult to pinpoint the location and source of a cyberattack, so a counterstrike risks hitting the wrong target.
"There's a huge difference between striking back through the net and striking back through the courts," said Pete Lindstrom, research director at security research firm Spire Security. "It's intriguing but very dangerous. It's one thing to probe someone and another thing to somehow disable someone or develop a presence on their systems."
CrowdStrike hopes to assist organizations in tracing, disrupting and exposing cybercriminal operations. The company is led by George Kurtz, the former CEO of Foundstone and CTO of McAfee, and has built up a cadre of high-profile names, including Shawn Henry, who spent 24 years with the FBI, and most recently Steven Chabinsky, a 17-year FBI veteran who served as the FBI's top cyber-lawyer.
"We want to get adversary to think that if [we] launch [an] attack against a victim, there will be costs to pay," said Alperovitch, who admitted that a fully offensive approach hasn't been broadly tested. He said organizations like Microsoft have found some success with the legal system in getting spam botnets shut down. But many cybercriminals keep returning to their nefarious activities, despite having their operations repeatedly disrupted.
An offensive tactic was put to use more recently by the Georgian Computer Emergency Response Team (CERT). In a report (.pdf) issued by that country, the computer forensics team traced an attacker to his ISP by luring him with a fictitious document titled "Georgian-Nato Agreement," which carried malware planted by the defenders. Georgian officials indicated that the malware enabled them to capture video of a Russian hacker.
"A determined adversary will always get in," Alperovitch admitted, adding that today most offensive security tactics are illegal. "It's conceivable that they will spend $100,000 -- or even a million dollars -- because there is nothing that compares to the return that you will get."
For example, Alperovitch said the private sector has the authority, under limited circumstances, to access a server being used to store stolen data and retrieve that data. Security teams can use the exact same credentials used by the attacker, taken from network captures, and access and remove only the stolen data. "There are constraints on that," Alperovitch said. "If you can call the FBI or police to take that action, then you do not have authority to take law into your own hands and should follow the normal process."
Spire Security's Lindstrom doesn't completely dismiss a more active approach to cybersecurity. Enterprises could seek court approval to shut down malicious command-and-control servers, as Microsoft has done. Taking out malicious servers is something of a game of "Whac-A-Mole," but over time it can have a desirable impact, he said.
"We're trained now as security professionals to always say we can't stop someone who has a million dollars to spend on resources," Lindstrom said. "It's prudent to believe that, but not everyone is going to have a million dollars. If you can invade their territory, what would it do to their morale and confidence?"