The discussion about the viability of enterprises to go on the offense against cybercriminal gangs is reaching a fevered pitch, with most experts questioning the legality of striking back at attackers. But security experts point out that there are some “offensive-like” tactics that have the ability to drive up the cost of hacking into a corporate network, and if deployed properly, the techniques could have a major impact on the threat landscape.
“There are interesting questions about how far one can go and what types of attackers striking back will actually be effective against,” said Hugh Thompson, chief security strategist at Sunnyvale, Calif.-based Blue Coat Systems Inc. and RSA Conference program committee chairman. Thompson said he anticipates a greater discussion about offensive tactics in sessions at the annual security event scheduled at the end of February. “It doesn’t necessarily have to go from zero to launching a full out assault against cybercrime infrastructure. It could be much more subtle things like feeding people misinformation.”
The issue of going on the offensive has been raised by a number of firms, including Seattle-based security firm Crowdstrike, whose co-founder and CTO Dmitri Alperovitch insisted that it is not out of the question to take some action to disrupt, degrade or take down an adversary’s infrastructure. “We want to get the adversary to think that if they launch an attack against a victim, there will be costs to pay,” Alperovitch said during a conference call with reporters late last year. Those opposed to going on the offense raise the issue of attribution as a major factor why offensive security won’t work. They say it’s too difficult to pinpoint the location and source of many cyberattacks.
Software security expert Gary McGraw explained that the U.S. should build proactive defense capabilities rather than pour billions into cyberweapons. McGraw likens the use of offensive cyberweapons to “unleashing the cyber-rocks from inside of our glass houses since everyone can or will have cyber-rocks.”
“Even in the case of verifiable attribution and controlled proliferation, it is not clear how a purely cyber preemptive or retaliatory strike would incapacitate the target’s offensive cyber-capabilities,” McGraw said in a column on the issue.
There are other offensive security tactics that sidestep the issue of attribution altogether. Deceptive tactics can be deployed by the most targeted companies, such as those in the financial or defense sectors, experts said. Creating multiple environments, phony documents and other fake systems could help trip up an attacker, said Paul Kurtz, managing director at Baltimore-based, CyberPoint International. Kurtz said it helps drive up the cost of hacking and could help eliminate some cybercriminal operations.
“There are lots of interesting people out there with interesting experience, who can think like the bad guys,” Kurtz said. “So it’s about thinking of what is going to throw the bad guys off.”
Offensive security tactics have one major drawback: Building and maintaining phony environments is costly, Kurtz said. Private sector firms also want to refrain from specifically targeting hacking groups since it raises ethical questions and the legality of the practice, he said.
“I’m not advocating punching back, but there are a lot of large enterprises that are tired of taking it on the chin,” Kurtz said.
The interest in conducting offensive cybertactics is coming from enterprises in the financial sector, government contractors and government agencies, said Tom Kellermann, vice president of cybersecurity at Cupertino, Calif.-based Trend Micro Inc. Kellermann is an advocate of custom sandboxing, because he says it can help organizations study how a threat manifested in the environment, how it moved laterally and what it did for command and control. You can attribute an attack to a specific actor with 95% accuracy, Kellerman said.
“The thing to understand is that this doesn’t solve your problem,” Kellermann said. “It tells you how you were hunted, who is hunting you, and where they might live.”