Offensive Tactics Carry Legal Liability Risks
Security Experts Debate Shifting From Defensive to Offensive Tactics
A few weeks ago at the Aspen Security Forum, Gen. Keith Alexander, National Security Agency director, said the number of attacks against America's critical infrastructure increased seventeenfold between 2009 and 2011. Now as much as ever, some argue, a gap exists between the protection capabilities of today's enterprises and the penetration capabilities of modern attackers.
Bridging that gap has traditionally relied on technologies that could be viewed as reactivesuch as antivirus signatures, firewalls and intrusion-prevention systems. But some say today's threat landscape may require a different approachone that mixes defense with a little more offense.
"It is totally fair to say that traditional approaches are too reactionary," said Eric Ogren, principal with analyst firm The Ogren Group. "AV [antivirus] and [firewalls] are just not clever enough to ferret out new attacks. I believe IT has to become more nimble and agile in managing the infrastructure to prevent attacks from lingering."
In some ways, securing networks and devices has always been a game of catch-up; or perhaps more precisely, whack-a-mole, where new security crises erupt and are resolved with security technology just in time for another one to emerge.
"Each generation of threat advances has resulted in protection advancesmore inspection of inbound email to detect phishing, Web security gateways looking at inbound Web code, next-generation firewalls looking at applications, etc.," said Gartner analyst John Pescatore. "Then the threats make another advance ¦ This will be life until technology stops advancing. There will always be crime and criminal advances and the good guys get to move second."
But with the amount of malware continuing to grow, some security companies are advocating a more proactive defensive strategy. One example of this is CrowdStrike, which is centered on helping companies build security defenses based on better intelligence of hacking crews and what they are after. CrowdStrike CEO and co-founder George Kurtz, an alumnus of security company McAfee, explained that knowing the tactics, tools and goals of hacking groups allows organizations to make informed decisions based on risk.
"If you were in battle," he said, "and you were sitting in the middle of the field, would you be waiting to get bombed or would you want to know that there's an adversary that's over the hill; they are coming from the south; they've got certain capabilities in terms of armament; and if we position ourselves in a certain way, we are going to be better able to protect against their attack, Kurtz said.
What we're talking about is providing this linkage of who, what and why so that you can make risk-based decisions which really have a much greater impact on the business," said Kurtz. With this information in hand, companies can look for ways to make attacks more expensive for hackers by improving defenses with an eye toward the attackers' tactics and goals, he said.
But there are some who take a more aggressive approach. In a survey of 181 attendees at the recent Black Hat USA conference in Las Vegas, security company nCircle found that 36 percent admitted they had engaged in retaliatory hacking in the past.
Offensive Tactics Carry Legal Liability Risks
In a column for SecurityWeek, Radware CTO Avi Chesla argues that cyber-counterattacks should be part of security strategies. A counterattack should include the following steps: detecting and blocking the initial attack, identifying the attack tool, locating weaknesses in the attack tool in real-time or based on previous information, attacking those weaknesses, and slowing down or neutralizing the attack tool.
"Identification of the attack tool used as a vehicle to carry [out] the attack campaign is done though pattern-matching," he explained in the column. "There are hundreds of attack tools used in todays market, each one capable of generating different types of attacks. Each attack tool has some kind of fingerprint, invariant to the attack content itself, which can be detected through different pattern-matching algorithms."
"Attack tools that rely on the operating system TCP congestion control algorithm usually possess a weakness that a counterattack operation could exploit to exhaust the attacking machines stack and CPU resources," he added. "The TCP congestion control and avoidance algorithms are designed to transfer larger chunks of traffic [packets] as long as no traffic congestion is identified [e.g., no packet drops, relatively short round trip time, etc.]."
But entering the world of hacking back can put organizations in a legal minefield. During his talk at Black Hat, Robert Clark, operational attorney for U.S. Cyber Command, noted that organizations could potentially violate laws such as the Computer Fraud and Abuse Act by, for example, hacking an attacker's network and deleting stolen data.
"We're looking to push the legal boundaries of what people can do," Kurtz said. "We're talking to a lot of companies who have had breaches. ¦ They're interested in more of a counter [intelligence] approach."
For example, he said, there are larger companies that have expressed interest in running operations that allow attackers to steal fake intellectual property as a way to combat espionage.
"When you start to have doubt of the validity of the data, [attacking] becomes more costly," he said. "Those are the types of things that some of the bigger, more progressive companies are thinking about. It's got to be very targeted, and you've got to have the intelligence to understand what people are coming after. But they are tired of just sitting back and having this stuff stolen. And if they can do something within the legal bounds to make the adversary's life more difficult and time consuming, everything's on the table."
But that may not be a smart move, argued Pescatore.
"Do you see many banks going on the offense against bank robbers? Or many retail shops going on the offense against shoplifters? Nobecause it would be a bad business decision," he said. "Make your bank harder to break into, your merchandise harder to steal and leave the enforcement and infiltration to the law-enforcement side."