A noted security expert is advocating the need for the federal government and some private-sector firms to go on the offensive against sophisticated cybercriminals, hunting down and disabling their systems in an attempt to make their activities cost-prohibitive.

Going on the offensive could deter nation states from conducting offensive cyberstrikes against critical infrastructure, and deter financially motivated cybercriminals from targeting certain private-sector companies, said Dmitri Alperovitch, co-founder and CTO of security firm CrowdStrike. Alperovitch spoke to reporters during a conference call about proactive defense on Wednesday. The event was coordinated by organizers of the RSA Conference, one of the security industry's largest annual events. "Active defense is a euphemism for going outside of your network and taking some action to disrupt, degrade or take down your adversary's infrastructure," Alperovitch said. "It's about taking actions to disrupt them in a business sense as well."

Taking an offensive security approach is emerging as a controversial issue, with some experts calling it potentially dangerous because it could provoke terrorist groups, nation-states and other organizations that have the resources to invest in attack tools, new malware and skilled hackers. Experts say it is costly and potentially illegal to go on the offensive because in most cases it is difficult to pinpoint the location and source of many cyberattacks. "There's a huge difference between striking back through the net and striking back through the courts," said Pete Lindstrom, research director at security research firm Spire Security. "It's intriguing but very dangerous. It's one thing to probe someone and another thing to somehow disable someone or develop a presence on their systems."

CrowdStrike hopes to assist organizations in tracing, disrupting and unveiling cybercriminal operations. The company is led by George Kurtz, the former CEO of Foundstone and CTO of McAfee, and has built up a cadre of high-profile names, including Shawn Henry, who spent 24 years with the FBI, and most recently Steven Chabinsky, a 17-year FBI veteran who served as the FBI's top cyber-lawyer.

An offensive tactic was put to use more recently by the Georgian Computer Emergency Response Team (CERT). In a report (.pdf) issued by that country, the computer forensics team pinpointed the location of an attacker based on his ISP by luring him with a fictitious document titled "Georgian-Nato Agreement," which contained malware. Georgian officials indicated that the malware enabled them to capture video of a Russian hacker. As another example, Alperovitch said the private sector has the authority under limited circumstances to go into a server being used for stolen data storage and get the data back. Security teams can use the exact same credentials used by the attacker, taken from network captures, and only access and remove the stolen data.

Spire Security's Lindstrom doesn't completely dismiss a more active approach to cybersecurity. Enterprises could seek court approval to shut down malicious command-and-control servers, as Microsoft has done. Taking out malicious servers is somewhat of a game of "Whac-A-Mole," but over time, it can have a desirable impact, he said. "We're trained now as security professionals to always say we can't stop someone who has a million dollars to spend on resources," Lindstrom said. "It's prudent to believe that, but not everyone is going to have a million dollars. If you can invade their territory, what would it do to their morale and confidence?"

Cross-posted from: Search Security
