Proactivity is now seen by security teams as a viable solution to the challenge of defending enterprises against the ever-growing threat landscape. This might conjure up images of vigilantes setting out to get revenge for attacks, but the reality is rather different.
In my career I have witnessed organisations that went after those that attacked them to disable their infrastructure or recover their data. Is this wrong in terms of what they’re doing? According to the law, yes. But according to common sense? Well, I can certainly see where they were coming from.
Nevertheless, there are some questions which must be seriously considered before adopting an offensive strategy, and some alternative, intelligence-driven collaborative approaches that serve better instead.
Can organisations realistically go on the offensive?
Yes, organisations may just be trying to protect themselves or recover stolen data, but they aren’t necessarily trained to go on the offensive. What if they attack the wrong server or organisation? What if they don’t know how to use the tools they have found and downloaded? What if their actions escalate the cyber war and the attacker decides to completely disable the company in some way that is financially and operationally ruinous?
We, as a security community, have enough trouble finding qualified and trained candidates to defend our networks. Finding or training someone who can properly go on the offense is even more difficult. We can’t have policies or laws that allow blanket protection for organisations going on the offensive when there is no standard or requirements for experience, training, or skill associated with that function.
The idea of select organisations being granted permission to conduct commercial offensive attacks has been thrown out in the past to alleviate the concerns above. However, it still leads into murky water around policy and controlling and monitoring what those select organisations are actually doing.
Do you really know your enemy (and is it a nation state)?
Attributing attacks has always been difficult. Similarities with historical attacks and TTPs might make you think an attack comes from a particular hacking group or country. The reality is that it is easy to mimic an attack on paper, but far harder to reproduce its construction convincingly. I’ve been part of organisations able to accurately identify individuals and locations, and I’ve been part of organisations that were just making a best guess based on experience and available information. Commercial organisations often blame nation states for various attacks, but these commercial organisations also face a great deal of cyber-crime infrastructure that affects their operations.
The enemy in these scenarios can be rogue hosting networks: Internet Service Providers (ISPs) that knowingly host criminals and criminal activity and offer protection against being cut off. It can also be botnet infrastructure, which is often distributed and especially hard to take down if you’re a commercial organisation, because it can operate undetected for long periods, hiding its main command-and-control (C&C) servers behind proxying layers or on other victim systems.
Identifying the true enemy can be out of reach for commercial organisations, and getting it wrong is high risk; nevertheless, such adversaries have been taken down when those organisations partner with the right agencies and companies.
A good example is the takedown of the Dridex botnet which targeted online bank accounts and stole millions of dollars between 2011 and 2017. With support from the European authorities, the FBI and National Crime Agency coordinated their efforts to help cyber security experts and law enforcement disinfect thousands of compromised computers.
How can the private and public sectors better collaborate to secure against attacks?
Speaking of collaboration, one of the key issues is crossing the chasm between private and public sector intelligence. This has always been an issue because, once you move past indicators of compromise (IP addresses, domain names, etc.), reporting from the government tends to be classified and not shared throughout industry.
I’m not the first one with this idea, but I would like to see the government start to share its knowledge and expertise around attacks (to include additional context of who, what, where, when, how, why) so organisations can make smart decisions and have better awareness around the attacks they face day in and day out.
An organisation that’s aiming for proactive cybersecurity needs to ensure it has the intelligence to back up its strategy. “Going it alone” just isn’t possible in the threat environment we face. Instead, collaboration with law enforcement forms the critical foundation for accurately identifying our enemies and giving us any hope of being able to go on the offensive against them.