Why Security Teams Need To Play More Offense

Anonymous: 10 Facts About The Hacktivist Group

The recipe for a cyber-attack is straightforward: Attackers gather intelligence on the target's systems, research vulnerabilities, exploit those weaknesses, gain control of the systems, and conduct post-exploitation operations.

Yet for the first three parts of attackers' operations, most defenders do nothing. Only after attackers act on a corporate network--the fourth step--does a victim's security team becomes aware of the attack. In a presentation at the SOURCE Boston security conference last week, independent security consultant Iftach Ian Amit told attendees that defenders need to do better.

"We are basically just waiting to be attacked," he said.

Increasingly, security experts are recommending that companies become more aggressive in gathering information on their attackers. According to Amit, companies need to gather or buy intelligence on adversaries and should consider more active counter-intelligence operations. Rather than hunker down behind the firewall like defenders of a medieval castle, security analysts should explore the landscape. To match attackers' first steps, Amit said, defenders should model their organization's threats, gather intelligence, and correlate the data to pinpoint possible threats.

"We can be much more active [in defending our networks,]" Amit said. "Counter-intel is fair game ... Everything around is yours; you better know everything that goes on out there."

The case for more active defense has gained support over the past few years. In 2009, the then-classified Comprehensive National Cyber Initiative--the U.S. government's cybersecurity strategy--reportedly relied heavily on the concept of a defense that adapts to the offense. Rather than focusing on all vulnerabilities equally, for example, defenders can use data from actual attacks to help them create specific defenses to protect critical infrastructure and corporate networks.

Support for more active responses to attacks has grown as well. In 2009, two researchers presenting at the Conference on Cyber Warfare in Tallin, Estonia, argued that some groups be allowed to shutter botnets on behalf of the victims. With the Microsoft Active Response for Security (MARS) program, Microsoft has essentially done just that--shutting down four botnets in the past two years and showing that offensive actions can help protect defenders.

[ Microsoft's Zeus botnet case demonstrates the risks and challenges associated with takedowns when multiple groups are tracking the same botnet. See Botnet Takedowns Can Incur Collateral Damage. ]

While many companies are satisfied with keeping a passive defense, others chafe at the constant stream of attacks and their inability to attack back, said Ken Silva, senior vice president for cyber strategy at information technology contractor ManTech International.

"I will tell you that companies today are getting very frustrated with the continuous landscape of compromise," Silva said. "They feel incredibly helpless, so they are looking for the next thing they can do ... The measures that companies will take to defend themselves is going to escalate."

Read the rest of this article on Dark Reading.

When picking endpoint protection software, step one is to ask users what they think. Also in the new, all-digital Security Software: Listen Up! issue of InformationWeek: CIO Chad Fulgham gives us an exclusive look at the agency's new case management system, Sentinel; and a look at how LTE changes mobility. (Free registration required.)