Offensive security

I have written several times in the past here, here and here about the notion of taking cyber security on the offensive.

James Anderson, president of Professional Assurance LLC, says that there is no evidence that governments can protect large firms from cyber attacks. “National security authorities may not even acknowledge that their interests align with a company that has suffered a cyber attack; therefore, companies must think about retaliation,” he says.

Should a company take retaliatory steps beyond simply increasing its own defensive perimeter? The answer depends on the seriousness of the attack and the potential threat from future attacks. Anderson says that simply turning over evidence to law enforcement may not save the company from future cyber attacks. But, if the attack had to do with a government’s critical infrastructure, authorities may take an interest; however, there are no established service levels for government response.

For example, Anderson says some activities that might be considered retaliatory are:

  • legal information gathering to identify attackers,
  • direct blocking of network traffic from specific origins,
  • use of transaction identifiers that label the traffic as suspicious,
  • placement of honeypots,
  • identifying and actively referring botnet details for blacklisting or referral to authorities or industry associations, and
  • certain types of deception gambits against suspected internal malefactors.

This is not the first time that I’ve heard the notion of retaliation using cyber space methods. There are two things wrong with this direction – a) retaliation and b) using cyber security methods to attack the attackers.

The notion that there are two separate universes, a physical universe and a cyber universe, is wrong. There is one continuum of cyber space and physical space. Forget retaliation and go on the offensive. That means use counter terror techniques to discover hacker cells, infiltrate and disrupt them in the physical world. The problem of course is the price tag. It’s cheap to mount a cyber attack but if an attacker knew that they would lose their life if they attacked a US government installation with malware, a deterrent would be created.

Retaliation doesn’t create deterrence – at most, retaliation makes people angry. Just look at the reaction of Palestinian terrorists to Israeli retaliation raids.

Retaliation in cyber space is too late, too little. Instead – I call on the US and other governments to actively combat cyber terror with the same resolve that they attack physical world terrorists.


4 thoughts on “Offensive security”

  1. I agree up to a point; if retaliation didn’t create a deterrence then we wouldn’t have jail sentences.
    The alternative is to remain an easy target, a fire to freely pummel, target practice. The US no longer has coastal defense batteries; they don’t work. Lulzsec had second thoughts about hitting Facebook as they do have an active cyber offense; Lulzsec specifically mentioned they wouldn’t hit them again.

    Internet Anthropologist

    1. Gerald
      My post relates to comments by William Lynn III US Deputy Defense:

      In his article several months ago in Foreign Affairs Lynn claims:

      Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation. To stay ahead of its pursuers, the United States must constantly adjust and improve its defenses.

      This is absurd. See my post What if Al qaeda got stuxnet?
      The US and its allies should not wait until being attacked and then debate if retaliation is effective or not or how to deny benefit to attackers.
      The US and its allies should be taking a proactive approach using anti-terror methods that work, to combat cyber terrorists.

      Regarding state sponsored cyber attacks, it seems that the US is making strides, primarily in defenses.
