Government // Cybersecurity
News
1/18/2013
12:25 PM
50%
50%

Offensive Cybersecurity: Theory And Reality

Can you -- and should you -- strike back at attackers? It's a complex question with ethical, legal, technical and practical considerations.

InformationWeek Green - Jan. 21, 2013 InformationWeek Green
Download the entire Jan. 21, 2013, issue of InformationWeek, distributed in an all-digital format as part of our Green Initiative
(Registration required.)
We will plant a tree for each of the first 5,000 downloads.

Storage Innovation

Faced with the failure of preventive security, going on the attack is an appealing concept. But is it worth the risk? Israeli anti-spam startup Blue Security thought so. The company created a technology that let customers fire back at spammers by blasting opt-out messages to the source of unwanted email; the company maintained centralized control by researching the origin of spam. Essentially, it went on the offense in a big way by creating a botnet -- an army of computers launching denial-of-service attacks through the Internet. Its technology might have made a real dent in spam operations. Then, in mid-2006, Russian mobsters warned Blue Security to stop operations and threatened to launch their own counterattacks. In the face of ongoing attacks, CEO and founder Eran Reshef returned funds to investors and killed the company.

Blue Security faced other challenges, too. Botnet attacks harm the Internet infrastructure and could be considered illegal. Most network operators shied away, so the company was constantly looking for hosting. Still, getting threatened by the Russian mob is a whole other level of intimidation. Organized malware and spam is a big business, and the criminals aren't likely to back off in the face of anything a typical company can throw at them.

Even so, the appeal of striking back is understandable. Whether the damage is a distributed denial-of-service attack (DDoS) forcing a website off the Internet or malware stealing intellectual property, attacks hurt companies. We've spent millions on information security, and what have we to show for it? Most defenses are static, set in advance so attackers can learn to bypass them at their leisure. Most coping mechanisms are reactive. We respond only after a threat is discovered -- if it's discovered -- and probably too late.

Our full report on offensive cybersecurity free with registration.

This report includes 21 pages of action-oriented analysis. What you’ll find:
  • Strategic Security Survey data on the top reasons for increased vulnerability
  • Top breach/espionage threats: cybercriminals tied for No. 1
Get This And All Our Reports

The U.S. military has maintained for some time that it is legally justified in using military force to retaliate against a cyber attack. Presidential Policy Directive 20, signed by President Obama in October after Congress didn't pass the Cybersecurity Act, establishes standards for the federal government's response to attacks, and cybersecurity is specifically addressed in the 2013 National Defense Authorization Act. But for those of us without drones at our disposal, it's still too soon to go on the offensive. I believe the time will come that companies can do so, but for now the legal, ethical, operational and technological challenges are too daunting.

Who's The Attacker?

Even trying to figure out who's responsible for an attack against your systems is difficult. In international law, if a missile is launched from one country into another, we know the entity responsible, regardless of who actually pushed the button. On the Internet -- with millions of compromised computers belonging to botnets -- can a country, or a service provider for that matter, be held responsible for actions by systems in its jurisdiction?

A few years ago, a friend who is a U.S. federal law enforcement officer was tasked with fighting online financial fraud, specifically phishing. He soon discovered the IP address of a computer behind one attack. His team kicked in the owner's door, only to find a family completely clueless that their computer was being used in the phishing scheme. This is called the Trojan horse defense, in which the device owner claims to be unaware: "A hacker broke into my computer."

To read the rest of the article,
Download the Jan. 21, 2013 issue of InformationWeek

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
1/25/2013 | 7:09:20 PM
re: Offensive Cybersecurity: Theory And Reality
The concept of offensive security is definitely attractive, but in reality, it can be a slippery slope. What seems to make the most sense "offensively" is fighting back with disinformation or phony data if you know the attacker is inside, for example.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Cyber Security Standards for Major Infrastructure
Cyber Security Standards for Major Infrastructure
The Presidential Executive Order from February established a framework and clear set of security standards to be applied across critical infrastructure. Now the real work begins.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Nov. 10, 2014
Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 16, 2014.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.