Jan 23, 2013
Offense is the new defense for private-sector security professionals, some pundits would have you believe. Whether you call it "hacking back" or old-fashioned eye-for-an-eye retaliation, offensive security calls for profiling and, if possible, individually identifying an attacker and taking countermeasures to harm the attacker's systems. Governments have experimented with offensive security and have their own reasons and hesitations around pursuing it. For the private sector, though, it's a controversial approach that IT and business leaders should understand.
Why the focus on offense? In conventional warfare, all things being equal, defense is the stronger position. Defenders can marshal resources over time, while attackers need to maintain supply lines. Defenders can continuously fortify, while attackers can usually tap their main advantage -- surprise -- only once. However, in the cyber world, the attacker has the clear advantage. Firewalls and other controls are structured ahead of time; attackers can choose where they wish to strike and how. Attackers can test their tactics endlessly against defenses, such as when malware authors check if their creations are detected by antivirus products, for negligible cost and effort. To gain access and establish a beachhead requires only one vulnerability. Defenders, however, must protect everything -- hence the focus on managing based on risk. As a result, IT is reactive, responding with all the precision of a whack-a-mole player.