Offensive Cybersecurity: Theory And Reality - InformationWeek
Government // Cybersecurity
12:25 PM

Offensive Cybersecurity: Theory And Reality

Can you -- and should you -- strike back at attackers? It's a complex question with ethical, legal, technical and practical considerations.

InformationWeek Green - Jan. 21, 2013 InformationWeek Green
Download the entire Jan. 21, 2013, issue of InformationWeek, distributed in an all-digital format as part of our Green Initiative
(Registration required.)
We will plant a tree for each of the first 5,000 downloads.

Storage Innovation

Faced with the failure of preventive security, going on the attack is an appealing concept. But is it worth the risk? Israeli anti-spam startup Blue Security thought so. The company created a technology that let customers fire back at spammers by blasting opt-out messages to the source of unwanted email; the company maintained centralized control by researching the origin of spam. Essentially, it went on the offense in a big way by creating a botnet -- an army of computers launching denial-of-service attacks through the Internet. Its technology might have made a real dent in spam operations. Then, in mid-2006, Russian mobsters warned Blue Security to stop operations and threatened to launch their own counterattacks. In the face of ongoing attacks, CEO and founder Eran Reshef returned funds to investors and killed the company.

Blue Security faced other challenges, too. Botnet attacks harm the Internet infrastructure and could be considered illegal. Most network operators shied away, so the company was constantly looking for hosting. Still, getting threatened by the Russian mob is a whole other level of intimidation. Organized malware and spam is a big business, and the criminals aren't likely to back off in the face of anything a typical company can throw at them.

Even so, the appeal of striking back is understandable. Whether the damage is a distributed denial-of-service attack (DDoS) forcing a website off the Internet or malware stealing intellectual property, attacks hurt companies. We've spent millions on information security, and what have we to show for it? Most defenses are static, set in advance so attackers can learn to bypass them at their leisure. Most coping mechanisms are reactive. We respond only after a threat is discovered -- if it's discovered -- and probably too late.

Our full report on offensive cybersecurity free with registration.

This report includes 21 pages of action-oriented analysis. What you’ll find:
  • Strategic Security Survey data on the top reasons for increased vulnerability
  • Top breach/espionage threats: cybercriminals tied for No. 1
Get This And All Our Reports

The U.S. military has maintained for some time that it is legally justified in using military force to retaliate against a cyber attack. Presidential Policy Directive 20, signed by President Obama in October after Congress didn't pass the Cybersecurity Act, establishes standards for the federal government's response to attacks, and cybersecurity is specifically addressed in the 2013 National Defense Authorization Act. But for those of us without drones at our disposal, it's still too soon to go on the offensive. I believe the time will come that companies can do so, but for now the legal, ethical, operational and technological challenges are too daunting.

Who's The Attacker?

Even trying to figure out who's responsible for an attack against your systems is difficult. In international law, if a missile is launched from one country into another, we know the entity responsible, regardless of who actually pushed the button. On the Internet -- with millions of compromised computers belonging to botnets -- can a country, or a service provider for that matter, be held responsible for actions by systems in its jurisdiction?

A few years ago, a friend who is a U.S. federal law enforcement officer was tasked with fighting online financial fraud, specifically phishing. He soon discovered the IP address of a computer behind one attack. His team kicked in the owner's door, only to find a family completely clueless that their computer was being used in the phishing scheme. This is called the Trojan horse defense, in which the device owner claims to be unaware: "A hacker broke into my computer."

To read the rest of the article,
Download the Jan. 21, 2013 issue of InformationWeek

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
1/25/2013 | 7:09:20 PM
re: Offensive Cybersecurity: Theory And Reality
The concept of offensive security is definitely attractive, but in reality, it can be a slippery slope. What seems to make the most sense "offensively" is fighting back with disinformation or phony data if you know the attacker is inside, for example.

Kelly Jackson Higgins, Senior Editor, Dark Reading
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll