Offensive Cybersecurity: Theory And Reality - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Government // Cybersecurity

Offensive Cybersecurity: Theory And Reality

Can you -- and should you -- strike back at attackers? It's a complex question with ethical, legal, technical and practical considerations.

InformationWeek Green - Jan. 21, 2013 InformationWeek Green
Download the entire Jan. 21, 2013, issue of InformationWeek, distributed in an all-digital format as part of our Green Initiative
(Registration required.)
We will plant a tree for each of the first 5,000 downloads.

Storage Innovation

Faced with the failure of preventive security, going on the attack is an appealing concept. But is it worth the risk? Israeli anti-spam startup Blue Security thought so. The company created a technology that let customers fire back at spammers by blasting opt-out messages to the source of unwanted email; the company maintained centralized control by researching the origin of spam. Essentially, it went on the offense in a big way by creating a botnet -- an army of computers launching denial-of-service attacks through the Internet. Its technology might have made a real dent in spam operations. Then, in mid-2006, Russian mobsters warned Blue Security to stop operations and threatened to launch their own counterattacks. In the face of ongoing attacks, CEO and founder Eran Reshef returned funds to investors and killed the company.

Blue Security faced other challenges, too. Botnet attacks harm the Internet infrastructure and could be considered illegal. Most network operators shied away, so the company was constantly looking for hosting. Still, getting threatened by the Russian mob is a whole other level of intimidation. Organized malware and spam is a big business, and the criminals aren't likely to back off in the face of anything a typical company can throw at them.

Even so, the appeal of striking back is understandable. Whether the damage is a distributed denial-of-service attack (DDoS) forcing a website off the Internet or malware stealing intellectual property, attacks hurt companies. We've spent millions on information security, and what have we to show for it? Most defenses are static, set in advance so attackers can learn to bypass them at their leisure. Most coping mechanisms are reactive. We respond only after a threat is discovered -- if it's discovered -- and probably too late.

Our full report on offensive cybersecurity free with registration.

This report includes 21 pages of action-oriented analysis. What you’ll find:
  • Strategic Security Survey data on the top reasons for increased vulnerability
  • Top breach/espionage threats: cybercriminals tied for No. 1
Get This And All Our Reports

The U.S. military has maintained for some time that it is legally justified in using military force to retaliate against a cyber attack. Presidential Policy Directive 20, signed by President Obama in October after Congress didn't pass the Cybersecurity Act, establishes standards for the federal government's response to attacks, and cybersecurity is specifically addressed in the 2013 National Defense Authorization Act. But for those of us without drones at our disposal, it's still too soon to go on the offensive. I believe the time will come that companies can do so, but for now the legal, ethical, operational and technological challenges are too daunting.

Who's The Attacker?

Even trying to figure out who's responsible for an attack against your systems is difficult. In international law, if a missile is launched from one country into another, we know the entity responsible, regardless of who actually pushed the button. On the Internet -- with millions of compromised computers belonging to botnets -- can a country, or a service provider for that matter, be held responsible for actions by systems in its jurisdiction?

A few years ago, a friend who is a U.S. federal law enforcement officer was tasked with fighting online financial fraud, specifically phishing. He soon discovered the IP address of a computer behind one attack. His team kicked in the owner's door, only to find a family completely clueless that their computer was being used in the phishing scheme. This is called the Trojan horse defense, in which the device owner claims to be unaware: "A hacker broke into my computer."

To read the rest of the article,
Download the Jan. 21, 2013 issue of InformationWeek

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
1/25/2013 | 7:09:20 PM
re: Offensive Cybersecurity: Theory And Reality
The concept of offensive security is definitely attractive, but in reality, it can be a slippery slope. What seems to make the most sense "offensively" is fighting back with disinformation or phony data if you know the attacker is inside, for example.

Kelly Jackson Higgins, Senior Editor, Dark Reading
IT Careers: 10 Industries with Job Openings Right Now
Cynthia Harvey, Freelance Journalist, InformationWeek,  5/27/2020
How 5G Rollout May Benefit Businesses More than Consumers
Joao-Pierre S. Ruth, Senior Writer,  5/21/2020
IT Leadership in Education: Getting Online School Right
Jessica Davis, Senior Editor, Enterprise Apps,  5/20/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
Key to Cloud Success: The Right Management
This IT Trend highlights some of the steps IT teams can take to keep their cloud environments running in a safe, efficient manner.
Flash Poll