Security Experts Debate Value of Transitioning From Defense to Offense
A few weeks ago at the Aspen Security Forum, Gen. Keith Alexander, National Security Agency director, said the number of attacks against America's critical infrastructure increased seventeenfold between 2009 and 2011. Now as much as ever, some argue, a gap exists between the protection capabilities of today's enterprises and the penetration capabilities of modern attackers.
Bridging that gap has traditionally relied on technologies that could be viewed as reactive, such as antivirus signatures, firewalls and intrusion-prevention systems. But some say today's threat landscape may require a different approach, one that mixes defense with a little more offense.
"It is totally fair to say that traditional approaches are too reactionary," said Eric Ogren, principal with analyst firm The Ogren Group. "AV [antivirus] and firewalls are just not clever enough to ferret out new attacks. I believe IT has to become more nimble and agile in managing the infrastructure to prevent attacks from lingering."
In some ways, securing networks and devices has always been a game of catch-up, or perhaps more precisely, whack-a-mole, where new security crises erupt and are resolved with security technology just in time for another one to emerge.
"Each generation of threat advances has resulted in protection advances: more inspection of inbound email to detect phishing, Web security gateways looking at inbound Web code, next-generation firewalls looking at applications, etc.," said Gartner analyst John Pescatore. "Then the threats make another advance. This will be life until technology stops advancing. There will always be crime and criminal advances, and the good guys get to move second."
But with the amount of malware continuing to grow, some security companies are advocating a more proactive defensive strategy. One example of this is CrowdStrike, which is centered on helping companies build security defenses based on better intelligence of hacking crews and what they are after. CrowdStrike CEO and co-founder George Kurtz, an alumnus of security company McAfee, explained that knowing the tactics, tools and goals of hacking groups allows organizations to make informed decisions based on risk.
"If you were in battle," Kurtz said, "and you were sitting in the middle of the field, would you be waiting to get bombed or would you want to know that there's an adversary that's over the hill; they are coming from the south; they've got certain capabilities in terms of armament; and if we position ourselves in a certain way, we are going to be better able to protect against their attack?"
"What we're talking about is providing this linkage of who, what and why so that you can make risk-based decisions which really have a much greater impact on the business," said Kurtz. With this information in hand, companies can look for ways to make attacks more expensive for hackers by improving defenses with an eye toward the attackers' tactics and goals, he said.
But there are some who take a more aggressive approach. In a survey of 181 attendees at the recent Black Hat USA conference in Las Vegas, security company nCircle found that 36 percent admitted they had engaged in retaliatory hacking in the past.
In a column for SecurityWeek, Radware CTO Avi Chesla argues that cyber-counterattacks should be part of security strategies. A counterattack should include the following steps: detecting and blocking the initial attack, identifying the attack tool, locating weaknesses in the attack tool in real-time or based on previous information, attacking those weaknesses, and slowing down or neutralizing the attack tool.