cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
adi111
Newcomer II

Security a Defense or Offense

As per the old saying "The best defense is a good offense". Since we have created most of our security models based on the Army to secure our systems. It is our requirement to create a security Doctrine for our cyber security as well. May be most of the countries who are anticipating or preparing for cyber warfare already had one in place. 

 

The question i often ask myself is can we follow the same approach when we create/plan our security solutions. Why not attack the attacker to secure our assets ? Do we have enough capability to do so ?  Let me know your thoughts.

5 Replies
Beads
Advocate I

Below is part of your puzzle. I would consider what we do in InfoSec to be much at all comparable to modern military tactics/combined arms. Most InfoSec defenses still look like a castle defense with tall walls and no "air defense", etc.

 

Most organizations I have consulted for are still in the assume breach stance, thinking that the bad guys are already in but not detected. Few organizations have the security maturity to assume otherwise but this requires a budget larger than the security wallet generally can tolerate.

 

As far as going on the offense, go for it. You will loose against a much better prepared opponent as your dealing with a class of hacker that should be considered to be at the professional mercenary not the local militia.

 

There is also legislation in the House of Representatives making it legal for private organizations to "fight back" against hacking attacks. This idea has been tried before and again unless your really willing and able to take on a bad nation state actor I would SERIOUSLY counsel against kicking that hornets nest unless you and your organization is fully prepared to fight 7/24/365 and still loose. Some organizations are already in this battle and its expensive. 

 

Harden your network as best your budget allows but stay out of the InfoSec war business unless you are fully prepared to take serious casualties.

 

https://www.cyberscoop.com/ppd-20-white-house-national-security-council-cyber-warfare-tactics/

CISOScott
Community Champion

Here is how I see offensive vs. defensive in INFOSEC today.

Defensive security means passive and reactive only security. You find a virus and then remediate it. You find an intrusion and you stop it.

Offensive means you are actively searching for threats and trying to eliminate/stop them as fast as possible.

Most companies do not have the manpower to effectively do offensive security so they remained chained to the defensive posture trying to fight the fight as best they can. I am gathering metrics now so that I can help my agency see the need to hire more people to start implementing proactive security.

I can already see that I will need to provide training to my current security resources as they have not received any training except on the job.

CISOScott
Community Champion

Also you would have to have some VERY good people to do attack-back type of services. You would have to be able to be almost 100% certain of your target or else face the consequences of attacking the wrong person (i.e. a hosting service, or worse yet- a compromised but unwilling/unknowing host, the bad guys were doing their attacks through.)

 

 

Baechle
Advocate I

Ken,

 

I think your comments in this thread are on the right path.  First, hack-back has some severe liabilities from the standpoint of misattribution (were you hacking-back the hacker, or another victim that was used as a pivot?).  Second, I think that what we’re looking to do here is change the big security apparatus from being a reactive machine to a proactive one.

 

Being proactive doesn’t mean being offensive, or even hacking-back.  Being proactive means going a little beyond the baseline security measures.  Installing “Tripwires” on your password database, hardening outbound Firewall rules instead of just the inbound ones, installing a SEIM aggregator/dashboard and starting to get a feel for your system’s behavior baseline are all low-level examples.  A more extreme example is installing a honey-net, or exposing decoy documents with beacons to help you identify the sources of traffic you need to cut off (for a paper on the topic, see http://ids.cs.columbia.edu/sites/default/files/DecoyDocumentsCameraReadySECCOM09.pdf).

 

Proactive doesn’t mean that you need to leave your network.  There’s still lots of work to do at home…

 

Sincerely,

 

Eric B.

 

Deyan
Contributor I

Nice topic mate, really nice. I guess we can make a parallel with the real world can we? No country has offense forces right? Each country has a minstry of defense, secretary of defense etc. of defense..... these people and assets execute the offense as well, however in our area specifically i do not see how cyber defenders could proactively attack the hackers before they attack them.... it's like.... having a shop in a questionable neighborhood and proactively defend yourself against thieves or hooligans... can you really do that? Can a team of 4-5 it sec people that run scans all day, check logs, administer security appliances, really start writing and distributing malware to potential hackers in order to catch the them - doesnt this turn them in hackers themselves? Really twisted situation i'd say...