Last weekend, information security professionals from around the globe gathered for the 2013 Suits and Spooks Conference in Washington, DC. The focus was on offense as a defensive tactic, often referred to as “active defense”. I was both an attendee and a speaker / panel moderator at the conference. The event was awesome. It featured collaboration and intellectually driven discourse on matters of extreme importance to our industry. Heated discussions seemed to be taking place everywhere: hallways, foyers and of course the session rooms.
The first panel that I was on dealt with a particularly challenging topic: bringing the fight to the adversary. For most people in our space, when they hear or read statements that espouse bringing the fight to the adversary, their thoughts immediately drift towards offensively driven “hack back” scenarios. My experience on this panel, however, couldn’t have been more to the contrary. We discussed castle building (the perimeter-centric model of piling ever more defenses around the network boundary) and the failures of current and traditional operational security models. This discussion also touched on how our inability to see traditional operational security models through to fruition could be an indicator of how an unskilled enterprise would perform should it engage in a truly offensive capacity. In the end, all of us agreed that the current United States Code is clear on what is and what is not deemed legal (never mind the ethical arguments). We came to the conclusion that, unless forcefully compelled by the courts, offensive measures were likely troublesome at best and disastrous at worst. This panel forced me to rethink the topic of offensive measures and in some ways reposition my own beliefs.
I believe that offensive security measures (when thoughtful and measured) can be effective. I believe advanced active defensive strategies, when applied in a lean-forward manner, can provide organizations a great deal of insight into who their adversaries truly are, what they want and how they are attempting to gain access to the target assets in question. Surprisingly, while most strongly agreed that attribution was critically important when defending against an attack, there was notable dissent on the subject. I believe that active defense begins with the basics, and though I am skeptical of the way in which many organizations operate with respect to the basics of information security, I advocate a hard-line approach to the basics in order to prepare for advanced threats.
So what does this all mean? How does an organization that has its act together with respect to the basics get to the point where it can effectively lean forward into an advanced active defense? For starters, it can try to understand what it expects from itself and from its adversaries. Red Teaming is a tried and true test of one’s readiness. If an organization fails a Red Team engagement, then it needs to revisit the areas found susceptible, remediate and re-engage. If the organization in question has conducted Red Team engagements and passed with flying colors, then it should begin looking at technology and methodology that will allow it to meet its aggressors head on.
Understanding who your adversaries are (and are not) will make this process smoother. Understanding what it is about you that makes you a likely target for an adversary also aids in the process of preparedness and, when conducted in an intellectually honest manner, can save vital resources needed for other purposes. Technology such as honeynets and honeypots (regardless of the ethical questions they pose) can be invaluable tools for attack definition and attribution. One cannot gain insight into who is banging on the door threatening to break in without a vantage point that allows one to characterize the adversary. The application of false flag data or advanced network segmentation can also thwart and confuse potential adversaries. In the end, a lean-forward approach sees an organization taking pre-emptive measures against a threat actor prior to their arrival (when possible).
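One concrete form of the vantage point described above, as an added example rather than code from the post or the conference: a minimal low-interaction TCP honeypot in Python that records who knocks and summarises each source, so that characterisation starts before anyone touches a production asset. The listening port, the in-memory store and the three-port “sweep” threshold are assumptions of this example.

```python
import socketserver
import threading
import time
from collections import defaultdict

EVENTS = []  # in-memory store for this example; a real deployment ships to a SIEM
LOCK = threading.Lock()

def record_event(src_ip, dst_port, payload, ts=None):
    """Record one connection attempt; payload is the first bytes received."""
    event = {"ts": ts if ts is not None else time.time(), "src": src_ip,
             "port": dst_port, "payload": bytes(payload[:256])}  # cap, never execute
    with LOCK:
        EVENTS.append(event)
    return event

def profile_sources(events):
    """Per-source summary: hit count, ports touched, first/last seen, and a coarse
    label (port sweep vs. repeated interest in one service)."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "first": None, "last": None})
    for e in events:
        p = per_src[e["src"]]
        p["hits"] += 1
        p["ports"].add(e["port"])
        p["first"] = e["ts"] if p["first"] is None else min(p["first"], e["ts"])
        p["last"] = e["ts"] if p["last"] is None else max(p["last"], e["ts"])
    for p in per_src.values():
        # Three distinct ports is an arbitrary illustrative cut-off for "sweep".
        p["kind"] = "sweep" if len(p["ports"]) >= 3 else "targeted"
        p["ports"] = sorted(p["ports"])
    return dict(per_src)

class HoneypotHandler(socketserver.BaseRequestHandler):
    """Accept, read a little, record, close: there is no real service behind it."""
    def handle(self):
        self.request.settimeout(5)
        try:
            data = self.request.recv(1024)
        except OSError:
            data = b""
        record_event(self.client_address[0], self.server.server_address[1], data)

def serve(port, host="0.0.0.0"):
    """Listen on a port no legitimate client uses, so every connection is suspect."""
    socketserver.ThreadingTCPServer((host, port), HoneypotHandler).serve_forever()

if __name__ == "__main__":
    serve(2222)  # unprivileged port chosen for the example
```

Feed the collected events to profile_sources periodically; a source that sweeps several decoy ports and one that keeps returning to a single service deserve different follow-up.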
Does your organization utilize an active defense (offense as a defense) strategy? Is there any justification for “hacking back”? How critical is attribution when defending against attacks?