Dmitri Alperovitch, cofounder and CTO, CrowdStrike
Lee, who has lectured and written extensively on securing networks and teaches a SANS course on active defense and incident response, contends that the reason so-called “traditional defense” is failing is that “we don’t do traditional defense.”
He argues that security begins with architecture and what he calls passive defense, and said that, “if you don’t know your network, there’s no way to defend it. The adversary is going to learn what you have, but if you already know that, you’re two steps ahead of them. I’m not saying it’s easy, but it’s doable.”
Beyond that, he said the “cycle of active defense” involves the use of threat intelligence, asset identification and network monitoring, incident response, and threat and environmental manipulation.
This, he has written, may involve counterattacks, but, “only inside the defended area and against the capability, not the adversary.”
He likened it to ICBM defense, where the goal is to destroy missiles, not people or cities.
Beyond all that, however, he said hacking back “is an extremely inappropriate usage of resources. It doesn't return a lot of value.”
Ariel Rabkin, in an interview, said while he agrees that good architecture improves security, the reality is that it would be very expensive to fix the security flaws in large systems.
“In many cases, changing the architecture of a computer system means rewriting it entirely,” he said. “This is very expensive, takes a long time, and incurs all sorts of additional technical risks.”
The cost of a hack back, he said, “does not depend on the complexity of the system being defended. It depends on the intruder's level of talent and the robustness of their systems. As a result, there should be some crossover point where it becomes cheaper to hit back than to strengthen one's passive defenses.”
But Anthony Di Bello, director of strategic partnerships at Guidance Software, said he thinks it is both infeasible and very risky to “deputize” expert civilian security vendors to hack back against suspected attackers.
He acknowledged that the U.S. government has accused hostile nation states (China, North Korea, Iran) of specific attacks, but said he doesn’t think the private sector has that kind of capability, and should not be given law enforcement powers.
“Getting attribution down to the level of identifying a specific individual? I don’t believe many, if any, corporations have the technology or skillsets to do that in a repeatable, defensible manner,” he said. “It’s way too easy for attackers to spoof the source of their attacks.”
And he said the escalation risks from hacking back don’t need to be violent to be damaging. “It could result in strained trade relations, disrupt other political negotiations that are ongoing or introduce a lack of trust in technology that my country exports,” he said.