The Empire Strikes Back!


Jun 18th

There is a new trend in IT security: Active Defence. The name sounds innocuous enough, but in reality it is a pivot point in Information Security. The concept is simple: strike back. When a hacker attacks you, you attack the hacker.

Frustrated by the inability of the law to take action against attackers from across the globe, an increasing number of organisations are taking the law into their own hands by mounting retaliatory action.

The reprisals range broadly, from delaying and diversion tactics to full-on black-hat responses. Organisations have been known to hire contractors to hack the assailants' systems, which is likely illegal under US law and that of a number of other jurisdictions.

Traditionally, responses to hacking attacks have been conventional: deep forensic analysis, backup and recovery, and defence in depth. However, this generates a significant work stream for the organisation. If your only response when attacked is to fix the damage and reinforce the defences, there is little to deter the hackers from continuing to attack you until they break your defences again and you have to initiate another cleanup.

The Active Defence strategy is an attempt to halt this cycle. The former head of cybercrime investigations at the FBI, Shawn Henry, recently joined CrowdStrike, an organisation that provides its enterprise customers with a menu of active responses.

Once a breach has been detected, the organisation can waste the hacker's time by giving them access to honeypot systems while it attempts to identify the culprit. This can include letting them download Trojans disguised as valuable data files. The Trojan's capability could be as simple as sending identifying information, such as source IP, logged-on username and host name, back to the originating organisation, or as complex as checking in to a command and control system so that it can execute updated commands.

CrowdStrike co-founder Dmitri Alperovitch does not recommend that companies try to breach attackers' computers, but accepts that organisations need a stronger response than traditional countermeasures.

CrowdStrike suggests it is commonplace for organisations negotiating with a Chinese company to have their emails compromised, giving the Chinese negotiators the upper hand. The recommended countermeasure in this instance would be deception: planting false emails within the system.

Earlier this year in April, Department of Homeland Security Secretary Janet Napolitano told the San Jose Mercury News that officials had been contemplating authorizing “proactive” private-entity attacks, although there has been little follow-up comment.

Facebook took small steps in that direction when, in January, it named the Russian players behind the malicious “Koobface” software that spread through spam on its social network, earning the gang an estimated US$2 million.

It is likely this new trend in offensive security will only get stronger; the concern is that, like any war, it quickly escalates.

© 2006-2024 Security Enterprise Cloud magazine.