AusCERT 2013: World needs debate about “hack-back” rules of engagement

It's time for a debate about the kinds of actions that infosec professionals are allowed to take against attackers, according to CrowdStrike co-founder and CTO Dmitri Alperovitch.

Speaking to AusCERT 2013 on the Gold Coast, Alperovitch says there is precedent for allowing private individuals or companies to take reasonable steps to defend themselves against attack, espionage or theft in the physical world, and these could serve as a model for a dialogue in the world of information security.

While not acting as an advocate of hacking back, he said, security professionals are forced by legislation – and by convention – to take too passive an approach to security. The problem with this is that defences will almost inevitably fail.

It's a simple matter of asymmetry, he said: “The attackers only have to succeed once, you have to succeed all the time.” Only one failure is needed for the attacker to get in, he said, and the pattern of putting a defence in place, seeing it attacked, and mitigating with yet another defence is escalatory.

That's not only a description of what's going on, but a case of cause and effect. Escalating defences don't increase the likelihood of an attacker being caught – and that means the actors, whether they're individuals, corporations or states, remain at large to refine their attacks.

“We keep doing the same thing … and we're losing,” Alperovitch said, because the industry prefers to maintain a focus on improving products and technologies. “This is an adversary-focussed problem, not a security problem,” he said, and “When there's an attack in cyberspace, we call the locksmith instead of the police”.

A focus on attribution – correctly identifying an attacker – should change the dynamic, since identifying the attacker is more powerful than beefing up the network perimeter.

The tools of attribution can include watching the behaviour of the attacker once inside your network to learn their “tradecraft”, knowledge that can be shared and used to identify other attacks by the same individual or agency.

It's also important to change the attacker's cost equation – for example by placing false information in their path (and therefore reducing the returns available from an attack).

The point of controversy arises in the discussion of acceptable countermeasures. While stating that he's not an advocate of the “hack back”, Alperovitch believes a formal agreement and framework that allows networks under attack to at least seek to identify the attacker and share that information with others would drag the industry out of its dangerous passivity.
