Data forensics are not enough for security pros looking to fend off targeted attacks, according to CrowdStrikechief and co-founder George Kurtz, who says companies want to take the fight to the adversary.
Defence, detection and details are not enough, Kurtz tells CSO.com.au, claiming companies are increasingly demanding “deception, denial, disruption”.
“They’re moving more into the government mindset of deception,” says Kurtz, pointing to a hypothetical theft of the Northrop Grumman’s B-2 Spirit Stealth Bomber designs.
“Somebody breaks in and steals the plans, but if the plans are wrong and the thing doesn’t fly, think about the cost of that. Think about the scratching of the head that happens when you have that thing and ask ‘Was it real or was it a decoy’?”
Kurtz is among those that fear the nation’s intellectual property is slowly but surely being drained by Chinese Government sponsored hackers, hell bent on undermining the US’s technological edge.
“The majority of [intellectual property theft] stems from China and that’s what I’m intimately involved in; working with big companies who have had massive data breaches,” says Kurtz.
“When you look at the IP and the impact, it’s in the billions of dollars that you can calculate—not just someone saying, ‘Oh, it’s over a billion because they thought it was important’.”
Financial cybercrime that affect individuals and the banking sector through fraud on the other hand is annoying to deal with but comes down to “pure math”.
“You make five billion, you have a billion in fraud, you’re still up four billion. It still makes sense to do what you’re doing,” he said.
Intellectual property theft, however, has national impact which could linger for generations to come.
“When you think about the impact it has on a nation to have its intellectual property that took trillions of dollars to create, simply stolen and then goods and services replicated—putting aside the security implications of that—it’s a huge impact.”
Kurtz’s view is the antithesis to others such as the UK’s Cambridge University security researcher Ross Anderson, who recently attacked a report co-authored by the UK Government and BAE Systems’ security division Detica that estimated the cost of cybercrime, much of it lost through IP theft, was £27 billion a year.
While Anderson urged governments to consider spending less on ‘anticipatory security’ like firewalls and antivirus and more on police capabilities to fight cybercrime, Kurtz argues antivirus type security is necessary ‘basic hygiene’, which for the high value organisation needs to be bolstered with capabilities not just to prevent the attack but identify who the attacker was and what they were after.
“Think about all the companies that get hit. You think they don’t have AV? They all have it, right. So that’s just basic hygiene that keeps out the noise.”
“Most companies like AV companies or companies that just use technology are focussed on, ‘Well, geez I have a piece of malware or a bad file’. The reality is that most companies have an adversary problem, not a malware problem.
While attributing an attack to a specific individual or organisation remains impossible, Kurtz argues that they can be fingerprinted.
“If you understand how they operate, they may change the malware, but you can still understand who’s coming after you. For example, from the physical world, if someone is shooting at you, do you ask is that a 9mm or a 45? Or do you ask who is shooting at me, why are they shooting at me and how do I get it to stop?”
Complex malware like super-spy Flame or a downloader are “digital bullets” and the challenge is to connect the bullets to the shooter.
“There are tell-tale signs,” says Kurtz. “I wouldn’t say with 100 per cent certainty but with a high probability you can begin linking all this together.”