AusCERT 2013: World needs debate about “hack-back” rules of engagement

It's time for a debate about the kinds of actions that infosec professionals are allowed to take against attackers, according to CrowdStrike co-founder and CTO Dmitri Alperovitch.

Speaking to AusCERT 2013 on the Gold Coast, Alperovitch says there is precedent for allowing private individuals or companies to take reasonable steps to defend themselves against attack, espionage or theft in the physical world, and these could serve as a model for a dialogue in the world of information security.

While not acting as an advocate of hacking back, he said, security professionals are forced by legislation – and by convention – to take too passive an approach to security. The problem with this is that defences will almost inevitably fail.

It's a simple matter of asymmetry, he said: “The attackers only have to succeed once, you have to succeed all the time.” Only one failure is needed for the attacker to get in, he said, and the pattern of putting a defence in place, seeing it attacked, and then mitigating with yet another defence is escalatory.

That's not only a description of what's going on, but a case of cause and effect. Escalating defences don't increase the likelihood of an attacker being caught – and that means the actors, whether they're individuals, corporations or states, remain at large to refine their attacks.

“We keep doing the same thing … and we're losing,” Alperovitch said, because the industry prefers to maintain a focus on improving products and technologies. “This is an adversary-focussed problem, not a security problem,” he said, and “When there's an attack in cyberspace, we call the locksmith instead of the police”.


A focus on attribution – correctly identifying an attacker – should change the dynamic, since identifying the attacker is more powerful than beefing up the network perimeter.

The tools of attribution can include watching the behaviour of the attacker once inside your network to learn the attacker's “tradecraft”, knowledge that can be shared and used to identify other attacks by the same individual or agency.

It's also important to change the attacker's cost equation – for example by placing false information in their path (and therefore reducing the returns available from an attack).
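The two defensive ideas above, recording an intruder's tradecraft once they are inside and planting false information whose use gives them away, can be turned into plain detection logic. The following is an added example, not code from the article, from CrowdStrike or from the speaker; the audit-log lines, the decoy file name, the `HONEYTOKENS` set and the `TRADECRAFT_PROFILES` group names are all constructed for illustration.

```python
"""Added example: flag touches of planted decoys (honeytokens) and compare the
commands an intruder ran against shared tradecraft profiles for attribution.
All log lines, decoy names and profile names below are constructed."""
from collections import defaultdict

# Constructed audit-log lines: "<time> <source-host> <action> <object>"
SAMPLE_LOG = """\
09:00:01 ws17 login svc-backup
09:00:05 ws17 exec whoami
09:00:09 ws17 exec net_group_domain_admins
09:00:30 ws17 read fileserver/finance/Q3_board_pack.xlsx
09:01:02 ws17 read fileserver/finance/DECOY_merger_terms.docx
09:01:10 ws17 exec rar_archive
09:01:15 ws17 connect 203.0.113.7:443
09:05:00 ws22 login alice
09:05:03 ws22 read fileserver/hr/leave_policy.pdf
"""

# Constructed decoys: a planted document and an account no real process uses.
# Any access is a high-confidence alert because nothing legitimate touches them.
HONEYTOKENS = {"DECOY_merger_terms.docx", "svc-honeypot"}

# Constructed tradecraft profiles, standing in for indicators shared between
# victims: the set of tools/commands a given group habitually runs post-intrusion.
TRADECRAFT_PROFILES = {
    "GROUP_A": {"whoami", "net_group_domain_admins", "rar_archive"},
    "GROUP_B": {"mimikatz", "psexec", "7z_archive"},
}


def parse_log(text):
    """Split each line into a small event dict; the object field may hold spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, host, action, obj = line.split(maxsplit=3)
        events.append({"time": time, "host": host, "action": action, "object": obj})
    return events


def honeytoken_hits(events, tokens):
    """Return every event whose object names a planted decoy."""
    return [e for e in events if any(t in e["object"] for t in tokens)]


def fingerprint(events):
    """Per source host, the set of commands executed: the observed tradecraft."""
    observed = defaultdict(set)
    for e in events:
        if e["action"] == "exec":
            observed[e["host"]].add(e["object"])
    return dict(observed)


def jaccard(a, b):
    """Set overlap in [0, 1]; empty sets share nothing."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def match_tradecraft(observed, profiles, threshold=0.5):
    """For each host, the best-matching profile if its overlap clears the threshold."""
    matches = {}
    for host, techniques in observed.items():
        name, score = max(
            ((n, jaccard(techniques, p)) for n, p in profiles.items()),
            key=lambda pair: pair[1],
        )
        if score >= threshold:
            matches[host] = (name, round(score, 2))
    return matches


def triage(text, tokens=HONEYTOKENS, profiles=TRADECRAFT_PROFILES):
    """Run both checks over a log and return what an analyst would escalate."""
    events = parse_log(text)
    return {
        "honeytoken_hits": [(e["host"], e["object"]) for e in honeytoken_hits(events, tokens)],
        "tradecraft_matches": match_tradecraft(fingerprint(events), profiles),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The honeytoken check raises the attacker's cost in the way the talk describes: the decoy document is worthless to them, yet opening it is the one act that cannot be explained by legitimate use, so it needs no tuning to be a reliable signal. The tradecraft match only becomes useful once profiles are shared across organisations, which is exactly the information-exchange framework the article argues for; a 0.5 overlap threshold is an arbitrary starting point and should be set from real data.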

The point of controversy arises in the discussion of acceptable countermeasures. While stating that he's not an advocate of the “hack back”, Alperovitch said a formal agreement and framework that allows networks under attack to at least seek to identify the attacker, and share that information with others, would drag the industry out of its dangerous passivity.

