It's time for a debate about the kinds of actions that infosec professionals are allowed to take against attackers, according to CrowdStrike co-founder and CTO Dmitri Alperovitch.
Speaking to AusCERT 2013 on the Gold Coast, Alperovitch says there is precedent for allowing private individuals or companies to take reasonable steps to defend themselves against attack, espionage or theft in the physical world, and these could serve as a model for a dialogue in the world of information security.
While not acting as an advocate of hacking back, he said, security professionals are forced by legislation – and by convention – to take too passive an approach to security. The problem with this is that defences will almost inevitably fail.
It's a simple matter of asymmetry, he said: “The attackers only have to succeed once, you have to succeed all the time.” Only one failure is needed for the attacker to get in, he said, and the familiar cycle – a defence is put in place, the attacker finds a way around it, and a new defence is added to mitigate that – is escalatory.
That's not only a description of what's going on, but a case of cause and effect. Escalating defences don't increase the likelihood of an attacker being caught – and that means the actors, whether they're individuals, corporations or states, remain at large to refine their attacks.
“We keep doing the same thing … and we're losing,” Alperovitch said, because the industry prefers to maintain a focus on improving products and technologies. “This is an adversary-focussed problem, not a security problem,” he said, and “When there's an attack in cyberspace, we call the locksmith instead of the police”.
A focus on attribution – correctly identifying an attacker – should change the dynamic, since identifying the attacker is more powerful than beefing up the network perimeter.
The tools of attribution can include watching the behaviour of the attacker once inside your network, to learn an attacker's “tradecraft”, knowledge that can be shared and used to identify other attacks by the same individual or agency.
It's also important to change the attacker's cost equation – for example by placing false information in their path (and therefore reducing the returns available from an attack).
The point of controversy arises in the discussion of acceptable countermeasures. While again stating that he's not an advocate of the “hack back”, Alperovitch said a formal agreement and framework that allows networks under attack to at least seek to identify the attacker, and to share that information with others, would drag the industry out of its dangerous passivity.