Security Experts Debate Offensive Strategy

Sean Michael Kerner,

For most enterprises, taking offensive action against cyber-attackers is probably not the best strategy, according to an International Information Systems Security Certification Consortium panel

When it comes to modern enterprise IT security, the best defence isn’t necessarily about having a good offence. A panel of experts at the International Information Systems Security Certification Consortium (ISC2) Security Congress’ 2013 event debated the issue of cyber-offensive strategies on 27 September. The panel concluded that offensive strategies are probably not the right approach for most, if not all, enterprise IT shops.

The concept behind the panel was to talk about whether it made sense for enterprises to take offensive action against cyber-threats, Adam Meyers, vice president of intelligence at security vendor CrowdStrike, explained. Vigilantism is unlikely to ultimately be successful, he said, adding that enterprises don’t need to focus on how to get back at an attacker.

Mitigating risks

“What enterprises need to do is focus on delivering security that is effective,” Meyers told eWEEK. “The way you make it effective is by knowing who is coming after you, how they are coming after you and what they are going to use against you.”

security privacy government fisa google © Everett Collection ShutterstockWith the right intelligence, an enterprise can effectively defend and mitigate the risks from modern attacks. CrowdStrike is strongly focused on security intelligence overall; its Falcon platform fuses real-time detection of targeted attacks with actionable security intelligence.

Understanding what an attack and an attacker is all about offers an organisation a variety of options for response, Meyers said, adding that enterprises can stop an attack or perhaps even watch an attack in order to learn more about the attacker. An attack can also be an option to provide false information to the attacker, he said.

When it comes to engaging in some form of discourse with an attacker, caution is called for, said Hord Tipton, executive director of ISC2. “I would be nervous about engaging with an attacker in a retaliatory fashion,” Tipton said.

There is so much data available today, and understanding how and when to use it is a big question for IT security professionals, Tipton said. In terms of tipping off and sharing information with government agencies, such that one of them could take action, Tipton also advises caution.

“Not to second-guess all of our three-letter US government agencies, but all of them have a lot of access to a lot of data,” Tipton said.

International law

From an offensive perspective, Tipton said he considers the capacity to take some form of action a political question. International laws often fail to address the issue of offensive cyber-security actions and what the consequences should be, he said.

Enterprise organisations are simply not suited or prepared to conduct offensive actions, Meyers said. “There is a reason why the military is involved in that sort of thing,” Meyers said. “They can effectively gauge what collateral damage, if any, might occur and forecast what the outcome might be.”

For Tipton, going after attackers is like fighting the mythical hydra. “You cut off one head, and nine grow back,” Tipton said. “We have to start out on the defensive end of the skirmish.”

Do you know all about IT and the law? Take our quiz.

Originally published on eWeek.