China Hack Attacks: Play Offense Or Defense?

The Chinese government has been blamed for launching cyber-espionage APT attacks against U.S. businesses. In this debate, two security experts examine how business should respond.

How should U.S. businesses respond to allegations that the Chinese government has been waging cyber espionage using advanced persistent threat (APT) attacks since at least 2006?

Security firm Mandiant recently threw down the gauntlet about these types of attacks, tracing exploits of 141 businesses -- across 20 industries -- to a single group based in China, which it dubbed "APT1."

The existence of such groups isn't in dispute. Indeed, China-based APT gangs appear to have been operating for at least the past six years. Such groups often use spear-phishing emails and attractive-looking but malicious attachments to compromise targeted systems and install a remote-access Trojan (RAT). Attackers then gain a back door onto the targeted network, giving them a jumping-off point for further attacks and reconnaissance, including against a company's business partners.

What is in dispute, however, is how businesses should respond. One school of thought is that they should take a more offensive posture, and gather actionable intelligence for government agencies to carry forward.

Another camp, however, argues that businesses' time and energy would be better spent shoring up defenses and patching known vulnerabilities, to minimize the fallout of the next, inevitable data breach.

In our debate, Shawn Henry, president of CrowdStrike Services, calls for identifying your adversaries and providing this information to law enforcement agencies. John Pescatore, director of emerging security trends at the SANS Institute, says the attacks should drive businesses to focus on their defenses.

What's your view? Use the commenting tool below the article to challenge these experts and share your opinion.

Play Offense

Shawn Henry
President, CrowdStrike Services

We have spoken of the cyber threat for far too long. Foreign adversaries have targeted every major organization in this country, and have stolen untold billions of dollars of intellectual property, research and development and corporate strategies and secrets. The volume and sophistication of cyber espionage has increased dramatically during the past five years, and it will grow, unabated, because the financial reward is incalculably high and the risk of negative consequences is almost non-existent.

Our mistake is that we are using the same approach against targeted attack actors, who actually have specific targets in mind and are not going to stop until they have reached their goal. They are relentless. It's not enough to stop their attacks once or twice; they will keep trying until they get in. The problem with existing technologies and defensive tactics is they are too focused on adversary tools (malware and exploits) and not on who the adversary is and how they operate.

This requires us to stop relying solely on "defense." The current cybersecurity approach is "vulnerability reduction," and it has largely failed for the past 20 years. We focus on hardening our networks by "defense-in-depth," using firewalls, anti-virus software, patching vulnerabilities and employing intrusion prevention systems. This approach generally stops those opportunistic actors willing to rob "any data," but the sophisticated, targeted adversary practices crafty offense, and the offense outpaces the defense. While we certainly need to continue with robust defense, we cannot let our guard down. We need to be more proactive and strategic in our approach to the adversary.

Employing a threat mitigation strategy requires an increased ability to detect and identify our adversaries, and to penalize them. This is the identical strategy we employ in the physical world every single day to thwart criminals, spies, and terrorists. They don't refrain from stealing and killing because we're too secure -- hardly! We walk down the street every day, play in parks, shop in malls and live in houses with glass windows. We're safer, physically, because law enforcement, the intelligence community and the Department of Defense constantly identify, mitigate, disrupt, arrest and deter the adversary.

In the cyber environment, we must assume adversaries are already inside the perimeter, and we must constantly hunt them on our networks to identify and mitigate their actions. We cannot stand by and wait for them to trip an alarm as they shake the proverbial fence, because sophisticated adversaries jump over the fence, bypassing the intrusion detection "alarm" entirely. Hunting necessitates us acquiring a better site picture of the adversaries: what assets are they targeting, what techniques are they employing, why are they here and who, exactly, are they? This is where intelligence sharing is critical. Companies can use advanced analytical technology to share actionable intelligence, enabling them to correlate data, learn the human aspects of the attack, become more predictive and identify them early enough in the attack cycle to prevent serious consequences.

By no means do I advocate vigilantism, or "hacking back." While I think companies can employ certain "active defense" strategies on their networks to make things much more difficult for the adversary, such as denial and deception campaigns designed to fool them, the primary mitigation role rests with the federal government.

Success in the cyber environment will require unprecedented coordination between private industry -- which as a whole has the ownership and ability to achieve these goals -- and governments, which are primarily authorized to investigate and penalize.

Inevitably we must bring the private sector and the government together to achieve the goal of threat deterrence. The vast majority of the intelligence that will lead to identification of the adversaries resides on private sector networks; they are, in essence, "crime scenes," and the evidence and artifacts of the breach are resident on those networks. That threat intelligence, too, can't be shared periodically via e-mail at human-speed; it needs to be shared among all victims, in real-time, at network speed. The private sector, then, can fill tactical gaps to which the government is blind. This can be done while respecting privacy, a critical and absolutely necessary element of intelligence sharing.

When the adversary is identified, the government can use its resources and actions -- law enforcement, civil, diplomatic, financial, or otherwise -- to mitigate the threat posed by these sophisticated opponents. The consistent threat posed by adversaries will subside only when the cost to operate outweighs any potential gain.

We face significant challenges in our efforts to combat the cyber threat. We must start by opening the debate on the limitations of the existing defensive-only security model and the necessity for a threat deterrence model.

I am optimistic that by strengthening partnerships, effectively sharing actionable intelligence, and successfully identifying our adversaries, with continued defensive measures, we can best protect commercial and critical infrastructure from grave damage. By jointly working together to achieve a safer cyber environment, we can shine a light on our adversaries and stop them in their tracks, instead of constantly telling victims to "just do more."

Shawn Henry is the president of CrowdStrike Services, a security technology firm focused on helping enterprises protect their most sensitive information. He retired from the FBI in 2012 as Executive Assistant Director, where he had responsibility for, among other things, FBI cyber strategy and operations worldwide.

Play Defense

John Pescatore
Director, Emerging Security Trends, SANS

Consider this common scenario: your CFO clicks on a phishing email. Her PC, lacking numerous patches, gets compromised and the attacker takes advantage of the CFO's over-privileged account to log into the engineering database and steal the crown jewels of your corporate intellectual property. Six weeks later, when the compromise is finally discovered, your CEO is stomping towards you, and the InfoSec magical genie appears before you and says: "I have a way back machine and will send you back in time to the day before the compromise. You can have one new piece of knowledge to prevent the attack. What do you choose?"

Whether the attack came from a PLA commander in Beijing, a hacktivist in Helsinki or a clever teenager in Toledo shouldn't even make the top 5 things you would wish to know beforehand -- it is the attack and the vulnerabilities exploited that matter, not who launched the attack.

You see, there is a major difference between physical attacks and cyber attacks. In physical attacks, size matters. No bank can protect itself against a tank or a jet aircraft. However, that is not the case in the cyber world. That scenario above has been launched for years by cybercriminals, hacktivists and vandals -- and in recent years received a lot of press because governments are now doing so, as well. Every one of those attacks exploits the same vulnerabilities or deficiencies in critical security controls. Fix those and it doesn't matter who launched the attack. The attack is prevented, avoided or mitigated.

Have you noticed that in this wave of press about advanced targeted attacks some companies have admitted having their entire business compromised, while others have said the first stage got in but the attack failed, and still others have not had to say anything? The companies that pay attention to the blocking and tackling of minimizing vulnerabilities, shielding the unavoidable and leaning forward to detect unusual events not only stay more secure, but also usually end up spending a smaller percentage of revenue to achieve a higher level of security -- without needing to know who actually launched those attacks.

There is also a major difference between what business can and should do about attacks, and what law enforcement and governments should do. Banks don't chase bank robbers. Police departments don't prevent retail shrinkage (shoplifting and employee theft). Defense contractors don't create phony factories to keep industrial spies busy. Fighting back against attackers may sound good but it never, ever makes good business sense.

The best business strategy is the security program that avoids vulnerabilities and risks wherever possible, and minimizes the damage of the inevitable successful attack. Entering into active defense-fueled mutually assured destruction scenarios may have merits at the national defense level but never makes sense at the business level.

Look, it isn't glamorous but the best information security programs are just like the best offensive lines in football. They are the most successful when no one hears about them at all. To keep the quarterback from being sacked, they don't need to know the names of the blitzing linebackers -- they need to know what tactics the attackers use, they need to plug the gaps and they need to jump on the ball when the "skill positions" fumble.

Governments should focus on national security issues, law enforcement on chasing and punishing criminals and businesses should focus on protecting their customers' data and their stakeholders' interests. Mixing those up inevitably ends up with the quarterback sacked and the other team running away with the game.

John Pescatore joined SANS in January 2013 after more than 13 years as Gartner's lead security analyst. Prior to Gartner he ran consulting groups at Trusted Information Systems and Entrust in the firewall and PKI areas and spent 11 years building secure systems for GTE. He began his career at the National Security Agency followed by the U.S. Secret Service.

User Rank: Apprentice
3/12/2013 | 6:20:43 PM
re: China Hack Attacks: Play Offense Or Defense?
Both sides have merit. However, I advocate a three-pronged strategy:
* If you have something worth stealing, assume that someone will try. This necessitates defense.
* Do cooperate with authorities to identify intruders and thieves.
* Assume that someone will eventually succeed in stealing information. With this in mind, follow a divide and conquer strategy of separating related pieces of data or keeping details needed to process the information separate from the information. By the time the thieves realize what is missing you may be a step ahead of them. Even better, provide fake data that appears to be the missing part and make that data somehow an embarrassment to the thieves.
Dave D
User Rank: Apprentice
3/12/2013 | 6:31:29 PM
re: China Hack Attacks: Play Offense Or Defense?
In following up with John's football analogy, sometimes your best offense is not always a great defense. I think there needs to be a balance between defensive and offensive cyber attack strategies. Both sides make good points; however, I believe that while keeping abreast of the latest protective techniques, some energy should be directed toward offensive initiatives to curb cyber attacks.
User Rank: Moderator
3/12/2013 | 11:16:47 PM
re: China Hack Attacks: Play Offense Or Defense?
Unlike other readers, I can speak with a bit more insight, since we've been under a cyber attack since last December.
I agree with John, in that your system should be as near hack-proof as you can make it. To date, not a single attack vector has succeeded, so we must have done something right.
We minimise the impact on ourselves, by getting our IDS to immediately generate a new firewall rule, for every identified hack attempt. It also generates an email to the ISP, identifying the IP address of the attacking zombie, and a clue as to where to find the malware (eggdrop bot/psybnc).
Our offence strategy, if you can call it that, is in the form of an abuse file, sent back by apache, containing 1500 lines of 'Attempted Abuse' messages which, at least, delay the next line of the hack script, long enough for the firewall to be in a position to stop it. For good measure, the last line of the abuse file is a series of ANSI escape codes, designed to screw up any ANSI terminal running a script.
Having had little joy from communicating with CERT, in the 51 countries from which attacks are emanating, we recently contacted SANS and, at least, get the impression that they know what they're doing.
Drew Conry-Murray
User Rank: Ninja
3/13/2013 | 12:02:55 AM
re: China Hack Attacks: Play Offense Or Defense?
I agree with Shawn Henry that the private sector can do more to share actionable security information within appropriate verticals, but it also seems like both sides are arguing, correctly, that businesses should focus on creating a robust set of defenses, and let law enforcement and government agencies handle prosecution or retaliation.

Drew Conry-Murray
Editor, Network Computing
Andrew Hornback
User Rank: Apprentice
3/13/2013 | 4:06:10 AM
re: China Hack Attacks: Play Offense Or Defense?
As much as I'd like to say that I agree with playing offense here, you can't play offense until you've got a strong defense. It's an absolute must to keep everything as current as possible - OS patches, application patches, security appliance firmware, and user knowledge.

All of the latest and greatest security technology in the world can be defeated if the "man in the loop" fails to act in a secure manner. As long as users are involved, there is a risk of failure, period.

If you assume that the enemy is within your perimeter already, do you block ingress or egress? How do you determine if the enemy is there - given sufficient time and sophisticated attacks, can you depend on any system you have detecting that they're there? At that point, do you shut everything down and do a full security sweep? Hardly - business has to keep running, especially when a global economy dictates it.

From the play offense point of view, your INFOSEC folks are always going to be seen as playing catch-up and while that may be true in some instances... I think that from a management point of view, you're adding more stress to a group that's usually quite well enough stressed as it is.

Andrew Hornback
InformationWeek Contributor
User Rank: Apprentice
3/13/2013 | 12:46:22 PM
re: China Hack Attacks: Play Offense Or Defense?
Stealing is stealing, stolen assets should be retrieved, and thieves should be punished. If you have valuable physical assets to protect, you place them in a secure location and lock the doors. And if a thief breaks in and steals them, you catch the thief, retrieve the stolen assets, and administer justice. How is this so different? Of course you have to have good defense, but the thieves have broken in and stolen valuable assets. How about we retrieve the value of that which was stolen by our government not repaying loans from the offenders? How about we administer justice by having ICANN remove the offenders' connectivity from the Internet altogether for some period of time? The thieves have been identified, so let's recover the value of what was stolen and punish the thieves.
User Rank: Apprentice
3/13/2013 | 6:37:50 PM
re: China Hack Attacks: Play Offense Or Defense?
Why not direct these comments to the Republicans and the Chamber of Commerce, who opposed a bill in Congress that would have promoted a government/private sector partnership in this area?
Destroying Angel
User Rank: Apprentice
3/13/2013 | 6:45:59 PM
re: China Hack Attacks: Play Offense Or Defense?
Shawn Henry is PART of the way there. The rest of the way involves congressionally bonded and licensed cyber privateers. The deterrence factor would cover not only cyberthieves but rogue governments as well. You want absolute proof that deterrence works? Notice how those zany pranksters at Anonymous backed down from attacking drug cartels. Maybe something about seeing body parts (theirs, their families', and their friends') scattered in public places made them reconsider.
User Rank: Apprentice
3/14/2013 | 4:38:51 AM
re: China Hack Attacks: Play Offense Or Defense?
I don't think it's one or the other. It's both at the same time. You should absolutely have the latest patches, virus definitions, firewall defenses, etc. in place. That is a fundamental part of IT's job in any company. But there needs to be a much better offensive component as well. If there is no penalty for the attacker other than they just didn't get any data (because of good defenses), there is no deterrent for future attempts. We need specialized law enforcement groups that actively counter hack threats. I also like the idea in another comment of licensed privateers that are hired to go after specific targets.
User Rank: Apprentice
3/14/2013 | 4:42:57 PM
re: China Hack Attacks: Play Offense Or Defense?
Espionage is an older human profession and pastime than prostitution. In fact, the Garden of Eden story is about a God spying on an Adam and Eve as they tried to hack the Tree of Knowledge!
And so, the distinction between offense and defense in this "game of life" is as relative and moot as the illusory distinction between good and evil itself. It all depends on viewpoint of the side you are presently playing for.
The simple premise is that if you have something worth protecting, you will have to protect it. And if you hire a CFO or a Guardian Angel that is stupid enough to follow a phishing link in an email, then you probably aren't very good at protection and you deserve to get hacked.