News Threat Intelligence
The Enterprise Strikes Back
Gathering intel on cyberespionage and cybercrimine attackers and baiting them with fake information are some of the ways victim organizations are going on the offensive
The art of deception for protecting intellectual property or confidential company information was around long before the Internet: Financial institutions have been known to drop a phony prospectus at a client site during a merger and acquisition negotiation to derail any snooping by competitors.
Now with the new normal that defense alone won't stop a determined hacker from getting inside -- and he's probably already there -- some organizations are looking at the age-old offensive strategy of deceiving corporate spies with bogus information or other trickery to keep them off track. It's all part of a shift among some security firms to make it more cost-prohibitive and painful for the bad guys to hack, as well as to gather intelligence on the attacker to help better protect yourself.
More Security Insights
White PapersMore >>
Dmitri Alperovitch, co-founder and CTO at CrowdStrike, says the concept of more offensive approaches like deceptive tactics is critical to surviving today's threats. You can't just stick with the conventional defense strategies and technologies, he says: "Otherwise, you might as well open up all of the doors and let them take what they want. Offense needs to be a key component of your strategy," Alperovich says. "It would be great if the government were doing this for us ... and stopping" Chinese cyberspionage, but that's not happening, he says.
"The private sector has to take responsibility for this and acting on their own. We don't mean hacking back as offense: That's illegal," he says. "The use of deception can be very powerful and a strategic advantage."
If a U.S. firm is competing for business with a Chinese company that's hell-bent on getting access to its negotiation documents, there's no way to stop that. "What documents would you like them to read?" he says. Placing decoy documents on a server can help keep the deal confidential, according to Alperovitch.
[ Chinese cyberspies and traditional cybercriminals are relying on some of the same malware tools -- and some cyberspies even appear to be moonlighting. See The Intersection Between Cyberespionage And Cybercrime. ]
CrowdStrike is helping companies come up with this type of offensive-driven strategy, he says. "We'll identify the adversary, what they are after, and who they are. The next step is, what are you going to do with this? We help companies craft a strategy," he says.
But pinpointing the geographic location of a hacker -- China or Russia, for example -- alone isn't enough intelligence to fight back. "That's not terribly important. You want to get granular attribution: know the people involved, who's giving them the orders, not [just that] this guy is from China," Alperovitch says.
Knowing an attacker used a particular tool to automate his attack can be useful when it comes to legal action or deception, for example, he says.
Clouding the picture these days is that cybercriminals and cyberspies are employing many of the same hacking tools, typically remote access Trojans. That can make tool intelligence a bit tricky. "The problem I see is researchers who focus exclusively on malware or tools. They are really constrained on what they can determine," says Richard Bejtlich, CSO at Mandiant.
Instead, you have to study how the attacker used the tool, what password he used, and the infrastructure he used, Bejtlich says. "All of those pieces make up a mosaic" that helps identify groups of attackers, he says.
That type of knowledge can help shape a deception strategy, security experts say.
There are pitfalls to analyzing the origin of an attack, however. One dangerous assumption victim organizations sometimes make is that a bot problem isn't as big of a deal as an advanced persistent threat-type attack. "You should not segregate what you believe to be a traditional e-crime attack and push it off to the side. [Don't] leave those machines unremediated just because they are botnets and 'not important' and you just worry about APT," says Greg Hoglund, CTO at ManTech CSI and founder of HBGary.
Just because it's a bot infection doesn't mean it's harmless. "Keep in mind that every single one of those bots has the potential to drop a shell onto that computer and to exfiltrate files out of the network. To make the assumption it's not being used is a dangerous assumption," he says.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.