The Enterprise Strikes Back

Gathering intel on cyberespionage and cybercrime attackers and baiting them with fake information are some of the ways victim organizations are going on the offensive

The art of deception for protecting intellectual property or confidential company information was around long before the Internet: Financial institutions have been known to drop a phony prospectus at a client site during a merger and acquisition negotiation to derail any snooping by competitors.

Now with the new normal that defense alone won't stop a determined hacker from getting inside -- and he's probably already there -- some organizations are looking at the age-old offensive strategy of deceiving corporate spies with bogus information or other trickery to keep them off track. It's all part of a shift among some security firms to make it more cost-prohibitive and painful for the bad guys to hack, as well as to gather intelligence on the attacker to help better protect yourself.

Dmitri Alperovitch, co-founder and CTO at CrowdStrike, says the concept of more offensive approaches like deceptive tactics is critical to surviving today's threats. You can't just stick with the conventional defense strategies and technologies, he says: "Otherwise, you might as well open up all of the doors and let them take what they want. Offense needs to be a key component of your strategy," Alperovitch says. "It would be great if the government were doing this for us ... and stopping" Chinese cyberespionage, but that's not happening, he says.

"The private sector has to take responsibility for this and act on their own. We don't mean hacking back as offense: That's illegal," he says. "The use of deception can be very powerful and a strategic advantage."

If a U.S. firm is competing for business with a Chinese company that's hell-bent on getting access to its negotiation documents, there's no way to stop that. "What documents would you like them to read?" he says. Placing decoy documents on a server can help keep the deal confidential, according to Alperovitch.
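A decoy document only pays off if someone is watching for it to be touched. The following is an added example, not code from the article or from CrowdStrike, of the detection side of that tactic: a registry of decoy paths that no legitimate user has a reason to open, run over a file-server audit log. The log format, the paths, the usernames and the IP addresses are all constructed for the example; the point is that any read of a decoy by anyone other than a whitelisted service account is a high-fidelity alert, and grouping those alerts by source host is the start of the intelligence picture the article talks about.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed audit log in a simple key=value format (assumed, not a real
# product's format). Two of the paths are decoys planted in the deals share.
SAMPLE_AUDIT_LOG = """\
2013-02-19T09:12:01Z user=jdoe action=READ path=/shares/legal/nda_template.docx src=10.0.4.21
2013-02-19T09:14:33Z user=svc_backup action=READ path=/shares/deals/Project_Falcon_term_sheet_v7.docx src=10.0.9.5
2013-02-19T11:47:10Z user=mchen action=READ path=/shares/deals/Project_Falcon_term_sheet_v7.docx src=172.16.33.9
2013-02-19T11:47:12Z user=mchen action=READ path=/shares/deals/Project_Falcon_valuation_FINAL.xlsx src=172.16.33.9
2013-02-19T12:02:45Z user=jdoe action=WRITE path=/shares/legal/nda_template.docx src=10.0.4.21
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) path=(\S+) src=(\S+)$")

# Hypothetical decoy paths: plausible names, no business reason to open them.
DECOY_PATHS = (
    "/shares/deals/Project_Falcon_term_sheet_v7.docx",
    "/shares/deals/Project_Falcon_valuation_FINAL.xlsx",
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    action: str
    path: str
    src: str


class DecoyRegistry:
    """Tracks planted decoy files and the accounts allowed to touch them."""

    def __init__(self, decoy_paths, allowed_readers=()):
        self.decoys = set(decoy_paths)
        # Backup or indexing services will read everything; exclude them so
        # the tripwire stays quiet during normal operations.
        self.allowed_readers = set(allowed_readers)

    def is_tripwire(self, user, path):
        return path in self.decoys and user not in self.allowed_readers


def scan_audit_log(log_text, registry):
    """Return one Alert per access to a decoy by a non-whitelisted account."""
    alerts = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed or unrelated lines
        timestamp, user, action, path, src = match.groups()
        if registry.is_tripwire(user, path):
            alerts.append(Alert(timestamp, user, action, path, src))
    return alerts


def summarize_by_source(alerts):
    """Map each source host to the sorted list of decoys it touched."""
    touched = defaultdict(set)
    for alert in alerts:
        touched[alert.src].add(alert.path)
    return {src: sorted(paths) for src, paths in touched.items()}


if __name__ == "__main__":
    registry = DecoyRegistry(DECOY_PATHS, allowed_readers=("svc_backup",))
    found = scan_audit_log(SAMPLE_AUDIT_LOG, registry)
    for alert in found:
        print(f"{alert.timestamp} {alert.user}@{alert.src} {alert.action} {alert.path}")
    print(summarize_by_source(found))
```

In the constructed log, the backup account's read is ignored and the two reads from 172.16.33.9 are flagged, which is the pattern worth escalating: a single host walking through the deal folder. The same tripwire logic can be fed from whatever audit source the file server actually produces; only the regular expression needs to change.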

[ Chinese cyberspies and traditional cybercriminals are relying on some of the same malware tools -- and some cyberspies even appear to be moonlighting. See The Intersection Between Cyberespionage And Cybercrime. ]

CrowdStrike is helping companies come up with this type of offensive-driven strategy, he says. "We'll identify the adversary, what they are after, and who they are. The next step is, what are you going to do with this? We help companies craft a strategy," he says.

But pinpointing the geographic location of a hacker -- China or Russia, for example -- alone isn't enough intelligence to fight back. "That's not terribly important. You want to get granular attribution: know the people involved, who's giving them the orders, not [just that] this guy is from China," Alperovitch says.

Knowing an attacker used a particular tool to automate his attack can be useful when it comes to legal action or deception, for example, he says.

Clouding the picture these days is that cybercriminals and cyberspies are employing many of the same hacking tools, typically remote access Trojans. That can make tool intelligence a bit tricky. "The problem I see is researchers who focus exclusively on malware or tools. They are really constrained on what they can determine," says Richard Bejtlich, CSO at Mandiant.

Instead, you have to study how the attacker used the tool, what password he used, and the infrastructure he used, Bejtlich says. "All of those pieces make up a mosaic" that helps identify groups of attackers, he says.

That type of knowledge can help shape a deception strategy, security experts say.
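Bejtlich's point that a tool on its own says little, while tool plus password plus infrastructure forms a mosaic, can be shown with a small clustering exercise. The following is an added example, not code from the article or from Mandiant: a handful of constructed intrusion records (the IDs, tool names, addresses and credential labels are all made up) are linked into groups using union-find over whichever artifacts are treated as linking evidence. Clustering on the tool alone lumps unrelated incidents together because the tool is shared; clustering on attacker-specific artifacts separates them.

```python
from collections import defaultdict

# Constructed intrusion records. "password" stands for the credential
# artifact the attacker used (e.g. a RAT's hard-coded login), not a victim
# password. Addresses are from documentation ranges.
INTRUSIONS = [
    {"id": "inc-1", "tool": "rat-alpha", "c2": "203.0.113.10", "password": "pw-Q7", "target": "acme"},
    {"id": "inc-2", "tool": "rat-alpha", "c2": "198.51.100.7", "password": "pw-Z1", "target": "globex"},
    {"id": "inc-3", "tool": "rat-beta", "c2": "203.0.113.10", "password": "pw-Q7", "target": "initech"},
    {"id": "inc-4", "tool": "rat-alpha", "c2": "192.0.2.44", "password": "pw-Z1", "target": "acme"},
    {"id": "inc-5", "tool": "rat-gamma", "c2": "192.0.2.99", "password": "pw-M3", "target": "umbrella"},
]

# Artifacts that are specific to an operator rather than to a commodity tool.
STRONG_FEATURES = ("c2", "password")
# Tool identity alone: widely shared, so it is weak linking evidence.
WEAK_FEATURES = ("tool",)


def cluster_by(records, features):
    """Group records that share a value for any of the given features.

    Uses union-find: every record starts in its own set, and any two records
    that share an artifact value are merged. Returns sorted lists of IDs.
    """
    parent = {r["id"]: r["id"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    index = defaultdict(list)
    for r in records:
        for feature in features:
            index[(feature, r[feature])].append(r["id"])
    for ids in index.values():
        for other in ids[1:]:
            union(ids[0], other)

    groups = defaultdict(list)
    for r in records:
        groups[find(r["id"])].append(r["id"])
    return sorted(sorted(g) for g in groups.values())


def mosaic(records, cluster_ids, features=("tool", "c2", "password", "target")):
    """Collect every artifact value seen across one cluster, per feature."""
    by_id = {r["id"]: r for r in records}
    seen = defaultdict(set)
    for rid in cluster_ids:
        for feature in features:
            seen[feature].add(by_id[rid][feature])
    return {feature: sorted(values) for feature, values in seen.items()}


if __name__ == "__main__":
    print("by tool only:", cluster_by(INTRUSIONS, WEAK_FEATURES))
    strong = cluster_by(INTRUSIONS, STRONG_FEATURES)
    print("by infrastructure + credential:", strong)
    for group in strong:
        print(group, mosaic(INTRUSIONS, group))
```

With the constructed data, tool-only clustering puts inc-1, inc-2 and inc-4 together because all three used rat-alpha, even though their infrastructure and credentials do not overlap. Clustering on infrastructure and credential instead pairs inc-1 with inc-3 (same C2 and same credential, different tools) and inc-2 with inc-4 (same credential), which is the kind of grouping that survives an attacker swapping one commodity RAT for another.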

There are pitfalls to analyzing the origin of an attack, however. One dangerous assumption victim organizations sometimes make is that a bot problem isn't as big of a deal as an advanced persistent threat-type attack. "You should not segregate what you believe to be a traditional e-crime attack and push it off to the side. [Don't] leave those machines unremediated just because they are botnets and 'not important' and you just worry about APT," says Greg Hoglund, CTO at ManTech CSI and founder of HBGary.

Just because it's a bot infection doesn't mean it's harmless. "Keep in mind that every single one of those bots has the potential to drop a shell onto that computer and to exfiltrate files out of the network. To make the assumption it's not being used is a dangerous assumption," he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
