Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

08:37 PM

Security Teams Need Better Intel, More Offense

Adversaries go through five steps to prepare and execute an attack, but defenders only react to the last two steps. It's time for defenders to add intelligence gathering, counterintel, and even offense to the game, security experts say

The recipe for a cyberattack is straightforward: Attackers gather intelligence on the target's systems, research vulnerabilities, exploit those weaknesses, gain control of the systems, and conduct post-exploitation operations.

Click here for more of Dark Reading's Black Hat articles.

Yet for the first three parts of attackers' operations, most defenders do nothing. Only after attackers act on a corporate network -- the fourth step -- does a victim's security team becomes aware of the attack. In a presentation at the SOURCE Boston security conference last week, independent security consultant Iftach Ian Amit told attendees that defenders need to do better.

"We are basically just waiting to be attacked," he said.

Increasingly, security experts are recommending that companies become more aggressive in gathering information on their attackers. Companies need to gather or buy intelligence on adversaries and should consider more active counterintelligence operations, Amit said. Rather than hunker down behind the firewall, like defenders of a medieval castle, security analysts should explore the landscape. To match attackers' first steps, defenders should model their organization's threats, gather intelligence, and correlate the data to pinpoint possible threats, he said.

"We can be much more active" in defending our networks, Amit said. "Counterintel is fair game ... Everything around is yours; you better know everything that goes on out there."

The case for more active defense has gained adherents over the past few years. In 2009, the then-classified Comprehensive National Cyber Initiative -- the U.S. government's cybersecurity strategy -- reportedly relied heavily on the concept of a defense that adapts to the offense. Rather than focusing on all vulnerabilities equally, for example, defenders can use data from actual attacks to help them create specific defenses to protect critical infrastructure and corporate networks.

Support for more active responses to attacks has grown as well. In 2009, two researchers presenting at the Conference on Cyber Warfare in Tallin, Estonia, argued that some groups be allowed to shutter botnets on behalf of the victims. With the Microsoft Active Response for Security (MARS) program, Microsoft has essentially done just that -- shutting down four botnets in the past two years and showing that offensive actions can help protect defenders.

[Microsoft's Zeus botnet case demonstrates the risks and challenges associated with takedowns when multiple groups are tracking the same botnet. See Botnet Takedowns Can Incur Collateral Damage.]

While many companies are satisfied with keeping a passive defense, others chafe at the constant stream of attacks and their inability to attack back, said Ken Silva, senior vice president for cyberstrategy at information technology contractor ManTech International.

"I will tell you that companies today are getting very frustrated with the continuous landscape of compromise," Silva says. "They feel incredibly helpless, so they are looking for the next thing they can do ... The measures that companies will take to defend themselves is going to escalate."

Silva does not condone attacking the attacker, however. Active intelligence-gathering, yes. But targeting attackers can easily backfire, he warns. If attackers are staging attacks from another company's servers, for example, then defenders who attack back can damage an innocent party's server and are putting themselves in legal jeopardy.

"There are a lot of risks on a number of levels," Silva says.

The legal pitfalls can be serious, acknowledged consultant Amit. He stressed that companies should consult with their lawyers to make sure that they are abiding by all laws. However, companies need lawyers that will seek creative legal solutions to the problems, Amit said.

"Get a real lawyer -- not one who will tell you, 'No, you can't do that,'" he said. "Get a lawyer who will tell you, 'You can't do it like this, but if we put a server over there, then, yeah, you can do that.'"

Operating out of Israel, Amit has infiltrated communities of adversaries targeting his clients to gather intelligence, he told attendees at SOURCE Boston. In one case, he replaced a remote access Trojan with a compromised version that could allow defenders to track they users of the software. In another case, his client replaced a program that creates fully undetectable malware with a version that would send defenders the signature of any code created with the program.

The need for such tactics are relatively rare, says Phil Lin, director of product marketing for FireEye, a maker of products to detect advanced threats. Counterintelligence does not mean that defenders need to attack back. Instead, they can employ other tactics, such as honeypots and threat intelligence, to better understand attackers.

Yet even Lin can understand the frustration of defenders unable to permanently stop attackers' activities.

"It is definitely fair to say that customers and enterprises are very frustrated with the current state of cybersecurity," he says. "But what people choose to do about that frustration is the point in question."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/27/2012 | 6:23:24 AM
re: Security Teams Need Better Intel, More Offense
Prescott Small
Prescott Small,
User Rank: Apprentice
4/25/2012 | 3:54:48 PM
re: Security Teams Need Better Intel, More Offense
-While I agree with much of the article the idea of doing anything to get the
attention of attackers is a bad one.- I spent the majority of last year
researching many of the concepts in this artcile and published the reults in a
peer reviewed paper through SANS.org titled:

Defense in
Depth: An Impractical Strategy For a Cyber
World [ISBN: 1469934922]



For one, a
Counter-attack would not be legal and secondly the ethics of a counter attack
would be questionable at best. Thirdly, at the minimum, counter attacking would
not be cost effective or practical for those practicing Cyber-Defense with their
existing challenges and strained resources. A counter attack from the public
sector would not have a return on investment, would likely result in escalation
of the attack and increase costs with little to no measurable benefit for the
effort. For evidence of this opinion one need only take a look at the reactions
from groups like Anonymous and their attacks against HB Gary or PayPal. There is
no profit in provocation. (Associated Press, 2011; Goodin, 2011; Lennon, 2011;
McMillan, 2011)
User Rank: Ninja
4/25/2012 | 1:49:53 AM
re: Security Teams Need Better Intel, More Offense
But targeting attackers can easily backfire, he warned. If attackers are staging attacks from another company's servers, for example, defenders who attack back can damage an innocent party's server and are putting themselves in legal jeopardy."
Good point here.-
Brian Prince, InformationWeek/Dark Reading Comment Moderator
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-07
The affected product is vulnerable to integer overflow while parsing malformed over-the-air firmware update files, which may allow an attacker to remotely execute code on SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, C...
PUBLISHED: 2021-05-07
The affected product is vulnerable to an integer overflow while processing HTTP headers, which may allow an attacker to remotely execute code on the SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, CC13X2 and CC26XX SDK v...
PUBLISHED: 2021-05-07
Proofpoint Enterprise Protection (PPS/PoD) before 8.17.0 contains a vulnerability that could allow an attacker to deliver an email message with a malicious attachment that bypasses scanning and file-blocking rules. The vulnerability exists because messages with certain crafted and malformed multipar...
PUBLISHED: 2021-05-07
VMware vRealize Business for Cloud 7.x prior to 7.6.0 contains a remote code execution vulnerability due to an unauthorised end point. A malicious actor with network access may exploit this issue causing unauthorised remote code execution on vRealize Business for Cloud Virtual Appliance.
PUBLISHED: 2021-05-07
LivingLogic XIST4C before 0.107.8 allows XSS via feedback.htm or feedback.wihtm.