Blackhat keynote speaker Shawn Henry, the former executive assistant director of the FBI’s Criminal, Cyber, Response and Service Branch, started off the day after opening remarks from Jeff Moss, founder of Blackhat. Moss wondered if now was the time for the cyber-security sector to take a more aggressive/offensive approach. Jeff mentioned working for a former employer years back, a firewall manufacturer who had a product that would launch specially crafted code in response to an attacker, sort of an early offensive DoS attack. This was an early attempt by security professionals to cause pain by going on the offensive.
But since DoS attacks aren’t exactly a legal offensive tactic nowadays, what to do? He recommends civil action, a la recent Facebook actions where attackers were sued in civil court. But what happens when attackers are overseas? Mr. Moss is hopeful that responding in a civil manner would “encourage” other countries to implement legal protections to stop current and future attack attempts abroad.
What can we do besides sue? Mr. Henry proposes advancing technologies like deception, network decoys and other trickery, along with heavy network segmentation as a possibility to turn the tide. He also pushes for more legislation that would make tactics more effective at nabbing bad actors. But this sort of legislative pressure is famous for riling up privacy pundits, who are sure to respond with counterpoints to perceived privacy erosion. Still, he argues current laws are archaic and do not allow adequate response to the current threatscape.
In the meantime, Mr. Henry says today’s headlines reflect only a tiny sliver of what is actually happening, attack-wise. Companies, he said, vastly under-report hacks, and in fact the FBI frequently has the dubious honor of notifying companies that they have been breached after their private data has been found in the public domain during other investigations.
To give an idea of the total size of attacks, Mr. Henry estimates close to 90% of the REAL attack activity is happening in the classified environment, sort of “below the water line” to use an iceberg analogy. This means we are only seeing a tiny slice of an even tinier slice of the real threat, to use his characterization.
He calls the Internet a great attack equalizer, allowing any of the billions of Internet users to plan and possibly launch an attack, and paints this threat theater as one of the top threats faced in the world today, aside from WMD. And Internet threats are far easier to carry out than deploying Weapons of Mass Destruction.
But not all attacks are created equal; the motivations vary. If, for example, a company you plan to do business with has conducted network exploits against you, they may already know what kind of financial position you are in and what intellectual property you really have, and would therefore be in a much stronger negotiating position, possibly tilting the tables heavily in their favor. Mr. Henry compares this to taking a test where you already know all the answers, and therefore are HEAVILY favored to win.
What does he recommend? First he tries to glean wisdom from more traditional physical attacks and adapt those lessons against the attacker.
These include:
- Denial and deception – Keep the attackers out of your core network by sending them on wild goose chases using network tricks
- Decoys – Serve up fake information, designed to foil attempts to gain intelligence, sort of poisoning their intel, and helping them along with the same wild goose chase
- Raise the network defense bar – Cause them considerable pain (and the cost of buying more advanced tools); make them spend months of effort trying to get in
- Heavy use of defense-in-depth tactics – Don’t put all the crown jewels one level deep from the perimeter, but make attackers have to penetrate multiple levels
- Log everything you can – This will help greatly when trying to find a smoking gun during an investigation. This means both inbound and outbound traffic, and especially watch for abnormal outbound traffic, a telltale sign something bad is happening.
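The last recommendation, watching logged outbound traffic for abnormal volume or unexpected destinations, is something a practitioner can start doing with very little tooling. The block below is an added example written for this recap; it is not code from the talk or from any product mentioned. It runs over a few constructed flow-log lines in an assumed "timestamp src dst port bytes" format, treats RFC 1918 ranges as internal (an assumption), and flags two things: hosts whose total outbound byte count is far above the median of their peers, and outbound connections to ports outside an assumed expected set.

```python
"""Flag abnormal outbound traffic in flow-log lines (added example, not from the talk).

Assumptions: log lines are "timestamp src_ip dst_ip dst_port bytes", the
internal address ranges are the RFC 1918 blocks, and the thresholds below
are illustrative starting points rather than tuned values.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample flows. The three 22:xx lines model a host pushing
# roughly 1 GB to one external address at night plus an IRC-port connection.
SAMPLE_FLOWS = """\
2012-07-25T09:00:01 10.0.1.20 10.0.2.5 445 4096
2012-07-25T09:00:05 10.0.1.20 93.184.216.34 443 1200
2012-07-25T09:01:10 10.0.1.21 93.184.216.34 443 900
2012-07-25T09:02:00 10.0.1.22 93.184.216.34 443 1500
2012-07-25T09:03:00 10.0.1.23 93.184.216.34 80 700
2012-07-25T22:15:00 10.0.1.21 198.51.100.77 443 524288000
2012-07-25T22:16:00 10.0.1.21 198.51.100.77 443 524288000
2012-07-25T23:05:00 10.0.1.22 203.0.113.9 6667 300
"""

# Assumed internal ranges (RFC 1918) and assumed set of expected outbound ports.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
EXPECTED_PORTS = {53, 80, 443}


def parse_flows(text):
    """Turn log text into a list of flow dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, size = parts
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(size)})
    return flows


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_flows(flows):
    """Keep only flows that leave the internal network."""
    return [f for f in flows if is_internal(f["src"]) and not is_internal(f["dst"])]


def find_anomalies(flows, volume_factor=10, min_bytes=1_000_000):
    """Return per-host outbound volume outliers and flows to unexpected ports.

    The baseline is the median of per-host outbound bytes, so one host
    exfiltrating a large amount does not drag the baseline up with it.
    min_bytes stops tiny networks with a near-zero median from producing noise.
    """
    out = outbound_flows(flows)
    per_host = defaultdict(int)
    for f in out:
        per_host[f["src"]] += f["bytes"]
    baseline = median(per_host.values()) if per_host else 0
    volume_outliers = sorted(
        host for host, total in per_host.items()
        if total > volume_factor * baseline and total >= min_bytes)
    unexpected_ports = sorted(
        (f["src"], f["dst"], f["port"]) for f in out
        if f["port"] not in EXPECTED_PORTS)
    return {"baseline_bytes": baseline,
            "volume_outliers": volume_outliers,
            "unexpected_ports": unexpected_ports}


if __name__ == "__main__":
    findings = find_anomalies(parse_flows(SAMPLE_FLOWS))
    print("median outbound bytes per host:", findings["baseline_bytes"])
    for host in findings["volume_outliers"]:
        print("volume outlier:", host)
    for src, dst, port in findings["unexpected_ports"]:
        print("unexpected port:", src, "->", dst, port)
```

On the constructed input the internal-only SMB flow is ignored, 10.0.1.21 is reported as a volume outlier against a median of 1500 bytes, and the 10.0.1.22 connection to port 6667 is reported as an unexpected port. The point of the median rather than the mean is that the compromised host cannot hide itself by inflating the baseline; in practice the port list and the volume factor would be tuned per network segment, which is where the segmentation advice above pays off.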
Will it be enough? These steps will certainly raise the bar of difficulty for people attacking companies, and therefore raise the cost to the attacker, which is a major factor when an attacker picks a target. If the costs become too high, they may go elsewhere or give up. They may also pick an easier target to exploit, and your company would be out of harm’s way.
But tactics change, and so does the threatscape. And if the last several years are any indication of what’s yet to come, hang on for a wild ride. Also, the old boxing admonition to protect yourself at all times certainly still applies.