violetkaipa - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Offensive security in the enterprise: Examples, advice and cautions

In IT, offensive security can involve methods other than 'hacking back.' In this #GRCChat recap, participants offer examples of active defense tactics, as well as advice on when to go on the offensive.

The pervasiveness of cyberattacks today has more enterprises seriously considering an offensive security strategy. But the fluid definition of active cyberdefense, the ethical and legal issues that surround it, and a host of other variables have many debating whether such a response is really practical and effective in impeding hackers. Additionally, there are many risks associated with offensive tactics such as "hacking back," including potential counter-attacks, collateral damage and more.

Because of the costs, implications and unknowns of offensive cybersecurity, it probably shouldn't be a first resort, the participants in SearchCompliance's latest #GRCChat agreed, but it has its place in the enterprise. Here, our editors and Twitter followers offer examples of effective offensive security methods, as well as tips on how organizations should evaluate their environment before deciding to practice active cyberdefense.

What are some examples of effective active cyberdefense?

SearchCompliance Site Editor Ben Cole pointed to some forms of active defense that entail an organization luring attackers into its network -- with fictitious documents, for example -- and then monitoring their activity:

Another tactic that can confuse hackers, Cole and tweet jammer Mark Underwood agreed, is placing beacon files in locations that might interest them. When attackers access the files, they set off an alert:

In addition to decoy files, other deceptive strategies that may confuse attackers include creating honey pots, or fake environments and systems.

Senior Managing Editor Rachel Lebeaux noted that some companies hire hackers to penetrate their own systems and networks to seek out vulnerabilities, a practice known as penetration (pen) testing. These individuals are sometimes called white hat or ethical hackers:

Perhaps one reason pen testing is underused is because many companies don't allocate enough funding for it, Dave Shackleford, founder and principal consultant of Voodoo Security, told sister site SearchSecurity. "They want to just kind of get it done, and that leaves a lot open, unfortunately."

How can companies determine what vulnerabilities are best targeted proactively?

It would be unrealistic, not to mention almost impossible, for organizations to apply security controls to every system, process, data or user, which is where risk assessments come into play. As Cole illustrates, these assessments not only shed light on which risks are associated with which systems, but also provide guidance on how to best protect those assets:

Another key aspect of an effective risk assessment? It must offer insight into the extent to which an organization will be affected, should a specific system or data asset become unavailable, participant Dan Sanders noted:

Participant Forvalaka41 suggested that known threats -- those detected by your security infrastructure, as opposed to unknown threats, which show up as abnormal patterns in system data -- are not good candidates for an active cyberdefense approach:

Forvlaka41 also questioned the cost-effectiveness of pursuing active cyberdefense as compared with investing in security engineering, software and building systems with fewer vulnerabilities:

Underwood pointed out that in addition to many security experts, venture capitalists tend to be leery of active cyberdefense. He pointed to security startup Illumio's adaptive security approach as an example of investors favoring a less offensive security method:

How do you define active cyberdefense, and do you use offensive security tactics in your organization? Let us know in the comments section below.

Next Steps

Read our first recap on walking the fine line between active cyberdefense and cybercrime. Then, head over to SearchSecurity to get various experts' take on what offensive security involves.

Dig Deeper on Vulnerability assessment for compliance

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

What proactive tactics do you use to foil hackers?
Currently, I still use the traditional methods that involve patching any loopholes that could be privy to hackers. I am keen to understand how I can possibly corrupt data as a proactive measure to foil any hacking attempts. This means that once I detect suspicious activity on my network, the trick here is to move any sensitive data to a location that is unknown to a hacker, thus leading the hacker to steal wrong information.
Stay current with patches and fixes. Monitor network activity and lock down sensitive data. Education for users to prevent hacks, viruses and phishing scams are a must as well. Sometimes it's little things that get overlooked and open your system to SQL injections and worse.
That is a good idea - rather than resorting to illegal hacking activities companies can plant bogus data and allow this information to be hacked. This might also be a good way to  prosecute hackers- see where this useless information turns up and who stole it. 
Stay up to date, check to make sure we are not letting back doors stay open, and currently we're doing regular scans on our applications to try to fin possible vulnerabilities.
agreed on the basics like constant monitoring, staying up to date on patches and educating users -- it's easy to focus on the latest and greatest tools and let other things fall by the wayside.
Log management. Strong passwords. Understanding security strategy. Visiting only trusted online locations and vendors. Easy.
Great points, folks. I'm all for implementing the security basics we've known about for decades and also agree that security by obscurity can work in many situations. I know it's easier for me to say being on this side of the table, but the research shows time and time again that we are failing in these areas.