
The future of active cyberdefense

Cyberthreats are becoming more advanced, with more companies turning to offensive security tactics to combat them. #GRCChat-ters predict how companies can navigate the unclear waters of active cyberdefense.

Active cyberdefense, sometimes called "hacking back," is no longer just a term bandied about by federal officials with access to top-level security clearance. These days, companies in the private sector are also turning to offensive tactics, particularly as cyberattacks become more sophisticated.

But the terrain is dangerous. "You're responding to an adversary with bytes when they're used to responding with bullets. They're not operating in a world where they're simply going to compromise your host and deface your website. They're going to come back shooting," warned Adam O'Donnell, chief architect at security vendor Sourcefire Inc.

Because active cyberdefense isn't a black-and-white issue, particularly considering the many questions that surround its legality, companies looking to pursue a more offensive security stance must take care should they decide to go after malicious actors. In this #GRCChat recap, SearchCompliance Twitter followers and editors share their predictions for the murky future of active cyberdefense.

What is the future of active cyberdefense? Will more companies 'hack back'?

SearchCompliance Site Editor Ben Cole and Senior Managing Editor Rachel Lebeaux provided an initial overview of, and outlook for, proactive cyberdefense, speculating that more private companies will take matters into their own hands as a growing number are targeted by advanced attacks -- which will necessitate further involvement from the U.S. government and regulators:

One of the reasons security experts can't agree about what offensive security involves, as Lebeaux hinted, is the lack of clear legal parameters around the issue. The primary U.S. regulation that governs active cyberdefense activities is the 1984 Computer Fraud and Abuse Act (CFAA), which penalizes anyone who exceeds authorized network access. The law is vague, however, because the legal definition of access ranges from physical access to a computer to crossing the boundary of any given network. Companies that have experienced a data breach often aren't clear on the legal limits of responsive action.

As Randy Sabett, attorney at ZwillGen PLLC, explains, "If you now come back at [the attacker] yourself or maybe you hire one of these companies, the thing that you have to worry about is, 'Are the activities that you're engaged in, or that you've authorized someone to engage in, potentially violating the CFAA?'"

Many companies are becoming frustrated by their frequent inability to defend themselves against sponsored foreign attacks, as participants Dan Sanders and Forvalaka41 noted:

There is, however, progress being made in terms of aid and protection from the U.S. government. Tweet chatter Mark Underwood linked to a promising Air Force Research Laboratory (AFRL) announcement detailing research topic areas in cyberdefense that will receive federal funding:

For companies not fortunate enough to receive such funding, specialization in offensive tactics is costly. Underwood suggested that companies outsource the security capabilities they lack, or those for which it's difficult to secure funding:

Outsourcing is easier said than done, however, and isn't a fit for all companies, as renowned security expert Bruce Schneier writes in his blog. In deciding which security capabilities to assign out, Schneier's rule of thumb is to outsource expert assistance such as forensics and vulnerability assessments, but never management.

Underwood wasn't as optimistic about the promise of offensive strategies such as hacking back; instead, he argued that companies need to focus on bolstering their cyberdefenses. He pointed to Home Depot's failure to adequately protect its customers' information, which contributed to the data theft of 56 million payment cards:

Among the industry-standard security practices Home Depot failed to put in place? It used outdated antivirus systems and an in-store payment system that didn't include encryption software, and -- according to former employees -- its technology executives preferred to institute "C-level security" due to the higher costs of tighter installations.

Underwood drove home the point that while there are malware campaigns that get past even the best security defenses (such as the 19-year-old Microsoft OLE vulnerability), they are the exception rather than the rule. Data breaches usually occur as a result of holes in organizations' security strategies:

How about you? Do you think the future of cybersecurity lies in proactive defense or cyberoffense? Let us know in the comments section below.

Next Steps

Read our previous #GRCChat recaps on the blurry line between offensive security and cybercrime, as well as on active cybersecurity examples and warnings. Then, get advice on taking a proactive security approach from the 2014 MIT Sloan CIO Symposium.


Proactive defense or cyberoffense: Which camp are you in and why?
Where cyber-security is concerned I most assuredly fall into the proactive defense camp of protection. Maintaining the latest apps and patches for cyber-security gives the needed proactive defense against malware attacks, hacks, phishing and any other form of cyber-attacks. Going on the cyber-offense has the risk of angering the people behind the attempted hacks and may lead to more attacks on my system. This is why I fall into the proactive defense camp.

Good point carol482 - companies that go on the "cyberoffense" and fight hackers with more hacking could end up making things worse. Proactive cyberdefense, with infosec personnel staying on top of new security vulnerabilities and staying out ahead of potential threats rather than reacting to them, is a great way to stay prepared for new threats while also staying away from potential legal concerns that stem from "hacking back" efforts.

Maybe I'm confused, but isn't proactive defense a form of cyberoffense? I think all companies need to be as well versed as they can be when it comes to protecting data, provisioning personnel, and securing their property. If this has to be done actively, then do it. The payoff is that hackers will look for softer targets and hopefully leave your data alone. Seems like common sense to me.