Enough defense: Is it time for an IT security offensive?

Frustrated with the seemingly impossible task of protecting their networks, more security pros are ready to take the fight to the attackers.

With attacks on data and IT infrastructure on the rise -- along with the costs and potential business impact of attacks -- security professionals are starting to express a sense of futility in their work.

This is especially so following the past couple of years, which have included high-profile and successful attacks on companies that would be expected to have the wherewithal to protect their infrastructure, including RSA Security, Google, NASDAQ Directors Desk, Symantec, and many others.

"There's a sense that no matter what you do, what steps are taken, if someone wants to hack your systems, your data, they can," says the security analyst at a midwest manufacturer. "It's becoming insanely frustrating."

The U.S. -- in what some have argued is a move that both shows the importance of the IT infrastructure and the futility of traditional electronic defenses -- last year stated that the government would use military force in retaliation against certain cyber attacks.

"Frustration in the industry has certainly been growing, so much that more on the defensive side have been wondering what could be done to more proactively combat attackers," the analyst says.

Some of the ideas discussed include gathering intelligence about the attackers to share with other enterprises or hand over to law enforcement, establishing honeypots to capture more data about attackers, and even retaliating on specific systems used in attacks.

As we reported last week, Japanese defense engineers, for example, announced that they've developed a digital virus that can track down, identify, and disable attacking systems. Development of the virus began three years ago, and has only been tested on a closed network so far.

Going on the IT offensive, or at least being more proactive in one's defense, isn't a new concept. In 2003, security researcher Tom Liston started work on software he'd hoped would bring more balance to the fight against worms: LaBrea. LaBrea essentially trapped hackers and worms, and forced hackers to break off attacks, while preventing worms from moving on to other computers.

Unfortunately, Liston pulled LaBrea based on concerns about being prosecuted for disseminating a tool that disrupted network communications.

Just as Liston discovered nearly a decade ago, experts today warn that going on the IT security offensive isn't easy or straightforward. "The first and obvious challenge is accurately attributing attacks with the actual attackers," says Scott Crawford, managing research director, Enterprise Management Associates. "It can be difficult to understand where an attack is coming from when you have physical access to analyze the machine. It's much more difficult when the system attacking you is remote."

Crawford adds that the U.S. government is having a hard enough time solving the challenges of attack attribution considering the many ways the origins of attacks can be hidden -- such as through spoofed IP addresses, proxies, and other well-known attack obfuscation techniques -- that it would be next to impossible for enterprises to have much certainty into actual attack origins.

David Mortman, an analyst with the security research and analyst firm Securosis, says -- while not outright offensive retaliatory actions -- there are steps enterprises can take to be more proactive. "It's critical to your threat modeling efforts that you understand your enemy," Mortman says. "That can include installing honeypots and honeynets, and hiring third-party intelligence services. A lot can be said for these types of activities."

Another step forward, Mortman recommends, is joining the Forum of Incident Response and Security Teams (FIRST), or similar organizations. "The biggest and most immediate benefit are the contacts you will make. Should something happen, you know who to call," he says. "Maintaining those contacts with peers and friendly competitors is an excellent way to stay abreast of attack trends. Chances are, if attackers are targeting your competition they are already, or soon will be, targeting you."

However, Mark Rasch, director of cybersecurity and privacy consulting at CSC, warns that there could be significant legal repercussions for organizations that not only go on the offensive and get it wrong -- but also those that take seemingly timid steps, such as operating a honeynet.

"It's easy to get into legal and policy hot water," says Rasch. "A simple example would be if your privacy or website policy state that your organization doesn't collect information about visitors or customers, and then you set up a honeypot," he says. "That's a problem right there."

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter at @georgevhulme.

Copyright © 2012 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)