Playing cyber defense is not enough to win

Sometimes offensive attacks are a necessary part of the game

While the San Francisco 49ers are leading the NFL in defense, the New Orleans Saints currently hold the number one slot for total offense. In the overall league rankings, though, neither of those two teams rank in the top 10. 

What's the takeaway? Winning isn't strictly about strong offense or impenetrable defense. NFL league leaders advance to the top because they know how to balance the two; they know how to play the game.

To address the growing number of attacks on US government and private sector systems, President-elect Donald Trump's cybersecurity plan aims to "develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately."

The proposition raises the question of whether the security industry needs to consider whether preemptive, offensive cyber attacks are the wave of the future.

Jeff Bardin, CIO of Treadstone 71, said that counterstriking is being done to some degree, though quietly. "In cybersecurity, if the team is only focused on defense, they will never be able to score. They can't win the game," said Bardin.

Those using offensive attacks do so quietly because, "The cyber laws are not clearly defined," Bardin said. "The government makes counterstrikes because they are defending the country under the laws of warfare, but they won't defend against civilian infrastructure."

Private citizens have the right to defend themselves and their homes against criminals, but "If a person tries to break into your 'cyber house', the law hasn't been clearly defined," said Bardin.

If, however, offensive attacks are viewed through a cyber/property perspective, rather than a legal perspective or even a capabilities perspective, it is reasonable to believe that offensive hacks fall within the confines of the wider idea of self defense.

In their 2011 research paper, "Mitigative Counterstriking: Self-defense and Deterrence in Cyberspace," arguing for the use of active defense, Professor Jay P. Kesan and Carol M. Hayes of the University of Illinois wrote, "Passive defense methods are not used consistently enough to have a perfect deterrent effect, and are all but useless against attacks utilizing zero-day exploits."

The problem with commercial offensive cyber attacks is that no private enterprise wants to talk about (or admit to using) the strategy for fear of legal liability. Kesan and Hayes argued, "Mitigative counterstriking is also legally justifiable under several areas of domestic and international law, and can be made consistent with other areas of law by amending the law or by reinterpreting it."

Dave Aitel, CEO and owner, Immunity, agreed that while the law is pretty clear in most cases, there has traditionally been some flexibility with interpreting it. "We’ve been using prosecutorial discretion to make it not such a big deal for when big companies break the law for what we think are pretty good reasons," Aitel said.

When Google played a little tit for tat with the Chinese, they weren't prosecuted. "On its face, what Google did was illegal," said Aitel. It's entirely possible but far less plausible that Google is not alone in its decision to retaliate against a known attacker.

Perhaps it is time for the larger industry to have an open and honest conversation about the proper and necessary role of offensive security and to consider broader interpretations of the law?

In a recent blog post, Aitel proposed, "We want to have a chilling effect on cyber economic espionage while providing the beginnings of the ability to deal with wide ranging international systemic threats such as the Mirai worm, leveraging the deep bench of penetration testing talent and resources available in the private sector to do this without impacting our intelligence community missions."

Aitel's proposition, if it comes to fruition, could create an arm of law enforcement that would build a reliable partnership between the government and the private sector. Short of that happening, though, should enterprises be engaging in offensive attacks?

"I do believe we should do it. I think people are doing it, and a lot of people are putting structure around that," said Bardin. Because security in the commercial sector is largely about passive defense, those teams that rank top in defense aren't leading in the league overall.

"It's not working," said Bardin, "this passive defensive model of sit, wait, stop, limit data. Most people don't properly build their infrastructure, most developers don't build security in."

From his experiences in law enforcement, serving as a CSO, and working as a security consultant, Larry Johnson, CSO, Cybersponse said, "Offensive is the last resort."

One concern with counterstriking is that there is nothing definitive, said Johnson, so defenders could end up in a game of whac-a-mole. "Yes, you could wipe them out, but they could pop up somewhere else. Nothing is ever 100 percent offensive."

What's more important is being able to gather intelligence, which is best done by involving law enforcement. "You could really end up starting a cyberstorm, so I recommend always involving law enforcement, particularly because of de-confliction," said Johnson.

Conflict resolution demands concession, and in most cases diplomacy wins over many other tactics. "Law enforcement will work with the company and shortly thereafter they can go offensive, but I'd never go offensive without law enforcement," Johnson said.

Because security functions in nearly equal parts proactive and active mode, the best way to minimize potential damage is by limiting human error through security awareness.

When those processes and procedures are in place, and an incident response plan exists, teams can test them, which will lead to important conversations. "They can talk about offensive attacks to disrupt attacks in process so that you know you are in compliance and that you have the right to do this or that," Johnson said.

The bigger challenge to winning the game is not in offense or defense as much as it is in planning. Johnson said, "If you plan for it and everyone has looked at it and signed off, you don't have to worry, but a lot of companies don't plan for it."

Because there seems to be some ambiguity in interpreting the law, aggressively responding might not be the most prudent path. Dana Simberkoff, chief compliance and risk officer at AvePoint, said that outside of attacking their attackers, there are lots of things enterprises can do to be proactive.

"Understand the data that you hold; the more valuable it is, the more likely you are to be attacked," Simberkoff said. Companies that collect more data than they need and keep it forever in the hope that it will someday be useful are putting their data at greater risk.

"It's counterintuitive to best security practices. Even Snowden was not particularly creative. That should have been able to have been prevented," said Simberkoff. The mistakes aren't necessarily in the technical part of defense, but in the human errors.

"I've worked with privacy and security teams that definitely believe that responding in an aggressive way is the approach they should take, but I still feel like most vulnerabilities can be addressed by education and good policies and procedures," Simberkoff said.

That's why the teams that are topping the ratings charts in the NFL aren't the ones who are ranking first in either offense or defense. They are the ones that are holistically playing a better game. 

Copyright © 2016 IDG Communications, Inc.