Keeping adversaries at bay requires offensive hackers to infiltrate the DNA of tomorrow's enterprises

MIAMI — Immunity Inc kicked off the Infiltrate 2016 conference this morning with a warm welcome from Dave Aitel at the Fontainebleau Hotel. Keynote speaker Nate Fick, CEO at Endgame, spoke from both his military and private sector experience about what needs to happen in order to secure the future of the digital enterprise and the digital world.

Addressing the crowd of offensive hackers, Fick offered advice for both the government and private fronts. “Continuing to do the same will not work,” Fick said, which is why the tools that are more flexible and easily modifiable have become more popular.

“We need discontinuity in the adoption cure,” Fick said, “but you can’t hack back. Hacking back is stupid, for many reasons not just that it is illegal.” He argued that while it is illegal, laws change. “Remember it used to be illegal to drink a beer in this country, and it was legal for a kid to work in a coal mine,” he said.

Beyond the issue of legality, hacking back is what Fick described as climbing up the escalatory ladder, which you can’t do successfully unless you have the right tools. The tools and the power or ability to use them legally have historically been granted to the government. Certainly the perspectives of government and private sector vary when it comes to many topics, including security. A self-proclaimed optimist, Fick said, “We can do as much to adversaries with defense as we can do with offense.” There are, however, changes that need to happen in both the government and the private sector in order to bring down adversaries.

The government, said Fick, “needs to define declaratory policies that outline a shared understanding of the red lines. What is espionage?
What constitutes an offense?” Once those red lines are clearly defined, there needs to be an escalatory policy, which includes a series of moves and counter-moves rather than escalating to the greatest use of force. In addition, the government needs to educate the public that digital offense is not intrinsically bad. “We traditionally venerate kinetic offense,” said Fick, “but computer offense has always seemed sleazy.” If the laws of offensive hacking are to evolve, the connotation of the word ‘hacker’ and the work that they do in digital offense needs to change.

The next generation of cyber security experts must possess offensive capabilities. Enterprises and government need to develop better policies to attract the talent of those who are perhaps secret experts concealing their offensive skills in the digital shadows.

Fick said that the tactic of digital offense is increasingly being “integrated into kinetic offense.” The problem therein is that, “The government will be tempted to hack more killers and kill more hackers.” All the more reason why clear policies need to be established and tough and sometimes uncomfortable questions like “What level of hacking warrants a bullet?” need to be answered, Fick said.

These are important questions that impact not only the digital world. These are societal issues, and in order for the current perceptions about offensive hacking to shift, everyone needs to be educated, but (as one attendee noted) there are no schools for pen testers.

In the private sector, enterprises have focused on prevention, but Fick said, “They need to spend more on detection and remediation, on next generation tools rather than last generation tools.”

The companies of the future that will be able to withstand the shifts in the security industry are those that build diverse teams. “Diversity is a wellspring of innovation,” said Fick, “whether it is gender, background, or perspective,” he continued.
When experienced people with a wide range of perspectives come together, it makes for effective problem solving. Those who have the skills to think like an adversary and be a stealthy and invisible attacker will have the greatest offensive success. “By stealthy,” said Fick, “I mean using domain credentials, hardening tools, and signature diversity.”

There are no silver bullet solutions to issues in security, Fick said, but if we can change policies, continue to advocate for STEM education, and rely on companies that build better tools, we can take down adversaries. “Being proactive, aggressive, and offensive are the essential skills for the next generation of success,” said Fick, who noted that 25% of Endgame employees are attackers.

By creating a culture and environment that is appealing to a larger group of people, Fick said, enterprises will build better relationships with those who have been marginalized and often undervalued in the security world.