Is it TIME to PLAY OFFENSE?
There has been a lot of talk in the industry about companies and organizations taking a more offensive cybersecurity position and developing counterattack or hack-back strategies against these attackers. It may sound noble to take the fight to the cybercriminal and punish them directly; however, it could be dangerous and likely expose the company to liability, as attackers generally use compromised servers of innocent people from which to launch attacks. Even though I have experienced multi-gigabyte-per-second distributed denial of service (DDOS) attacks, I have never been a member of the hack-back camp. But that doesn’t mean you have to sit back and take a passive position. Instead, here are three effective, proven actions to help protect critical systems by playing an offensive role.
Implement a Threat Intelligence Program
Threat intelligence involves several key factors, among which are system and human intelligence. One source is internal, that data you obtain from your own systems, employees or business partners. Internal system intelligence includes gains from analyzing network traffic, log files, security appliances, etc. Though it can be harder to analyze, it can be as simple as your help desk seeing an increased number of calls due to system lockouts or employees reporting unusual behavior of other employees.
One of the areas you will want to consider is black holing traffic at the edge router based on traffic patterns and characteristics of the traffic
Another source of intelligence comes externally in many ways, including through opensources that can be gained at no cost, membership in organizations such as one of the sector information sharing and analysis centers (ISACs), and participation in governmental programs. There are even vendors who will automatically feed system information to your analytics engine on a subscription basis.
The U.S. Department of Homeland Security (DHS) has a program called Automated Indicator Sharing (AIS), a system for sharing cyber threat indicators such as malicious IP addresses or the senders of phishing emails. The intent is for private sector partners to set up a server to share indicators with DHS’ AIS server. DHS will send those indicators out to the private sector, in combination with indicators that DHS gets from law enforcement, intelligence and our own efforts to protect the government. Companies get liability protection for the indicators they share with DHS through this system. Companies submitting indicators are anonymized, unless they ask otherwise, STIX/TAXII standards are used, and to get involved, you must sign a brief terms of service and set up a TAXII server.
It is important to distinguish between intelligence and information or data. Intelligence is the product of taking the pieces of information or data and then analyzing it for value and application. This analysis process can include manual, human analysis or a system analytics engine for parsing information. Since the objective of gaining intelligence is to apply it to your environment, the analytics must be in the context of your environment. You may get the juiciest intelligence in history, but if it does not apply to your environment, it just doesn’t matter. For instance, you could get preemptive information on how to stop an imminent attack on Red Hat Linux, but if you don’t have that version of Linux in your environment, it is of little value to you.
So, once you sign up for all the programs mentioned above, how are you going to get through all that information? Some of the intelligence will be obvious such as a bad URL to block, a port to close, an email address to block, etc. But some will require deeper analytics. To be effective, you must have an analytics engine that is capable of systemically parsing through the data to produce the intelligence you need. The analytics should produce a confidence factor, and over time, you will be able to automatically apply the intelligence to your systems.
Fight the Fight as Far Away as Possible
The concept is: The farther away from your environment that you can knock out the bad traffic, the better. One of the areas you will want to consider is black holing traffic at the edge router based on traffic patterns and characteristics of the traffic. Generally your network carrier can help with this. Another consideration is to implement a DNS firewall to drop or redirect traffic that is known to be bad or otherwise has similar characteristics. Even if the traffic is not technically bad, some can still not be good or useful due to how it is configured; therefore, drop it rather than take a chance.
When looking at fighting DDOS, this is where one of the services can help immensely. While you can install your own DDOS protective solution, with the strength of the attacks seen today, it is most advisable to have one of the services that will scrub and knock down traffic outside your perimeter before it becomes a problem.
Dark Web Analytics
Another offensive measure is to gain intelligence through dark web inspection. There is a defined process in how to gain access to the dark web chat rooms and blogs, and without being authenticated, one would not gain this access. This service can identify attacks in the reimplementation phases through chat that can be identified against your company so you can take preemptive measures. Often, this analysis can identify stolen credentials of your employees, system administrators or clients, letting you take preemptive measures such as changing passwords or accounts. Having this information before an attack or illegitimate use prevents needing to defend as the attack unfolds or remediating after it’s over.
Though there are other offensive tactics that could be added to this for you to use, taking a proactive, offensive stance will help prevent attacks and bolster your defensive position. As the old adage goes, the best defense is a good offense.