Thoughts on the Active Defense Debate

Wednesday, June 24, 2015

Joseph Pizzo


I’d like to take a moment of your time to talk about the hacking the hackers debate. I recently read the article Hack the Hackers? The Debate Rages On, and the two themes were do it and don’t do it.

Both sides had great points, and it almost seemed to me that there was some measure of agreement between them.

It appears to me that on the side opposing an active defense strategy, knowledge is the problem. I am not referring to the knowledge of the individuals and their ability to break into the bad guys’ systems and networks; my takeaway is that the real knowledge gaps are about the internal network, the value of the data, and where that data lives.

I also agree that if you don’t know your network, your valuable assets and resources, and where your intellectual property is stored, developing an active defense strategy of hacking back is futile.

There is a mantra among infosec vendors: People, Process, and Technology. I have heard this from nearly every sales rep, director and VP at every company I have worked for, and from every vendor I have worked with, for the past twenty years. It isn’t a bad mantra either.

In fact, it gives you a way of thinking about a business problem in terms of the three elements needed to address it.

It makes sense that if you have a plan that includes a policy and a process to defend, detect and respond, then you have an advantage. A good foundation that goes through periodic peer review and regular updates to address emerging threats and technology provides the building blocks of a stronger security posture.

The best security practitioners have a plan and, in most cases, work to build that plan into a process, which then becomes policy.

Another part of the mantra, technology, is the part that addresses a specific business problem. This is where the majority of vetting is applied. A problem emerges or rises to the top, research on a solution is started, vendors and professionals gather to offer solutions, more research is conducted, testing occurs on the proposed solutions, and somewhere down the line a decision is made on how to address the problem.

Often there is a large amount of scrutiny on the technical solution. Features and functions are run through the gamut, the security of the solution is verified, tested and validated by vendors and purchasers, proofs of concept are run, and, based on actionable success criteria, the problem is addressed through a build-or-buy approach.

People (expertise) is the last part of the mantra. Largely, this is about teaching people the technologies that are introduced to solve the business problem being addressed.

This consists of one-on-one knowledge transfers between vendor engineers and customer end users, executive-to-executive solution explanations, presentation delivery, formal training and continuing education.

It is part of the process of selling, purchasing and building solutions to real security issues. Solution expertise can be very impactful to an organization or an individual.

It can lead to millions of dollars in savings, a new practice that creates envy in an industry, a strong, referenceable security practice, and team visibility in an organization where executives can feel secure and proud of the achievements of their team members.

It can also lead to recognition, a career development path, certification of knowledge, and a cool badge or title on an individual’s business card that displays how hard they have worked to accomplish something of value.

People are, in my opinion, the most important part of the mantra. This also leads back to the discussion of hacking the hackers.

We develop knowledge as we need it. I am going to wager that a large majority of those of us in the InfoSec community studied some form of CompSci at some point. I am also going to wager that though we had some really amazing instructors, professors and mentors, we did a bunch of the learning on our own.

My point is that we are all autodidacts, meaning that we are a population of self-educating professionals. This includes those of us with advanced degrees and education, because in reality, institutions of higher learning cannot teach everything.

We read, research and test technologies in order to have a better understanding, and because what we do is fun and cool. We are at an exciting time where information is at our fingertips and can be obtained from multiple sources at any time from nearly anywhere.

This should give us the drive to learn better methodologies to defend our resources. Sadly, however, this also supports the argument against an active-defense, hack-the-hacker strategy.

Only a small portion of this community has the deep skill set needed to stage a response attack. I’m not sure whether the lack of that skill set is related to learning priorities, time, fear (of failure or success), interest, or comfort level. Maybe it is because of where we are in our careers or what we have learned that pushed us forward.

The future does look brighter, though. Today, children as young as four and five have access to technology learning resources such as the Raspberry Pi and entry-level programming resources; IDTech camps (paid camps) provide learning experiences that make technology cool and fun; and there are free resources to teach and expand the minds of today’s youth, thanks in large part to the general technology community.

My hope is that the generation of children being raised today will have both the attack and defense skills to tackle the business problems of now and the future.

Rafal Los (@Wh1t3Rabbit on Twitter), director of solutions research & development at Accuvant, was quoted in CSOOnline’s article saying he “believes if defenders do what attackers have been doing – learning about their adversaries’ tactics, capabilities and tools – they will be more successful…” and that “defenders need to know much more about their own environment.”

I believe that he is absolutely correct. However, I also see this as a challenge to organizations to improve their defense. Organizations large and small need to run a better defense and get better at securing their assets; only then should an attack response be considered.

This was cross-posted from the Dark Matters blog.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.