In the light of unprecedented attacks by cybercriminals against businesses that span every industry, this question has come to the fore: Is it time to fight back?
As the Founder and CEO of Wisegate, a private, expert peer group for senior-level IT executives, I get to work with some of IT's best and brightest security professionals and have a ringside seat to the discussions that unfold.
Wisegate member Jeff Bardin, Chief Intel Officer at Treadstone 71, says "hacker groups and disruption of business has reached an all-time high and no longer can be ignored. We want to get the adversary' to understand that if they launch an attack against a company, there will be costs to pay."
But members not in favor of going on the offense point to the issue of attribution as a major reason why it won't work: it's too difficult to pinpoint the location and source of many cyberattacks. Yet many security experts say there are some "offense-like" tactics that can drive up the cost of hacking into a corporate network and, if deployed properly, could discourage hackers enough to have a major impact on the threat landscape.
There are interesting questions being raised about how far businesses can go and what types of attacks can actually be effective, says Wisegate member Martin Zinaich, Information Security Officer of the City of Tampa. "It doesn't necessarily have to go from nothing to launching a full out assault against cybercrime infrastructure. It could be much more subtle things like feeding the bad guys misinformation or doing your own reconnaissance."
In fact, many Wisegate members believe there are offensive security measures the good guys can leverage. Misdirection tactics, for example, can be deployed by heavily targeted companies, such as those in the financial or defense sectors.
"We need to start thinking like our adversaries, to look at different approaches and techniques to confuse an attacker," said Wisegate member Tim McCreight, CISO for the Government of Alberta. "We're looking at using ethical or white hat' hackers to check our defenses, and we're approaching our program like we're trying to break into our systems. We need to adopt this mindset, and keep focusing on risks."
Unfortunately, offensive security tactics may have their drawbacks as well. Some companies may want to refrain from specifically targeting hackivist groups since it raises ethical questions and the legality of the practice. In addition, building phony systems and fake credentials may be too costly to deploy.
Wisegate members agree it's hard to agree whether "hacking back" is an acceptable enterprise defense practice when no one can agree what the term means. Offensive security is huge but relatively undefined and it's compounded by the fact that the laws governing it are vague.
Sign up for CIO Asia eNewsletters.