Tired of having malware punch you in the face? The time's not right to hit back, but here are moves to make now.

Michael A. Davis, CTO of CounterTack

January 18, 2013

4 Min Read

InformationWeek Green - Jan. 21, 2013

InformationWeek Green - Jan. 21, 2013

InformationWeek Green

InformationWeek Green

Download the entire Jan. 21, 2013, issue of InformationWeek, distributed in an all-digital format as part of our Green Initiative
(Registration required.)
We will plant a tree for each of the first 5,000 downloads.


Storage Innovation

Storage Innovation

In our dive into the theory behind offensive cybersecurity, Gadi Evron summarized the legal and ethical problems of fighting back against an attacker. There are also some purely tactical problems: How do you know you're not blasting some grandmother in Akron whose PC is a zombie? Are you prepared to come under the glare of organized criminals?

I share Evron's outlook that for most, if not all, nongovernmental entities it's too soon to go down the path of all-out, offensive security counterattacks. Many other security professionals agree, and you can get a good summary of the academic and government research on cyber espionage, cyber deterrence and cyber offense by reading a recent post by Dave Dittrich, a member of the HoneyNet Project: "No, Executing Offensive Actions Against Our Adversaries Really Does Have High Risk (Deal With It)."

But you can do a lot more than read and hope. Here are some ways to take action now that will at least let your team start taking a more offensive security mindset.

Step 1: Do active risk analysis to know what attackers may strike at, and how.

Intelligence gathering is an arduous task for even well-funded government agencies, so it is highly unlikely that your company can achieve the level of detail required for true cyber intelligence about attackers. Further complicating intelligence gathering is that private-sector chief information security officers don't share details of successful breaches, even though such collaboration would be critical to understanding and linking methods and attackers. But that's another article.

For now, focus your effort on the intelligence gathering you do control: knowledge of your own systems, networks and business.

Strategy: Cybersecurity on the Offense

Our full report on offensive cybersecurity free with registration.

This report includes 21 pages of action-oriented analysis. What you’ll find:

  • Strategic Security Survey data on the top reasons for increased vulnerability

  • Top breach/espionage threats: cybercriminals tied for No. 1

Get This And All Our Reports

Conventional cyber defense involves security engineers trying to figure out what attackers can do, how they might break in and what system holes could be exploited. But this is where IT could learn from traditional engineering disciplines, which take a more proactive approach. For example, mechanical engineers are taught to approach problems using failure analysis. This technique involves identifying the conditions where a failure can occur instead of trying to figure out what failures can occur. Think of an explosion caused by an oily rag. Without oxygen, oil, the rag and fire that ignites everything, an explosion won't happen. Yet most security engineers trying to keep their networks from being blown wide open look for flames via log data (the attack) rather than finding the oxygen, oily rags and sparks -- what must be present for an explosion.

Your intelligence gathering needs to focus on identifying hazardous conditions. You will then learn each condition also has a subset of conditions, and this chain continues until you have an addressable condition. For example, instead of trying to detect or prevent a zero-day exploit from installing malware on a machine, ensure that the conditions for a breach are not present. Eliminate easily guessed passwords, weak permissions on files and folders, and administrative permissions, all which are under your control, instead of trying to figure out where and how any given piece of malware, which you don't control, might strike.

This approach requires that your security team know how attackers accomplish their mischief once inside, and that means spending time learning how exploits, penetration testing and underlying applications work. This isn't easy, but it's why mechanical engineers spend years being trained about potential conditions.

While there are several failure-analysis methods, including Alex Hutton's Risk Fish, discussed recently in Dark Reading, here's how we recommend you go about it:

To read the rest of the article,
Download the Jan. 21, 2013 issue of InformationWeek

About the Author(s)

Michael A. Davis

CTO of CounterTack

Michael A. Davis has been privileged to help shape and educate the globalcommunity on the evolution of IT security. His portfolio of clients includes international corporations such as AT&T, Sears, and Exelon as well as the U.S. Department of Defense. Davis's early embrace of entrepreneurship earned him a spot on BusinessWeek's "Top 25 Under 25"
list, recognizing his launch of IT security consulting firm Savid Technologies, one of the fastest-growing companies of its decade. He has a passion for educating others and, as a contributing author for the *Hacking Exposed* books, has become a keynote speaker at dozens of conferences and symposiums worldwide.

Davis serves as CTO of CounterTack, provider of an endpoint security platform delivering real-time cyberthreat detection and forensics. He joined the company because he recognized that the battle is moving to the endpoint and that conventional IT security technologies can't protect enterprises. Rather, he saw a need to deliver to the community continuous attack monitoring backed by automated threat analysis.

Davis brings a solid background in IT threat assessment and protection to his latest posting, having been Senior Manager Global Threats for McAfee prior to launching Savid, which was acquired by External IT. Aside from his work advancing cybersecurity, Davis writes for industry publications including InformationWeek and Dark Reading. Additionally, he has been a partner in a number of diverse entrepreneurial startups; held a leadership position at 3Com; managed two Internet service providers; and recently served as President/CEO of the InClaro Group, a firm providing information security advisory and consulting services based on a unique risk assessment methodology.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights