Cyber attack retaliation a bad idea, says international panel

Retaliatory cyber attacks are not a good idea, an international panel has told a joint security practitioners conference in Chicago

Retaliatory cyber attacks are not a good idea, an international panel has told attendees of a joint session of the ASIS International and (ISC)2 2013 annual congresses in Chicago.

Although security practitioners' ability to trace the source of cyber attacks is improving, they said it is seldom possible to do this with total certainty, particularly in the most sophisticated attacks.

But even where attribution is possible, retaliation is not good because it typically leads to an escalation of attacks and an increase in complexity, said Scott Borg, chief of the US Cyber Consequences Unit.

“We already know attackers are able to dodge every defence trick and, as we get better at attribution, attackers will go to increasingly sophisticated methods, and then we are in trouble,” he said.

Dave Tyson, senior director of global information security at SC Johnson & Son, said that, when eBay sought to take action against someone selling eBay fraud kits, he went after the company with all he could.

“It took eBay a lot of time, effort and money to put this guy in jail,” Tyson said.

Global collateral damage

Unintended consequences and collateral damage mean extreme care and caution need to be exercised when considering retaliatory attacks, said Hord Tipton, executive director of (ISC)2.

Crawford Samuel, project leader at the International Cyber Security Protection Alliance (ICSPA), said retaliatory attacks could have a global effect and consequences.

The panel said that, instead of concentrating on attribution with a view to retaliation, organisations should learn who is most likely to attack them, what they are likely to target and how.

“Knowing the 'who, what and how' will enable organisations to develop a more focused security strategy and stronger defence posture,” said Adam Meyers, director of intelligence at security firm CrowdStrike.

“Organisations can’t defend against everything, but if you know who is likely to attack, what they are likely to target and the methods they are likely to use, it makes defence much easier.”

Borg said the paradox was that, by taking a broader view and making the effort to analyse attackers and their methods, organisations can narrow down what they need to defend.

“It allows security practitioners to be a lot more focused,” Borg said.

However, he said security teams are still likely to be distracted by all the essentially ineffective things they need to do for compliance reasons.

“Compliance has typically been the enemy of good security,” he said.

How to win

As an alternative to retaliatory strikes, Borg said organisations should look at the economics involved. “If defenders can make the cost of attacks higher than the gain, then they have won,” he said.

Samuel said another key strategy is to ensure people across the whole organisation have the security knowledge and awareness to support technical cyber defence measures.

“Long-term strategic planning should include education programmes to ensure that future generations of employees will know instinctively how to mitigate threats and get the business up and running in the event of an attack,” Samuel said.

Christopher Ling, executive vice-president at Booz Allen Hamilton, said determined attackers will probe an organisation until they get in.

“Technical measures are just one dimension of security. If people are not trained, it makes it much easier for attackers to succeed."

Traditional information security is mainly about technical measures, but now, said Samuel, it needs to span the whole organisation and include physical security, HR, security awareness training and support from the executive level to communicate the security message across the whole business.

Gaps in physical and cyber security overlap

Borg said experience with critical national infrastructure operations had shown the areas of greatest weakness are where physical and cyber overlap.

“The physical security teams are not worried about cyber and vice-versa, which results in gaps. Physical and cyber security teams need to communicate, but in some cases they never meet,” he said.

The panel said other areas that need attention include poor security practices of third party suppliers, and the fact that many organisations are not doing the basics in blocking and tackling attackers.

The reason that the basics are so often neglected is that security practitioners are overwhelmed by the huge number of threats and compliance tasks they are facing.

The panel said this underlines the importance of working smarter to enable security practitioners to focus only on the issues that really matter.

Read more on Hackers and cybercrime prevention