As attackers are seemingly always a few steps ahead of corporate lines of defence, a more active and outward-focused approach to security incident response has emerged over the past several years. Some call it hunting, the kill-chain or active defence, or will use other terminology to make a clear point: we will no longer sit back and wait passively for attacks to respond to. The often militaristic terms used to describe these new lines of defence are a good indication of the proactive and perhaps more aggressive nature of what may better be classed as counter-attack. It is an approach whereby you seek out the attackers before they strike you. Recently JP Morgan announced that it had set up a new cyber defence unit, largely staffed with ex-military cyber warriors. A new security operation centre was subsequently established conveniently close to NSA’s headquarters in order to attract the much needed talent. Is this a trend, much in the same way as air force pilots who make their way into commercial aviation following their military careers? Perhaps it is too early to tell, but there is clear evidence that more organisations are standing up a much more pro-active response to cyber-attacks than we have seen over the past decade or so.
But when does pro-active response turn into hacking back? And what about the legal boundaries of what is permitted and what is not, not to mention the many jurisdictions a typical cyber-attack usually spans? My guess is that the courts will have to produce much new jurisprudence on this complicated matter, with legislators trailing behind. This will create somewhat of a paradoxical situation over time, as the very same nation states that will need to pass these new cyber laws will be reluctant to curb their own cyber-war capabilities at the same time.
Most companies, however, are far removed from establishing hunt teams, and have yet to start establishing a more organised response to cyber-attacks in an adequate security operation centre. Before doing so, an interesting exercise is a reality check on how many of the implemented security controls are preventative in nature versus more detection-oriented. As we know that the prevention paradigm is behind us, it is striking to see how much of enterprise security is still based on prevention. In most cases it is at least seventy percent prevention-oriented, I wager. With that I am not suggesting that we should do away with preventative security controls altogether; many of them have a place in the mix. However, if you want to move towards an informed and more proactive cyber-defence organisation, you will need to provide your hunt teams with the intelligence gathered from internal and external sources in order for them to be effective. For most this will require a security transformation: a move away from the fortress approach and towards the detection and proactive response paradigm.