Companies unlikely to pursue 'active defense' strategy

There're pros to actively defending corporate networks from cyberattacks by creating "honeypots" and other distractions, but most companies unlikely to have budgets or right manpower to do so, observers note.

Companies looking to pursue an "active defense" to protect their corporate networks and information would benefit more than just passively shoring up their security environment following a breach. Not every company will have the right people or financial resources to do so though, security observers note.

Reuters in June reported that hacked companies are no longer being passive after an attack, but are pursuing cybercriminals by engaging in "active defense" or "strike back" tactics. These responses would range from modest steps to distract and delay a hacker to more controversial measures such as hacking the hackers' systems.

"Not only do we put out the fire, but we also look for the arsonist," said Shawn Henry, the former head of cybercrime investigations at the Federal Bureau of Investigations (FBI) who joined cybersecurity company CrowdStrike, in the report.

CrowdStrike's founder, George Kurtz, told ZDNet Asia that taking a more aggressive stance with cyberdefense may better help companies fend off adversaries.

Elaborating, Kurtz said security challenges have worsened over the past few years as seen by the sophisticated malware such as Stuxnet and Duqu, which targets key infrastructure installations, being released recently.

At the same time, the security industry has not kept pace with cybercriminals, leading to a "unique intersection" of nation states with advanced cyber capabilities and the declining ability of corporations and public sector agencies not being able to defend themselves against online threats, he said.

This is why companies proactively making it difficult for cybercriminals to steal information or breach their corporate networks may just "break the kill chain of exploitation, the founder stated. After all, thieves will more likely enter a house without a bulldog compared a house with one, as they know they will be hunted down and deal with difficult situations breaking in and out, he added.

"The same concept applies in [the] cyberworld. Make it hard, expensive, and break the adversaries kill chain enough to slow them down and make them expend more time and money when trying to do damage to a company or government," Kurtz said.

"You may not stop them entirely, but you can limit damage and prove much more difficult to deal with versus being the empty house they can virtually walk in to and clean out with impunity."

Right resources a limitation
Anthony Lim, regional director of SecureAge, however, believes active defense strategies are not only a drain on companies' resources such as time and money, they will also find it difficult to recruit the right people who possesses the required skills.

He said in order to create convincing and authentic-looking "honeypots", which were described as "traps to counteract hacking attempts", hacking resources will need to be sophisticated. The people running these traps will also need to have the imagination, financial resources, and ability to deal with advanced persistent threats (APTs) and other malware, the executive said.

Most companies have IT security resources and skills ranked low on their budget lists too, Lim noted.

"The general attitude is usually 'the simpler the better' or just meet compliance. That's why security appliance vendors have a field days. It's like a silver bullet--customers just buy, install, and done! Security is often seen as a pain and expense, and not a necessity," he said.

So unless there is a real reason to finance and run such active defense operations, companies will not authorize such initiatives, the SecureAge executive said.