With worries about data breaches and privacy violations mounting by the day, corporations are becoming more aggressive about preventing physical and financial losses, experts say. In some cases, they add, that can involve counterattacks against hackers.
Indeed, the trend amounts to a “paradigm shift” in cyber risk management, says Larry Ponemon, chairman and founder of the Ponemon Institute, a research and consulting firm focusing on privacy and data protection.
“There are organizations that are beginning to develop the capability of identifying the bad guy using intelligence. It’s sort of like a mini-CIA at the organizational level in order [organized] to understand where the attack is originating from,” says Ponemon, a prominent information-technology researcher with a Ph.D. who served in a U.S. Navy code-breaking group during the Vietnam War.
With that intelligence in hand, such companies “can basically bring the fight to the bad guy” by aiming malware or by launching a denial-of-service attack at the servers of the potential perpetrators, he said. If an attack comes from outside the United States, companies here can also work with telecommunications companies to deflect the attack, he added.
For the most part, the changeover to a more aggressive risk management posture is a very recent development at large companies, according to the researcher. “I’ve actually sat in meetings with organizations that are doing these kinds of tactics,” said Ponemon, who would not reveal the names of the companies.
“We know of organizations that are doing it and…other organizations that aren’t actually doing it, but … collaborating with government—the Secret Service, the FBI, even state law enforcement—to help them model an attack,” he added, stressing that “it’s relatively new stuff.”
Bob Parisi, the network security and privacy practice leader at Marsh, the insurance broker, also said he’s seen companies take a preemptive approach to potential cyber-attacks. However, he says, such “vigilantism has its drawbacks.”
One problem is that potential hackers can be an extremely elusive target. “The trouble is that these attackers sometimes seem a bit like smoke,” he said, noting that most attacks don’t issue from the attacker’s own computer system.
Thus, for example, a major retailer that fears an attack and acts preemptively might find that it has hit a dry-cleaning company in another part of the country, according to Parisi. “You do have the potential for serious liability,” he said.
Ponemon also sees potential problems when a U.S.-based company preemptively strikes a potential cyber-criminal in another part of the world. “Even if you know with perfect certainty that you’re going to get attacked by a bad guy, do you have the legal right to attack first?” he asks.
“If it’s government, you can use the rules of warfare, and the answer might be ‘yes, you can do it.’ But when it’s corporation-against-bad-guy, or corporation-against-nation-sponsored attack, it’s a little bit complex,” he said.
Nevertheless, “some organizations are actually doing it,” Ponemon added. “They’re biting the bullet and taking the risk even though a lot of legal jurisdictional [issues] haven’t been resolved.”
Pulling up the Drawbridge
In any event, the new aggressiveness seems to represent a major change in the corporate mindset about preventing hacker-generated losses. Parisi says that up until now, companies have been engaged in an essentially defensive “medieval thought process” in which the corporation lowers its drawbridge only for friendly visitors — protecting its assets by means of firewalls and passwords.
But that mindset is changing quickly because attackers are becoming too nimble for rigid and passive defenses, according to Ponemon. Attackers may, for example, evade a firewall against malware by programming the malware to morph into a Trojan horse, he noted.
“It can change on the drop of a dime because it’s programmed to do so,” he added.
Using a war analogy, he said that a company that uses only firewalls and controls procedures aimed at minimizing the damage after it occurs is like “a big, old tanker; you’re not a battleship or a cruiser or anything cool like that, and you don’t have any weapons.”
That’s not to say that firewalls and other forms of intrusion detection and prevention aren’t still a fundamental part of data security. What’s most needed now, according to both Ponemon and Parisi, is a flexible form of defense.
Such a defense is one “that has agility, that is resilient, that can morph a little bit in the event that the attacks change,” said Ponemon.