I popped in for a couple of stretches at Mandiant’s MIRcon incident response conference today and yesterday and was struck by a panel discussion on Tuesday about defenders going on offense. The gist was half a) it’s of dubious legality and wisdom and half b) you’ve got to be an expert to do it properly. Now, politics and economics being what they are, a) will ultimately be irrelevant without a prohibition, and b) will govern the dynamics.
I recalled Mandiant’s model: they have a bunch of people constantly working on highly technical stuff in a field that changes rapidly—this level of expertise requires economies of scale. The same is true for black hat hackers: economy of scale drives the less skilled to leverage off-the-shelf capabilities, and it drives the more highly skilled to collaborate on the most demanding projects.
Because defense costs more than offense, “offensors” could benefit from the same economies of scale. I can imagine a future in which people not only pay for but subscribe to offense as a service, where a group of (nominally) white hatters have their own organizations that do nothing but attack designated black hatters, thereby raising the costs of doing malicious business. The economics might work for the white hatters in much the same way it does for insurance companies, and the product would not be entirely dissimilar. If this sort of activity were tolerated by authorities it might often be preferred by many hackers over black hatting, even if the latter gave bigger paychecks. This could further affect the economics in a good way.
If it makes sense for corporations to go on network counteroffensives themselves, it will make more sense for them to outsource that role if they possibly can. And they might end up being able to.
I learned (privately) at MIRCon that these outsourced providers already exist.
This is actually something I have been developing strategy-wise for a while. I specialize in highly disruptive cyberwar strategy that can be leveraged against aggressors, nation states and advanced cybercrime cabals. For example: how much would it be worth to a Fortune 100 company to get a name, number, picture, and address where you could literally reach out and TOUCH an operator who is directly responsible for stealing your company's highly prized intellectual capital? I have proposed an Attribution Market as one means of bringing those who thrive in darkness into the light. It would serve as a highly disruptive catalyst to enemy operations and nation state sensitivities (governments do not like bad attention; crime bosses don't like getting too HOT, especially when you put a name to a face). Don't believe for a second we don't know who is behind the drain in US innovation these past 10 years. If Hillary can't make a determined adversary change their ways, maybe a more direct approach is needed. Obviously Bush/Obama have not made an impact. Has your APT pressure abated? I think not. Never forget they are not nameless/faceless theories/whispers in the dark. They are real flesh-and-blood humans who are tasked by official organizations to conduct highly hostile operations and own your networks, pillage the best you have, and leave your organization open for destruction or redirection in an attack or as a proxy for future efforts. If you want more on my theories, check my blog out.
http://diocyde.wordpress.com
-“How much would you pay to look into your adversaries’ eyes and touch a pressure point?”
Something to think about.
It’s gone a level further if definitions can be bent a bit. The RIAA hires AiPlex to DDoS torrent sites; Anonymous then DDoSes the RIAA and AiPlex.