The essence of active defense is "breaking the vicious cycle of Whack-a-Mole," to freely paraphrase (and warp the metaphors of) Adam Myers, director of intelligence at CrowdStrike: the game in which security has to respond to one threat after another from the same enemy without being able to attack the command-and-control networks that direct the continuous stream of malware moles.
Doing that requires, first, knowing who the enemy is, a question CrowdStrike addresses by identifying the tools, techniques and procedures (TTPs) used by attackers.
Once private intelligence services have been able to identify and track the attackers, the victimized company can decide whether to handle the attack simply as a problem for law enforcement agencies, or whether to set traps, plant misinformation and run other scams designed to turn the tables on the attackers.
Myers called this the "adversary based approach."
While being able to strike back at tormenters might be emotionally satisfying, there is no business case that justifies a counterattack and "no possible positive outcome," according to John Pescatore, formerly of the NSA and Secret Service and current head of Gartner's Internet security practice, speaking to Reuters.
Rather than spending a lot of time and effort trying to find and torture hackers, it would be much cheaper and more effective for companies to just identify the data that really is worth keeping absolutely secret and take the steps necessary to make sure that happens, Pescatore said.
Keeping 100 copies of the same blueprint, only one of which is accurate, would obscure real data with fake, for example.
Never loading critical documents onto Internet-accessible machines, or encrypting them every time they hit a hard drive or travel across a network, would also be good starts.
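The decoy-blueprint idea above is easy to sketch in code. The following is an added example, not code from the article or from CrowdStrike or Gartner: the defender keeps a keyed tag (HMAC) of the one authentic document in a manifest stored away from the file share, so the ninety-nine lookalikes cannot be told apart without the key, and any read of a decoy in the file-access audit log is a high-confidence alert, since a legitimate user has no reason to open one. The file names, the share path, the log line format and the sample log entries are all constructed for the example.

```python
import hmac
import hashlib
import re
from collections import defaultdict

# Constructed placeholder key; in practice it lives in a secrets store, never beside the files.
MANIFEST_KEY = b"replace-me-with-a-real-secret"


def content_tag(content: bytes) -> str:
    """Keyed tag over the document bytes; without MANIFEST_KEY nobody can compute or verify it."""
    return hmac.new(MANIFEST_KEY, content, hashlib.sha256).hexdigest()


def build_manifest(files: dict, real_name: str) -> dict:
    """files maps name -> bytes. The manifest records only the tag of the authentic copy,
    so it reveals nothing about which name is real even if it leaks without the key.
    Decoy contents must differ from the real one, or they would verify too."""
    if real_name not in files:
        raise KeyError(real_name)
    return {"real_tag": content_tag(files[real_name]), "names": sorted(files)}


def is_authentic(content: bytes, manifest: dict) -> bool:
    """Constant-time comparison against the stored tag."""
    return hmac.compare_digest(content_tag(content), manifest["real_tag"])


def decoy_names(files: dict, manifest: dict) -> set:
    """Every file on the share that does not verify is, by construction, a decoy."""
    return {name for name, content in files.items() if not is_authentic(content, manifest)}


# Constructed audit log format: "<timestamp> user=<u> action=<read|write> path=<p>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$")


def decoy_access_report(log_lines, decoy_paths: set) -> dict:
    """Map user -> list of decoy paths that user read. Any entry merits an alert."""
    hits = defaultdict(list)
    for line in log_lines:
        match = LOG_RE.match(line.strip())
        if not match or match["action"] != "read":
            continue  # malformed lines and writes are ignored here
        if match["path"] in decoy_paths:
            hits[match["user"]].append(match["path"])
    return dict(hits)


# Constructed sample data: ten revisions on a share, only v07 is the genuine drawing.
SHARE = "/share/blueprints/"
REAL = "blueprint_v07.dwg"
SAMPLE_FILES = {f"blueprint_v{i:02d}.dwg": f"drawing revision {i} (constructed)".encode()
                for i in range(1, 11)}

SAMPLE_LOG = [
    "2024-05-01T09:00:00Z user=alice action=read path=/share/blueprints/blueprint_v07.dwg",
    "2024-05-01T09:05:00Z user=alice action=write path=/share/blueprints/blueprint_v07.dwg",
    "2024-05-01T23:10:00Z user=svc_backup action=read path=/share/blueprints/blueprint_v01.dwg",
    "2024-05-01T23:10:01Z user=svc_backup action=read path=/share/blueprints/blueprint_v02.dwg",
    "2024-05-01T23:10:02Z user=svc_backup action=read path=/share/blueprints/blueprint_v07.dwg",
    "this line is malformed and must be skipped",
]


def demo() -> dict:
    """Build the manifest, derive the decoy set, and report who touched a decoy."""
    manifest = build_manifest(SAMPLE_FILES, REAL)
    decoys = {SHARE + name for name in decoy_names(SAMPLE_FILES, manifest)}
    return decoy_access_report(SAMPLE_LOG, decoys)


if __name__ == "__main__":
    for user, paths in demo().items():
        print(f"ALERT: {user} read decoy documents: {paths}")
```

Alice, who only opens the genuine revision, produces no alert; the account sweeping through every copy in sequence does. The point of the keyed tag rather than a plain list of decoy names is that the list itself would be the crown jewel; the manifest can sit on the share and still tell an intruder nothing.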
Considering how poor much of the firewall-based security at most companies is – passwords too complicated to be guessed by the average 5-year-old are still pretty rare in Corporate America – it might be a good idea to upgrade corporate data security to "adequate" as a first step toward an effective defense.
If it were your house rather than your company, you'd think anyone suggesting you launch a "Burn Notice" counter-intelligence operation against intruders was crazy if all you really had to do was make sure the doors were actually locked at the end of the day and no one left the cat flap open.