In terms of active defense, there are also deception techniques that could come into play, akin to distributing disinformation in order to fool an attacker. He said this could go well beyond honeypots, which he said aren't usually effective because they are hard to make realistic. Though he declined to divulge some details, he said the best types of counterattack deceptions are those in which the disinformation is very targeted toward a specific attacker and its spread is deliberately limited. Here, too, the issues of public relations and legal fallout exist, because active defense tactics that go awry could have negative consequences for companies and governments.
In the end, the idea of "naming and shaming" cyberattackers has real value, though there always seems to be another attacker out there to fill the spot.
Sean Bodmer, threat intelligence analyst at security firm Damballa, who has provided technical assistance to the FBI in operations against Russian organized-crime groups running botnets for financial gain, acknowledged some frustration with the effort. Speaking at the Hacker Halted conference this week, he said the gravity of what he sees coming from Russian cybercrime and Chinese-related espionage is immense. Law enforcement is "too slow," he said, and tends to have the mindset that "they're looking for the next big case." He added that he's now more optimistic about tactics that involve taking actionable information about criminal activity directly to companies such as hosting providers and data centers, which will then cut off criminal proxies, for example.
The idea that direct action should be taken against attackers, even in the course of identifying their unwanted presence in a corporate network, is gaining ground, however uncertainly. Jonathan Cran, chief technology officer at security firm Pwnie Express, advocated "fighting fire with fire" during his presentation at Hacker Halted. State-sponsored attackers are a fact of life, and they will use phishing, remote-access Trojans, and other stealthy means to exfiltrate stolen data, he noted. These so-called "advanced persistent threats" in the corporate network suggest there should be more focus on APT "counter attack," developing "offensive capabilities" that shorten the time from detection to constraint. He said the typical penetration test needs to evolve into a process that provides ways to hook the bad guy.
How far the security industry will go in engaging -- within the confines of the law -- in active defense tactics is unclear, but sources planning the RSA Conference 2013 say they expect this to become a central theme in session tracks at the conference early next year.