<?xml version="1.0" encoding="UTF-8" ?>
<rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
        <channel>
        <title>Corey Nachreiner - ReadWrite</title>
        <link>http://readwrite.com</link>
        <description />
        <language>en</language>
        <copyright>Copyright 2012 SAY Media, Inc.</copyright>
        <managingEditor>readwriteweb@gmail.com</managingEditor>
        <docs>http://blogs.law.harvard.edu/tech/rss</docs> 
        <lastBuildDate>Tue, 09 Apr 2013 04:04:00 -0700</lastBuildDate>
        <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://rww.superfeedr.com/" />

                    <item>
                <title><![CDATA[Hitting Back At Hackers: Why "Strikeback" Is Doomed To Fail]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/shutterstock_120239824marines.jpg" />
                                        <p class="p1"><em>Guest author Corey Nachreiner, CISSP, is director of security strategy for WatchGuard Technologies.</em></p>
<p class="p1">Between agenda-pushing hacktivists, money-grubbing cyber criminals, and — more recently — belligerent nation states, there is no shortage of attackers breaking into networks, stealing trade secrets and generally wreaking havoc throughout IT infrastructure.</p>
<p class="p1">Even the U.S. government has noticed, with the latest National Intelligence Estimate (NIE) warning that the country is the target of a <a href="http://readwrite.com/2013/02/14/obama-orders-cybersecurity-bill-cispa-returns">major cyber espionage campaign from China</a>. In fact, network penetrations have become so commonplace that <a href="http://readwrite.com/2013/02/14/obama-orders-cybersecurity-bill-cispa-returns">President Obama recently signed a cyber-security executive order</a> in hopes of fortifying our defenses, and encouraging the government and critical private sector organizations to share intelligence.</p>
<p class="p2"><strong>(See also </strong><a href="http://readwrite.com/2013/02/05/world-war-iii-is-already-here-and-were-losing"><strong>World War III Is Already Here - And We're Losing.</strong></a><strong>)</strong></p>
<p class="p1">Considering this deluge of aggressive and costly security breaches, it’s no wonder that some people are getting frustrated enough to contemplate striking back directly against our attackers. While giving cyber criminals a taste of their own medicine certainly sounds appealing, most forms of so-called "Strikeback" have no place in private business.</p>
<h2 class="p3">What Is Strikeback?</h2>
<p class="p1">The idea of launching counterattacks against cyber criminals is not new. Security geeks at information security conferences have been discussing counter-hacking and proactive defense for years.</p>
<p class="p1">After all, many in the cyber security community are just as capable of breaching systems as the enemy (if not more so). In fact, the “black hats” often leverage tools and code created by “white hat” security professionals. Lately, though, this idea of striking back against attackers has shifted from lighthearted fantasy to potentially disturbing reality, so much so that security companies have even begun offering strikeback solutions.</p>
<p class="p1">There are different ways companies have started approaching strikeback initiatives. They have loosely evolved into three general categories:</p>
<p class="p1"><strong>Legal Strikeback:</strong> This is the least offensive form of strikeback. It’s where organizations, in cooperation with the authorities, gather as much intelligence as possible about attackers — typically by following the money trail — and then use any legal maneuvering possible to try and prosecute attackers.</p>
<p class="p1"><strong>Passive Strikeback:</strong> This is essentially cyber entrapment. An organization installs a sacrificial system, baited with booby trapped files or Trojan-laced information an attacker might desire.</p>
<p class="p1"><strong>Active Strikeback:</strong> In this approach, an organization identifies an IP address from which the attack appears to be coming, and launches a direct counterattack.</p>
<h2 class="p3">What’s Wrong With Strikeback?</h2>
<p class="p1">Unfortunately, direct strikeback measures have huge inherent risks:</p>
<p class="p1"><strong>Targeting:</strong> The biggest problem with strikeback is that the Internet provides anonymity, making it very hard to know who’s really behind an attack. It's all too likely that strikebacks could impact innocent victims. For example, attackers have started to purposely plant false flags into their code, suggesting it came from another organization in order to sabotage <em>that</em> company.</p>
<p class="p1"><strong>Geography:</strong> Another key issue is that Internet crimes tend to pass through many geographies and legal jurisdictions. Domestic strikebacks invite potential legal problems, but cross-border actions have even wider ramifications.</p>
<p class="p1"><strong>Legal:</strong> Additionally, most strikeback activity is illegal. It is against the law for the average person to track down and punish a burglar who ransacked a house, and the same principles hold true for cybercrimes. If an organization uses a booby trapped document to install a Trojan on the attacker’s network, it is technically breaking the same type of computer fraud and abuse laws that the <em>attacker</em> broke to steal information in the first place.</p>
<p class="p1"><strong>Revenge:</strong> When it comes down to it, strikeback is simply revenge. If a network has already been breached, striking back against the attacker typically doesn’t recover stolen data or repair damage that has already been done. It's almost always better to pursue legal investigations and prosecutions through the proper channels.</p>
<p class="p1">Strikeback simply doesn’t belong in private business. It offers no real advantages to most organizations, and it carries serious risks that far outweigh the short-lived satisfaction of revenge. Instead, companies should focus their security strategies on well-implemented, carefully monitored, multi-layer defenses designed to keep cyber criminals from breaching their networks in the first place.</p>
<p class="p1"><em>Image courtesy of <a href="http://readwrite.com/2013/04/05/striking-back-at-hackers-why-its-doomed-to-fail?_view=all" target="_blank">Shutterstock</a>.</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/04/09/hitting-back-at-hackers-why-strikeback-is-doomed-to-fail</link>
                <guid>http://readwrite.com/2013/04/09/hitting-back-at-hackers-why-strikeback-is-doomed-to-fail</guid>
                <category>cybersecurity</category>
                <pubDate>Tue, 09 Apr 2013 04:04:00 -0700</pubDate>
                <author>Corey Nachreiner</author>
            </item>
                    <item>
                <title><![CDATA[Your Firm Is Small, But Still An Attractive Target]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/shutterstock_57428869.jpg" />
                                        <p><em>Guest author Corey Nachreiner, CISSP, is director of security at WatchGuard, which sells network- and content-security products.</em></p>
<p>The class of targeted attacks known as APTs (advanced persistent threats) is no longer reserved for Fortune 500 companies. As predicted by leading network security experts, APTs have started to infiltrate small- and medium-sized businesses (SMBs) at an alarming rate. And they are proving to be just as devastating, regardless of the size of the organization or the motive for the attack.</p>
<p>Historically, APT attacks have been created by sophisticated hackers using advanced attack techniques and blended-threat malware. But now, we’re starting to see smarter everyday malware criminals speed up the evolution of APTs and make small and mid-sized organizations even bigger targets. As Wired reported, Jeremy Grant, senior executive advisor for the U.S. Department of Commerce’s National Strategy for Trusted Identities in Cyberspace program, says hackers are going after small businesses because they typically have more money and information than individuals and are less protected than large corporations.</p>
<p>An October 2012 survey released by the National Cyber Security Alliance states that U.S. small- and medium-sized business owners and operators clearly have a false sense of cyber security. Seventy-seven percent of the 1,015 survey respondents say their company is safe from threats such as hackers, viruses, malware and breaches, yet 83% have no formal cybersecurity plan. These findings suggest smaller firms are highly vulnerable to this growing threat and can no longer afford to neglect Internet- and network-security policies and practices if they want to avoid being the next victim of these sophisticated attacks.</p>
<p>What is APT? Let me spell it out.</p>
<h2>Advanced</h2>
<p>APTs use the most advanced malware and attack techniques. They often leverage techniques such as encrypted communication channels, kernel-level rootkits and sophisticated evasion capabilities to get past a network’s defenses. More importantly, they often leverage zero-day vulnerabilities – flaws which software vendors haven’t yet discovered or fixed – to gain access to the systems. In short, APTs are “Q-level,” James Bond-esque malware.</p>
<h2>Persistent</h2>
<p>This malware is designed to stick around. It carefully hides its communications, using techniques like steganography. It “lives” in a victim’s network for as long as possible, often cleaning up after itself (deleting logs, using strong encryption and only reporting back to its controller in small, obfuscated bursts of communication).</p>
<h2>Extremely Blended Danger</h2>
<p>APTs are extremely blended threats, much like botnets, and very targeted. The attackers are highly skilled, motivated and financially backed groups with very specific targets and goals. In addition to Fortune 500 companies, the attackers (often sponsored by nation-states) have typically also targeted government-related infrastructure or the industrial sector.</p>
<p>No network security provider can block every APT attack, no matter what they claim. According to Gartner, an estimated $60 billion is invested by corporations and governments in network security, yet hackers still sneak past them. By definition, APTs often employ new techniques for which counter-measures and defenses may not exist. And while these advanced attacks are occurring, a smaller business with no security plan remains vulnerable to even the most basic kinds of attack.</p>
<p>There are defensive strategies that can provide high-value protection and significantly mitigate the chance of an advanced and persistent infection for a relatively small investment. IT administrators should strongly consider using more than one of the many reporting and monitoring functions available throughout the industry that provide smart and strategic defense against these blended threats.</p>
<p>If you already have a security infrastructure set up, many of these tools are likely already at your disposal. Ask your network-security provider about the following best practices, which will undoubtedly equip your firm with the tools to mitigate risk, monitor activity and detect and/or stop the next APT.</p>
<h2>Build Multiple Layers Of Security Control</h2>
<p>A multi-layered approach to network security is the best protection. When combined, firewalls, intrusion-prevention services, proactive anti-virus apps, anti-spam and anti-phishing protection and cloud-based reputation defenses will minimize your chances of being hit with an APT attack.</p>
<h2>Signature-less Malware Protection</h2>
<p>Similar to zero-day attacks, APTs often use malware that anti-virus protection has not yet encountered, so no signature exists for it. The only way to catch this kind of APT is to use active, non-signature techniques.</p>
<p>Select a network-service provider that partners with best-in-class anti-malware and anti-virus-service providers that can detect malware without signatures. This type of service provider often specializes in code emulation, behavior analysis, and “sandboxing” to determine what a file does and if it may be malware. These techniques can often catch malicious files without actually having reactive signatures for them.</p>
<h2>An Evolving Defense Framework</h2>
<p>APTs are just further proof that hackers and attacks on the Internet are constantly evolving, so naturally, the only way to really protect against evolving threats is to have a defensive platform that can change along with them.</p>
<p>Security hardware platforms with adaptable and flexible defense frameworks make it possible for network-security providers to quickly incorporate new defense capabilities, such as cloud reputation and the use of heuristics to detect malware, as new technologies are released.</p>
<h2>Better Manageability Through Visibility</h2>
<p>Often, security practitioners focus on prevention and forget about discovery and response. Tools that help quickly identify anomalies or problems in a network often find malware through unique monitors, network traffic reports and administrator reports of which external sites were approved or denied.</p>
<p>Additional reporting tools and appliances available through network-security providers increase visibility and help ensure the system is providing optimal internal network protection.</p>
<h2>Enforce Standards</h2>
<p>Hold to RFC (Request for Comments) standards for services such as Web traffic (HTTP), e-mail traffic (SMTP), domain-name traffic (DNS) and file transfers (FTP). Enforcing these standards will spotlight when crucial rules are broken.</p>
<p>For example, the SMTP RFC states that the maximum line length for an email is 1,000 bytes; enforcing that limit protects a network from attacks (like buffer overflows) that try to use overly long email lines. That’s just one example; this kind of signature-less protection can even block zero-day attacks that break protocol standards.</p>
<p>Because APTs are continually evolving and getting more elusive by the day, no network-security strategy will anticipate or block every attack. Always assume that a network is already breached and then build a security vault using the tools and best practices discussed here. Using strong prevention and visibility tools will help recognize threats and ensure that IT administrators are taking all necessary action to help mitigate them.</p>
<p><em>Image courtesy of <a href="http://www.shutterstock.com">Shutterstock</a>.</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/01/02/small-firms-are-immune-to-advanced-persistent-threats-youre-delusional</link>
                <guid>http://readwrite.com/2013/01/02/small-firms-are-immune-to-advanced-persistent-threats-youre-delusional</guid>
                <category>Security</category>
                <pubDate>Wed, 02 Jan 2013 07:40:00 -0800</pubDate>
                <author>Corey Nachreiner</author>
            </item>
            </channel>
</rss>

