Can Defensive Hacking be Sexy?

Iftach Ian Amit, speaking at the Black Hat Conference, wants us to think defensive hacking is sexy. He didn’t say smart. But that’s what he means. The hacker community needs to be convinced that smart is the same as sexy if there’s ever going to be headway in changing the response to hackers.

The idea is that current anti-virus and anti-hacking schemes are generally behind the eight ball. A bug is detected, then the software providers issue a fix, and the hacker moves on to the next vulnerability until someone identifies that bug.

Rinse. Repeat. Rinse. Repeat...

The cycle never ends. John Flynn, intrusion detection security manager at Facebook, also offered some ideas on how to change the community and the system.

Intrusion detection systems need to be more aware of how hackers work. In particular, hackers looking for specific information on a company’s database or files leave indicators that they are there. Creating code to look for the behavior, and closely monitoring multiple types of information, will give an early warning that someone has breached the system. For example, network traffic reports combined with attempts to download or update files could raise flags if the pattern isn’t typical of a company user.
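The correlation described above, written out as an added example (not code from the talk or from either speaker): it baselines each user against their own history and alerts only when outbound traffic and file download/update attempts are both atypical on the same day. The record layouts, the 3.5 threshold and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records (assumed layout, not data from the talk).
NETFLOW = [  # (user, day, bytes sent outbound)
    ("alice", 1, 40e6), ("alice", 2, 55e6), ("alice", 3, 48e6), ("alice", 4, 60e6), ("alice", 5, 900e6),
    ("bob", 1, 20e6), ("bob", 2, 22e6), ("bob", 3, 19e6), ("bob", 4, 25e6), ("bob", 5, 700e6),
    ("carol", 1, 30e6), ("carol", 2, 28e6), ("carol", 3, 33e6), ("carol", 4, 31e6), ("carol", 5, 32e6),
]
FILE_EVENTS = [  # (user, day, download/update attempts)
    ("alice", 1, 12), ("alice", 2, 15), ("alice", 3, 10), ("alice", 4, 14), ("alice", 5, 240),
    ("bob", 1, 5), ("bob", 2, 6), ("bob", 3, 4), ("bob", 4, 5), ("bob", 5, 6),
    ("carol", 1, 8), ("carol", 2, 9), ("carol", 3, 7), ("carol", 4, 8), ("carol", 5, 300),
]

def per_user_series(records):
    """Sum raw records into {user: {day: total}}."""
    series = defaultdict(dict)
    for user, day, value in records:
        series[user][day] = series[user].get(day, 0) + value
    return series

def robust_score(history, value):
    """Distance of `value` above the user's own median, in scaled MAD units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Floors keep a flat baseline (MAD of 0) from dividing by zero.
    scale = max(1.4826 * mad, 0.1 * med, 1.0)
    return (value - med) / scale

def flag_day(netflow, file_events, day, threshold=3.5, min_history=3):
    """Return {user: (net_score, file_score)} where BOTH signals are atypical."""
    net, files = per_user_series(netflow), per_user_series(file_events)
    alerts = {}
    for user in net.keys() & files.keys():
        net_hist = [v for d, v in net[user].items() if d < day]
        file_hist = [v for d, v in files[user].items() if d < day]
        if min(len(net_hist), len(file_hist)) < min_history:
            continue  # too little history to call anything atypical
        n = robust_score(net_hist, net[user].get(day, 0))
        f = robust_score(file_hist, files[user].get(day, 0))
        if n >= threshold and f >= threshold:
            alerts[user] = (round(n, 1), round(f, 1))
    return alerts

if __name__ == "__main__":
    print(flag_day(NETFLOW, FILE_EVENTS, day=5))
```

In the constructed data, bob's traffic spikes alone and carol's file activity spikes alone, so neither alerts; only alice, who deviates on both sources at once, is flagged.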

Creating such a system would require custom code and advanced algorithms. Those skills usually aren’t present in most companies’ information security departments. They’re too busy checking policies, training, and monitoring systems with off-the-shelf security products.

Both Amit and Flynn tried to make the case that companies ought to invest in these skills if they are going to develop a reliable strategy to fight hackers. But they also wanted to encourage the community towards putting less emphasis on the demonstration of hacking skill, and more on demonstrating the ability to detect hackers.

Did their arguments gain them any support from the community? Time will tell. A thought for next year’s presenters, though: Don’t try to convince anyone that being defensive is sexy. Instead, make the comparison to sports and competition. The security team that blocks intrusions before they happen wins the battle. If you make the defensive approach just as much of a win as a successful hack, that might turn some of today’s hackers into defenders.