In the face of increasing threats and a lack of protection from law enforcement, businesses may have to think about adopting 'active self-defence' strategies used by military and intelligence agencies.
Experts speaking at RSA Conference Europe warned businesses that criminals were getting past standard security defences and that law enforcement, lacking skill and numbers, might not offer the required protection.
Instead, businesses were advised to think about adopting legal and technological solutions to find ways of actively fighting back against hackers. This could involve, for example, hacking and inserting code on a criminal botnet to find out the source of the attack.
Davi Ottenheimer, president of security assessment company flyingpenguin, said: “We have more connectivity. Ten years ago I wouldn't have advocated active defence - the danger of hitting the wrong person is too high.
“Today we're so hyper connected. The very reason people can attack us due to having all of our data is the same reason we can attack them. Finding the attacker becomes easier and easier. I think that's a subtle point people overlook. Because we are so vulnerable, so are they.”
David Willson, attorney at law at the Titan Info Security Group, warned that before businesses could think about active defence, they needed to have their own basic security in order. They also needed to consult their legal teams, so that active defence wouldn't become an illegal attack.
“You have to think about the right to defend yourself, and you have to think about the circumstances and situations it would be justified. If somebody came up and punched me and I chased him, that's retribution. If he was beating on me, I would have the right to defend myself,” he said.
Ottenheimer used the example of Microsoft, which is fighting back against criminals by taking action to take down botnets and expanding its technical and legal toolkit.