IT security vendors have such a warped sense of priority that if they attempted to solve a gun crime, they would focus more on finding the bullet than catching the guy who pulled the trigger, according to CrowdStrike co-founder Dmitri Alperovitch.
Alperovitch, a former McAfee Threat Research vice president, drew on his involvement leading global investigations that uncovered the Operation Aurora, Night Dragon and Shady RAT cyber espionage intrusions in a talk at the AusCERT2013 conference this week.
Security has advanced by light years over the past 30 years, developing robust products that detect and block simple attacks, but the outlook for securing systems remains grim, he said.
Patching malware exploits after the fact is "the digital bullets in the gun", to further the analogy, he said.
"If someone in the real world was shooting at you, would you stop to check what gun they use, or check if the bullets were .22 or .45?"
They should focus their efforts on finding the perpetrator, he said.
The passive system of identifying vulnerabilities after they've been exploited may have worked against opportunistic hackers in the past, but it can't protect against more determined actors -- ones who won't stop until they've found their target.
These hackers aren't your regular cybercrime gang or hacktivist, he said. They are more likely to be fully resourced nation states who - whether by themselves or by sponsoring a third-party - are determined to steal corporate and national secrets.
"They're going after R&D worth billions of dollars. If they can spend a few months and even a few hundred million dollars developing the right techniques and tools, it's no big deal compared to the windfall you'll receive."
He proposes four security measures to combat the threat of nation-state sponsored attacks.
1. Trade craft-focused protection.
2. Attribution of offenders so criminal charges can be filed.
3. Flexible response options such as deception and misinformation.
4. Intelligence dissemination for the purpose of taking collective action.
With corporate IP a prime target of hackers, Alperovitch says the private sector also has a role to play in espionage.
It was this shifting landscape that prompted Alperovitch to establish security vendor CrowdStrike 18 months ago.
"I realised very early as a cryptography analyst that it didn't matter if the algorithms and protocols were secure, when the bad guy could social engineer the passwords and keys out of a company. They don't even touch the algorithm.
"This is not an issue you can solve. You're not going to invent the perfect system - a computer or network that is impenetrable. Users will be the weak link in your chain.
"Fundamentally there's nothing you can ever do to stop them. I realised that instead of trying to create this perfect system, the focus needs to be on the bad guy."