Google launches threat disruption unit, stops short of calling it ‘offensive’
Company officials notably deemed the unit a defensive operation, however, because it focuses on cutting off the paths hackers rely on to breach systems, rather than on using technical capabilities to hack into other governments’ or foreign firms’ computer networks.
The unit was made public in a keynote address delivered at RSAC Conference by Sandra Joyce, the vice president of Google’s Threat Intelligence Group. “We’re now in a position where we can and we must actively shape the outcome of adversary behaviors,” she said on stage.
Google, like other major tech firms with cybersecurity services, can impede cyber adversaries by leveraging visibility into and control over widely used platforms and infrastructure that attackers routinely depend on to stage, deliver or manage their hacking operations. In recent months, Google has highlighted a series of intricate takedown efforts, and the announcement, executives say, is meant to encourage other firms in the cybersecurity and tech community to adopt a culture of proactive disruption.
“The private sector operates the very infrastructure that adversaries abuse,” Joyce said. “This gives us a unique vantage point of the technical capabilities that government agencies sometimes don’t have, and disrupting threat actors must become the status quo in our industry.”
The announcement dovetails with the release of the Trump administration’s national cyber strategy, which has focused, in part, on crafting a more offensive culture among U.S. cyber warriors and their private sector counterparts.
But Sean Cairncross, the White House cyber czar, made it clear earlier this month that he doesn’t want private sector firms hacking on behalf of the government. Joyce, in a similar fashion, said the unit is not a “hacking back” initiative, but makes “legal and ethical use of intelligence to protect our own platforms.”
Those legal actions include the practice of getting court orders to take down certain web infrastructure being used by hackers. Other aspects of the unit’s modus operandi include publicly exposing hacking groups, taking down their infrastructure and driving product improvements to prevent hackers from attempting further intrusions.
“I think people have had it,” John Hultquist, the company’s chief threat analyst, told reporters of the choice to launch the unit now after years of related efforts involving law enforcement takedowns of hacker infrastructure. “What we’re talking about is — can we deny the adversary the resources it needs to get between the water and the castle?”
“It’s not just about disabling things within the Google ecosystem,” added Charles Carmakal, the chief technology officer at Google subsidiary Mandiant. “We’re doing this in a way where we want to get more and more collaboration with other partners, so that the disruption is much broader and more impactful to the adversary.”