Photo caption: George Kurtz is CEO of CrowdStrike, which stakes out networks to catch infiltrators,… (Katie Falkenberg, For The…)
WASHINGTON — As head of the FBI's cyber crimes division, Shawn Henry often had to deal with exasperated company executives after his agents informed them that their networks had been hacked and their secrets pilfered.
"By whom?" the company officials would ask. "What have they taken? Where did it go?"
"Sorry," Henry's agents had to reply, "that's classified."
Even though the FBI in many cases had evidence the attacker had been backed by a foreign intelligence agency, agents couldn't disclose it because the U.S. government believed doing so could compromise top-secret sources and methods.
Henry, 50, decided this year that this dichotomy shouldn't leave companies at such a disadvantage. So after 24 years of service, he left the FBI to become president of CrowdStrike, an Internet security start-up in Irvine.
His new mission: to make life difficult for hackers trying to attack American institutions.
CrowdStrike is at the forefront of a new business model for cyber security, one that identifies sophisticated foreign attackers trying to steal U.S. intellectual property and uses the attackers' own techniques and vulnerabilities to thwart them.
The firm is marketing itself as a private cyber intelligence agency, staking out networks to catch infiltrators, assembling dossiers on hackers and fooling intruders into stealing bogus data.
In the process, the firm has waded into a debate about how far companies should go in defending themselves from cyber attack.
"The traditional way of trying to defend your network is just not going to cut it. You have to do something different," said Irving Lachow, who directs the Program on Technology and National Security at the Center for a New American Security.
"One way is to engage the adversary. CrowdStrike represents a new breed of company that is focused on doing exactly that," he said.
When somebody is shooting at you, "you don't ask, 'Is that a 9-millimeter or a .45,'" said CrowdStrike Chief Executive George Kurtz. "You ask: 'Who is shooting at me and why are they shooting at me?'"
The attackers often breach company networks using a tactic known as spear phishing, a practice that gets an employee to download a malware file by disguising it, for example, in an email purporting to be from someone the worker knows. Firewalls and anti-virus software are almost useless against such techniques.
So CrowdStrike uses decoys to lure hackers into a controlled environment so investigators can watch and trace the attack. Sometimes the company feeds hackers false information, as in a case recently when a client was entering negotiations in China and expected to be hacked.
CrowdStrike, which employs Chinese linguists and former U.S. government cyber warriors, also has identified Chinese hackers using clues in their malware. It then profiles them — complete with real names and photos — using information gathered from a variety of sources.
That has helped the company, for example, identify a Chinese hacker who targets financial institutions and tends to seek merger and acquisition information. The company assigned the hacker a code name, Capital Panda, in the profile.
Profiles enable a more targeted defense by helping CrowdStrike know when an attacker is likely to strike, how he communicates, what malware he uses and how he tries to take the stolen data.
Kurtz, a former chief technology officer at security firm McAfee Inc., started CrowdStrike in February with fellow McAfee alum Dmitri Alperovitch and $26 million in financing from private equity firm Warburg Pincus.
Alperovitch rose to prominence last year when he wrote a white paper on what he called Operation Shady Rat, a series of state-sponsored cyber penetrations of more than 70 government agencies, companies and institutions. He didn't say publicly the intrusions came from China, but that was obvious to other experts.
China denies engaging in cyber espionage. U.S. intelligence officials said hackers sponsored by China and, to a lesser extent, Russia, are responsible for what Gen. Keith B. Alexander, director of the National Security Agency, has called "the greatest transfer of wealth in history" by siphoning bid documents, formulas, business plans and other intellectual property from Western companies.
The U.S. government's response has been confined to raising the issue politely in diplomatic discussions. CrowdStrike's confrontational approach is more satisfying to those damaged by cyber economic espionage.
The company is not without critics, who worry how far companies might go down the road of cyber vigilantism.
This year, Michael Hayden, former director of both the CIA and the NSA, raised the specter of a "digital Blackwater," a paid mercenary battling cyber attackers on behalf of corporations. CrowdStrike rejects any comparison to the notorious private security company that got into trouble when its employees killed 17 civilians in Iraq in 2007.
But some find the comparison apt — and troubling.