Active Cyber Defense is a relatively new concept but comes from an older military strategy. What is Active Cyber Defense? The definition I like to refer to is direct defensive action taken to destroy, nullify, or reduce the effectiveness of cyber threats against friendly forces and assets (Denning & Strawser, 2017). Active Cyber Defense does not mean hack back. Hacking back at your adversaries is highly discouraged. This can lead to huge legal ramifications, especially if you target the incorrect group or individual. This is best left to government authorities.
Active Cyber Defense originated from military strategies as outlined in United States Joint Publication 3-01, Countering Air and Missile Threats. The publication defines active air missile defense as a “direct defensive action taken to destroy, nullify, or reduce the effectiveness of air and missile threats against friendly forces and assets” (Denning & Strawser, 2017). For example, the Patriot surface-to-air-missile system uses an advanced aerial-interceptor missile and high-performance radar system to detect and shoot down hostile aircraft and tactical ballistic missiles (Denning & Strawser, 2017).
Why is Active Cyber Defense important? Active Defense is important partly due to the psychological meaning. Active Cyber Defense allows organizations to engage and deflect attackers in real time by combining the core components of threat intelligence and analytics resources within the IT function (Brown, Ellis, Kaplan, & Rosenthal, 2017). Active Cyber Defense methods allow for organizations to become more mobile and anticipate threats. The uses of threat intelligence, deception techniques like honeypots, continuous authentication, and segmented networking are all techniques that enforce an Active Cyber Defense. Leveraging Active Cyber Defense allows you to dictate what the adversary does to include being able to outmaneuver them, eventually thwarting their attack.
An example of effective Active Cyber Defense was the Coreflood Takedown. Back in April 2011, The FBI, Department of Justice, and Internet Systems Consortium (ISC) deployed active defense measures to take down the Coreflood botnet. The botnet contained over 2 million infected computers. The malware it deployed was used to harvest usernames, passwords and financial information. The Active Cyber Defense steps taken were a temporary restraining order obtained for the ISC to switch the Coreflood’s C2 servers to its own servers. This caused the infected machines to point to the new ISC placed servers and enabled the ISC to gain control of the botnet operation. The new C2 servers halted the botnet from continuing their malicious activity.
Think of Active Cyber Defense as the capability for an organization to make it much tougher for an adversary to penetrate your network. Just as the military utilizes active air missile defense systems to rout enemy attacks, the use of automation and certain cyber defense techniques will allow organizations to outmaneuver the enemy.
Subscribe to the Weekly Threat Briefing to learn more about recent cyber threats and mitigation tactics.
Brian Roy has served over 21 years in the United States Army in both active duty and reserve roles. He has deployed multiple times in support of various wars. Brian has 15 plus years of cyber security experience beginning as a system administrator while stationed in Germany. He is passionate about security, travel, concerts, and sports.