
By: Federico Pacheco (R&D Manager)

References

[1] Katagiri N., "From cyber denial to cyber punishment: What keeps Japanese warriors from active defense operations?", Asian Security, 17(3):331-48, September 2, 2021.

[2] Lee R. M., "The Sliding Scale of Cyber Security", SANS Institute, 2015.

[3] Rose S., Borchert O., Mitchell S., Connelly S., "Zero Trust Architecture", National Institute of Standards and Technology, August 11, 2020.


Active cyber defense: an introduction to a new approach to cybersecurity.

In search of a definition

A current way of interpreting the dynamics of cybersecurity is as a series of conflicts between a defending party and an attacking party, in which the former must be right all the time to maintain the expected stability, while the latter need only be right once to succeed. Attackers are therefore said to have an asymmetric advantage. Active cyber defense (hereafter CDA) makes it possible to overcome this asymmetry by using techniques similar to those of the attackers and by changing the approach.

Traditional protection in cybersecurity requires not only technical measures but also risk management that relates probabilities to potential impacts through qualitative and quantitative calculations, so that protections can be prioritized according to the value of the assets. Active defense is based on human-directed activities, with an automated component, that attempt to thwart attacks by increasing the diversity, complexity or variability of systems and networks, limiting the attacker's ability to gather information or reducing its usefulness. This defensive approach focuses on gathering information about attackers, either by luring them into instrumented traps or by patrolling and monitoring systems and networks to follow their trail.

The cybersecurity market still lacks widely available commercial CDA solutions; while general-purpose products exist, organizations must either adapt to what is available or develop their own customized scheme of in-house services. Since CDA implies action, it has both a reactive and a proactive aspect; in this study we refer to the proactive one, in which one does not wait for an attack to occur but acts in advance, in both the cyber and cognitive domains.

When the concept began to spread, in the early 2000s, its interpretation was different from today's, and was rather related to the so-called "hack back" (also "retaliatory hacking" or "offensive countermeasures"). This connotation technically implies the violation of the law, and its application is only discussed in contexts where national security is at risk, or in the critical infrastructure systems of a country, which in turn depends on the security posture of each nation. An example is the United States, which admits the possibility of preemptive counterattack, while at the other extreme are cases such as Japan, which does not use this approach, but rather a strategy of denying attacks by defensive methods, in line with the nature of the Japanese legal system[1].

It is generally accepted that CDA should be employed only when it is ethical and legal, and under the principles of authority, third-party immunity, necessity, proportionality, human involvement and civil liberties. One risk of not complying with the above is that an adversary could make an attack appear to come from legitimate (non-malicious) actors, so that countermeasures are mistakenly applied against them.

In this and subsequent posts, we consider cyber defense as the set of defensive measures and strategies related to any organization, and not in its military meaning originally related to national defense. In order to provide context, we will begin by analyzing the instances of defense, and then focus on CDA, and its theoretical and practical approaches, in future installments.

The 5 instances of defense

Cyber defense can be analyzed as a series of activities and design decisions to be made at different stages of the life cycle of an organizational system. These activities can be discretized along the following axes: architecture, passive defense, active defense, intelligence, and offensive defense[2]. Strategically, it makes the most sense to begin cybersecurity investment by starting with the first category before allocating significant resources to the others. This approach was systematized by Robert M. Lee in 2015, and while it did not formally receive academic validation, it is a very suitable approach for understanding the instances in which defensive activities can be designed in the industry context.

Architecture

Architecture is the first instance of defense, and refers to the planning, establishment and maintenance of systems, taking security into account from the design stage. While there are several traditional defense architectures that have long proven their effectiveness, such as the defense-in-depth model, modern technologies have enabled the development of more advanced approaches, such as the zero trust model, which is currently the most sophisticated[3].

Passive defense

The second instance of defense consists of the systems implemented within the defined architecture to provide protection against threats, and visibility into them, without continuous human interaction. While the static measures approach was successful for decades, its mechanisms lost effectiveness against persistent and resource-intensive adversaries. In the same vein, it was also proven that only highly trained personnel can neutralize highly trained adversaries.

Active defense

According to the U.S. Department of Defense, active defense refers to the use of limited offensive actions and counterattacks to deny the adversary a contested position[4], and includes the real-time and synchronized capability to discover, detect, analyze, and mitigate threats and vulnerabilities. In addition, it involves proactive, anticipatory, and reactive actions against the adversary. One of its keys is the ability to consume intelligence, which makes it possible not to wait for an attack to occur but to act in advance; this includes intercepting, disrupting or deterring an attack, or preparing for it, which can be done preemptively or in self-defense to limit or eliminate the adversary's operational capacity. The term moving target defense (MTD) is often used analogously to the proactive approach, and involves controlling change across multiple dimensions of a system in order to increase uncertainty and apparent complexity for attackers, reduce their window of opportunity, and increase the cost of their efforts. MTD is often considered a subset of CDA that focuses on diversifying or mutating the attack surface.
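As an added example (not code from the original post), the following Python model quantifies the MTD effect described above: how the rotation period of a randomised configuration shrinks the probability that reconnaissance is still valid when it is used, and how a defender can choose a period for a target staleness. The function names, the "one rotation invalidates the reconnaissance" assumption and the sample numbers are mine, not the article's.

```python
"""Moving target defense (MTD) window-of-opportunity model.

Added example, not code from the original post. Assumption (mine): the
service's exposed configuration (e.g. which of several ports it listens on)
is re-randomised every `rotation_period` seconds, and reconnaissance becomes
useless once a rotation falls between the scan and the use of its results.
"""
import math
import random


def stale_probability(rotation_period: float, recon_to_use_delay: float) -> float:
    """Probability that recon taken at a uniformly random moment inside one
    rotation period is stale `recon_to_use_delay` seconds later.
    rotation_period=math.inf models a static (non-MTD) system -> 0.0."""
    if rotation_period <= 0 or recon_to_use_delay >= rotation_period:
        return 1.0  # a rotation is guaranteed to land in between
    return recon_to_use_delay / rotation_period


def expected_recon_rounds(stale_prob: float) -> float:
    """Expected recon rounds until one is still fresh when used (geometric
    distribution): a proxy for the extra cost MTD imposes on the attacker."""
    if stale_prob >= 1.0:
        return math.inf  # recon can never be used in time
    return 1.0 / (1.0 - stale_prob)


def rotation_period_for_staleness(recon_to_use_delay: float, target: float) -> float:
    """Longest rotation period that still makes recon stale with probability
    >= target (0 < target <= 1): the defender's tuning knob."""
    return recon_to_use_delay / target


def simulate_stale_rate(rotation_period: float, recon_to_use_delay: float,
                        trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo cross-check of stale_probability(): rotations occur at
    multiples of rotation_period; the scan lands at a uniform offset."""
    rng = random.Random(seed)
    stale = sum(
        1 for _ in range(trials)
        if rng.uniform(0.0, rotation_period) + recon_to_use_delay >= rotation_period
    )
    return stale / trials
```

With hourly rotation and a constructed 15-minute gap between scan and use, a quarter of all reconnaissance is wasted and the attacker needs about 1.33 scans on average per usable result; halving the period to 15 minutes makes every scan stale.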

Intelligence

In this context, intelligence refers to the continuous cycle of collecting, processing and exploiting data, analyzing it, and producing information from sources in order to produce knowledge. What the tools produce is turned into so-called actionable intelligence, and creating it depends on the ability of the analysts rather than on the tools. Consuming intelligence requires understanding the environment, the business and the technology that may be affected[5]. Generating intelligence is a task of the intelligence team, while consuming it is the task of active defense.

Offensive defense

The last instance of defense refers to legal countermeasures and counterattack actions against an adversary outside one's own or friendly systems, for the purpose of self-defense. These operations imply the prior execution of all the previous instances. Civilian organizations cannot participate in this type of action, since motives based on revenge or retaliation are illegal under international law and cannot constitute acts of self-defense.

Conclusions

Active cyber defense is part of a defensive approach to cybersecurity that invites a change in the way of thinking about it, without excluding the traditional ways of approaching it. Thus, each instance of defense continues to have its own place, and can be complemented by increasingly modern approaches. Paradoxically, it raises the possibility of improving cybersecurity by increasing complexity, which a priori does not seem to make conceptual sense. In future posts we will analyze some of the theoretical and practical approaches to active cyber defense, which will combine to enable the creation of working models, leading to products and services for the industry.