
Cyber Wars are Here: Active Defense is the Answer

As an IT security manager, do you find yourself spending most of your time pacing the ramparts, inspecting your organization's defenses, knowing all along that the zombie cyber hordes can quickly overwhelm them? Those are the gut-wrenching, nightmarish thoughts that cyber security managers have daily - that awful, gnawing feeling that annihilation is just one adversary campaign away.


Any Black Hat hacker or Advanced Persistent Threat (APT) knows that a full frontal assault is not the first stage of a cyber attack campaign. They first send spies to probe, to infiltrate, and to establish a foothold from within, where they can watch, learn, and then act. They are patient and disciplined and time is their ally, not ours - they remain undetected for lengthy periods of time, lurking, and waiting to strike at the opportune moment.


Is it possible to turn the tables on the enemy, and shape the battlefield to our advantage, hitting them first? Unfortunately, international and domestic cyber security laws do not favor the offensive-minded and our adversaries know it.


It is for good reason that hacking back is discouraged, not to mention illegal - oftentimes it is as futile as swinging a sword in the dark. The major issue is how to ascribe blame, also known as attribution - how do we really know who is attacking us? Is it a state-sponsored Chinese hacker masquerading as a Russian APT? Is it a hacktivist who is on the payroll of some nation state? Is it just a pimple-faced 13-year-old script kiddie whose youth and naivete blind them to the illegality of their actions?


I don't know about you, but when my anxiety level goes up, I don't reach for a Xanax, I reach for knowledge - researching the options I have that are within my control, even if constrained by law. As I started to look for guidance, I came across the concept of cyber Active Defense.


The Department of Defense definition of active defense is:


"The employment of limited offensive action and counterattacks to deny a contested area or position to the enemy."  


Examining this definition a little closer, we should pay attention to the scope of action - "the contested area or position". That means my network, my systems, my information - the areas that I defend and which are in my control.


To use Active Defense measures means to think outside the ramparts and to assume that no matter how strong your current defenses are - you must assume breach! Assume that the enemy has already infiltrated, that their spies are already entrenched, that they are on your doorstep. In other words, don't spend all your time walking the castle walls, looking off in the distance for the dust of a marching army. Spend your time more wisely rooting out the threats that are already here and actively manage those threats.


During WW2, when the United Kingdom was infiltrated by German spies, the UK security apparatus employed high-fidelity detection to unmask the invaders. But once a spy was discovered, they didn't march them before an execution squad; instead they co-opted them and used them as deception conduits - feeding disinformation back to Germany. Not only was Germany denied the insider intelligence they were looking for, but their spies were actively being manipulated to Germany's strategic disadvantage.


That same double-agent playbook can be used for cyber Active Defense - detecting and neutralizing a cyber threat through covert management - just one example of the varied Active Defense measures that you can take with the right cyber tools and processes.


Further research led me to the NIST SP 800-160 Volume 2 publication, Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems, which outlines other Active Defense methods, although NIST doesn't use the term Active Defense. Instead, they use the umbrella term Cyber Resiliency.


Weeding through NIST 800-160 can be tedious as its approaches are often conceptual in nature and don't exactly map to tools and products. That gave me the idea for this blog - a central site for discussing and reviewing Active Defense oriented solutions, policies, laws, and anything else that is treading the bleeding edge of offensive cyber security. I hope you enjoy the content and find it useful.


Please email me at jcarrion@cyberbellum.net and let me know if there are any Active Defense concepts and products you would like me to review.

