It seems a long time since organizations could comfortably be treated as corporate entities with their own IT environments and a loose coupling to their supply chains. Now organizations are complex, interconnected ecosystems of partners, third-parties, cloud providers and affiliates.
As defending the organization and its ecosystem in cyberspace becomes more challenging, how can businesses tackle those challenges and what role can ‘active defense’ play?
Although a debatable term, many take ‘active defense’ to be a set of pro-active measures taken by an organization to undermine and ultimately defeat cyber attackers before they launch their attacks.
Active defense requires thinking beyond the passive defenses organizations rely on, such as firewalls, anti-virus and encryption tools, and beyond the organization and its traditional perimeter.
Fixing vulnerabilities is not possible if their existence is unknown, so finding them before the attacker does matters, but can that be done for the ecosystem as a whole?
Capable organizations can help less able organizations by identifying and informing them of any vulnerabilities or any evidence of those vulnerabilities being actively exploited. This can help address what the World Economic Forum’s Center for Cyber Security calls “the Cyber poverty line” and could be particularly helpful for many organizations suffering from restricted budgets since the start of the COVID-19 pandemic.
Many government agencies try to apply this strategy to entire industries or economies. For example, the UK’s National Cyber Security Centre (NCSC) has implemented its Active Cyber Defense (ACD) program to “reduce the harm from commodity cyber-attacks against the UK” [1]. Its main weapon is vulnerability scanning — participating organizations provide information about their networks, and ACD tries to find vulnerabilities and exposures.
While this arms-length approach suffers from not being able to interrogate an organization’s overall security state (i.e. it won’t identify how well defended an organization is against phishing, how strong user security awareness is, or how well defined its Identity and Access controls are), it is a useful approach in identifying technical vulnerabilities that can subsequently be fixed.
Moving beyond this approach requires “engagement with the enemy,” which includes a spectrum of actions from passive observation to active disruption, all of which bring their own legal challenges.
One element of active defense that is taken for granted is threat intelligence. The Internet is under heavy surveillance by governments and commercial entities. Internet activity is captured and monitored, and the resulting metadata is often made available for commercial access — this information can be used in active defense too, and organizations can gain much intelligence from it.
For example, suppose an internet system is identified as a command system for malware — the systems that connect to it are very likely also compromised by that malware. This can help identify attack victims and notify them, perhaps before the malware has had time to steal or encrypt sensitive data.
Similarly, specialist threat intelligence firms often secure access to closed cyber-crime forums buried in the dark web, allowing them to tip off their customers when they are discussed in the forum. Hints that their data is for sale or that criminal groups may have access to their systems can help frustrate criminal intentions.
Increasingly governments are using their sophisticated cyber espionage capabilities to offer the same service to their critical infrastructure providers. There is a recognition that the security of the firms in ecosystems such as Defense and Energy equates to their nation’s security.
Counterstrikes, or hack-backs, are offensive operations using hacking techniques against a hacker’s infrastructure. In most countries, this is an illegal approach for private organizations to adopt, and it can cause complications even for governments. That said, security firms under the control of law enforcement often co-operate to execute takedowns. For example, Microsoft co-operated with US Cyber Command to feed false data to and disrupt the Trickbot botnet [2].
However, most private enterprises can only try to identify and quickly “burn” attacker tools and infrastructure. For example, a malicious web domain is spotted, and its details are rapidly shared with the security community, who add it to blocklists. Increasingly, organizations can be encouraged to use DNS resolvers that implement these blocklists and so prevent users from reaching known bad systems. The Global Cyber Alliance has been instrumental in developing the Quad9 DNS service, which does precisely this.
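Pivoting from a known command-and-control domain to the hosts that contacted it (the threat-intelligence scenario above) and resolver-side blocklisting are the same lookup run over a DNS query log. The following is an added example, not code from the original article or from any of the services it names; the log format, the blocklist entries and the IP addresses are all constructed for illustration.

```python
import re

# Constructed blocklist of malicious domains (placeholders, not real indicators).
BLOCKLIST = {"evil-c2.example", "badupdate.example"}

# Constructed DNS resolver log in an assumed key=value format, one query per line.
SAMPLE_LOG = """\
2024-03-01T10:15:02Z src=10.0.5.17 query=login.evil-c2.example type=A
2024-03-01T10:15:09Z src=10.0.5.21 query=www.example.org type=A
2024-03-01T10:16:40Z src=10.0.5.17 query=evil-c2.example type=A
2024-03-01T10:17:03Z src=10.0.7.3 query=cdn.badupdate.example type=AAAA
2024-03-01T10:18:11Z src=10.0.5.21 query=notevil-c2.example type=A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) query=(?P<query>\S+) type=(?P<qtype>\S+)$")


def blocked_parent(name, blocklist):
    """Return the blocklist entry that equals name or is one of its parent domains, else None.

    Matching on whole labels (not substrings) keeps look-alikes such as
    notevil-c2.example from being flagged by the entry evil-c2.example.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def should_block(name, blocklist):
    """Resolver-side decision: refuse to answer queries for blocklisted names."""
    return blocked_parent(name, blocklist) is not None


def find_victims(log_text, blocklist):
    """Map each source host that queried a blocked domain to first-seen time, hit count and matched entries."""
    victims = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole sweep
        hit = blocked_parent(m["query"], blocklist)
        if hit is None:
            continue
        rec = victims.setdefault(m["src"], {"first_seen": m["ts"], "hits": 0, "matched": set()})
        rec["hits"] += 1
        rec["matched"].add(hit)
    return victims


if __name__ == "__main__":
    for src, rec in find_victims(SAMPLE_LOG, BLOCKLIST).items():
        print(src, rec["first_seen"], rec["hits"], sorted(rec["matched"]))
```

The first-seen timestamp per host is what lets a notification say how long the machine has been talking to the command system.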
Regardless of how much engagement organizations decide to have with active defense — this isn't a solo play. Instead, it is the power of a community that defeats adversaries.
Joining an intelligence-sharing club such as FS-ISAC, the UK NCSC’s CiSP or KPMG’s i4 (a club of CISOs from prominent organizations) will build crucial networks to lean on for support.
As it stands, active defense in the context of broader ecosystems is mostly being undertaken by governments and industry champions, and only in some nations across the globe. As cyber crime evolves, organizations should be prepared to think differently about how to combat those criminal groups. Doing this across the ecosystem will require new collaboration models between government and industry, operational structures that can detect and disrupt criminal activity at pace, and legal structures that recognize the imperative to do so but embed the necessary checks and balances.
Active defense is here to stay; it has the potential to be a key part of securing our ecosystem, and it will demand creativity and leadership.