There’s a new term that has taken hold in the cyber security community as strongly as the cloud has in the broader IT industry — it is called active defense.
Active defense is an interesting term — it conjures up visions of large government data operations centers tracking incoming attacks and preparing to launch counter strikes against foreign agents sending over malicious packets in a spiteful response. But what really is an active defense?
At the recent RSA Conference, there was a lot of talk about the concept. It has been around for more than a decade, but has achieved new traction due to technologies that do a much better job of tracking, tracing and reassembling packets. Additionally, a growing cadre of security researchers and the explosive growth of security operations centers has enabled professionals to better coordinate to identify, isolate and locate malfeasant actors.
Recently, a U.S.-based security company, Mandiant, even publicly identified China as the source of many attacks. The Chinese, understandably, responded with facts of their own showing targeted cyber attacks within their geographical boundaries originating in the United States. See www.securityinfowatch.com/10881127 for the full story.
There are calls from some in our community to interpret active defense as a “hack-back,” or returning attacks to organizations where they originate. Not only is this interpretation fraught with the technical problems of proxies and “false flag” incidents, it is also likely illegal under U.S. law. Of course, jurisdictional issues have always been a concern in cyberspace — as much depends on where the illegal activities take place and the laws in force there at the time. In an amorphous and interconnected digital world, our legal system can still only be invoked within geographical boundaries and international treaties.
How do you best interpret and implement active defense within your organization? To the savvy security practitioner, active defense is leveraging new technology to actively monitor and track aberrant behavior within organizational data management systems. This requires more effort than traditional preventative capabilities — it requires the use of new technologies that actually allow you to capture, analyze and identify attacks against your systems and data.
It is no secret that recent attacks have been far more sophisticated than previous hacking activities. Attackers are seeking out specific data resources and using our own ease-of-use capabilities to exploit vulnerabilities within our systems.
Active defense is something you should be doing now. It is not about getting back at attackers — it is simply a return to the ages-old first rule of security: protect thyself first.
John McCumber is author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. E-mail him at Cool_as_McCumber@cygnusb2b.com.