Cool as McCumber: The Age of Active Defense

March 11, 2013
Security pros are turning hacks back to where they came from

There’s a new term that taken hold in the cyber security community as strongly as the cloud has in the broader IT industry — it is called active defense. Active defense is an interesting term — it conjures up visions of large government data operations centers tracking incoming attacks and preparing to launch counter strikes against foreign agents sending over malicious packets in a spiteful response. But what really is an active defense?

At the recent RSA Conference, there was a lot of talk about the concept. It has been around our business for well more than a decade, but has recently achieved traction due to new technologies that do a much better job of tracking, tracing and reassembling packets. Additionally, a growing cadre of security researchers and the explosive growth of security operations centers has enabled professionals to better coordinate to identify, isolate and locate malfeasant actors.

Recently, a U.S.-based security company, Mandiant, even publically identified China as the source for many attacks. The Chinese, understandably, responded with facts of their own showing targeted cyber attacks within their geographical boundaries originating in the United States. See for more.

There are calls from some in our community to interpret active defense as a “hack-back,” or returning attacks to organizations where they originate. Not only is this interpretation fraught with the technical problems of proxies and “false flag” incidents, it is also likely illegal under U.S. law. Of course, jurisdictional issues have always been a concern in cyberspace, as much depends on where the illegal activities take place and the laws in force there at the time. In an amorphous and interconnected digital world, our legal system can still only be invoked within geographical boundaries and larger international treaties.

So how does one best interpret and implement active defense within their organization? To the savvy security practitioner, active defense is leveraging new technology to actively monitor and track aberrant behavior within their organizational data management systems. This requires much more effort than traditional preventative capabilities — it requires the use of new technologies that actually allow your security team to capture, analyze and identify attacks against your systems and data resources. It is no secret that recent attacks have been far more sophisticated than previous hacking activities. Attackers are seeking out specific data resources and using our own ease-of-use capabilities to exploit vulnerabilities within our systems.

Active defense is something you should be doing now. Remember, it is not about getting back at attackers — it is simply a return to the ages-old first rule of security: protect thyself first.

About the Author

John McCumber

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].