Into the Gray Zone: Considering Active Defense


Most engineers focus on purely technical mechanisms for defending against various kinds of cyber attacks, including “the old magic bullet,” the firewall. The game of cannons and walls is over, however, and the cannons have won; those who depend on walls are in for a shocking future. What is the proper response, then? What defenses are there? The reality is that, just as in physical warfare, the defenses will take some time to develop and articulate.

One very promising line of thinking is that of active defense. While the concept is often attributed to some recent action, active defense has been one form of warfare for many centuries; there are instances of what might be called active defense outlined in the Bible and in Greek histories. But it is only recently, in light of the many wars around Israel, that defense in depth has taken on its modern shape in active defense. What about active defense is so interesting from a network security perspective? It is primarily this: in active defense, the defender seeks to tire an attacker out by remaining mobile, misdirecting the attacker, and using every opportunity to learn about the attacker’s techniques, aims, and resources to reflect these back on the attacker.

This is not the same as hacking back, which tries to use the attacker’s tools against them; hacking back is often illegal and unethical, as it can easily harm innocent bystanders. Hacking back also opens up a new set of attack vectors: if someone can make you react to an attack by attacking a third party, the consequences would be far worse than having done nothing at all.

So what does active defense consist of in the world of network security? Georgetown University undertook a study of how to apply active defense to cyber security, and issued a report called Into the Gray Zone detailing the results. They identified eleven steps, seven of which are considered low risk:

  • Information Sharing, which just means sharing information with others who might be under attack, so everyone gains a better understanding of the threats being exploited, the scope of the attack surface, and the nature and motivations of the threat actor. This is, in reality, one of the most difficult steps to achieve, as it is often hard to convince “management” and “legal” that it is in everyone’s best interest to share this kind of information.
  • Tar pits and Honey Pots, which serve many different purposes. First they slow the threat actor down as they try to sort out whether the information they have encountered is real or not. Second, they expose the threat actor’s actions in what should be a heavily monitored network location, allowing defenders more information to work with in countering the attack.
  • Denial and Deception, which generally consists of adding bad information into good information that is being leaked, so the threat actor distrusts the information they are receiving.
  • Hunting, which just means evicting adversaries from the network and systems.
  • Notification Beacons, which alert defenders about exfiltrated information.
  • Information Beacons, software that acts from within exfiltrated data to report back on its location, environment, and method of transport.
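As an added example (not from the post or the report), here is what a notification beacon and its detector might look like on the defender’s side: each decoy document gets an HMAC-tagged token embedded as an image URL, and any fetch of that URL in web-server access logs is traced back to the document it was planted in, while forged or unknown tokens are discarded. The key, the log format and the decoy names are assumptions, and the log lines are constructed.

```python
"""Notification beacon: mint per-decoy tokens, then alert when one is fetched."""
import hashlib
import hmac
import re
import secrets

BEACON_KEY = b"constructed-demo-key"  # assumption: in practice loaded from a secret store
# Combined access-log format (constructed sample lines below follow it).
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
TOKEN_RE = re.compile(r"/beacon/(?P<nonce>[0-9a-f]{16})\.(?P<mac>[0-9a-f]{16})\.png$")


def _mac(nonce: str) -> str:
    """Tag the nonce so that random or guessed beacon paths cannot generate false alerts."""
    return hmac.new(BEACON_KEY, nonce.encode(), hashlib.sha256).hexdigest()[:16]


def plant_beacon(registry: dict, decoy: str, location: str) -> str:
    """Mint a beacon URL for one decoy document and record where it was planted."""
    nonce = secrets.token_hex(8)
    registry[nonce] = {"decoy": decoy, "location": location}
    return f"/beacon/{nonce}.{_mac(nonce)}.png"


def token_is_authentic(nonce: str, mac: str) -> bool:
    """Constant-time check of the tag before touching the registry."""
    return hmac.compare_digest(_mac(nonce), mac)


def detect_beacon_hits(registry: dict, log_lines) -> list:
    """Return one alert per authentic beacon fetch, with source IP, agent and the decoy hit."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        t = TOKEN_RE.search(m["path"]) if m else None
        if not t or not token_is_authentic(t["nonce"], t["mac"]):
            continue  # ordinary request, or a forged/mistyped token
        meta = registry.get(t["nonce"])
        if meta is None:
            continue  # authentic but retired token: not an active decoy
        alerts.append({"decoy": meta["decoy"], "location": meta["location"],
                       "src": m["src"], "ua": m["ua"], "ts": m["ts"]})
    return alerts


def demo() -> list:
    """Constructed scenario: one real beacon hit, one forged token, one ordinary request."""
    registry = {}
    url = plant_beacon(registry, "Q3-payroll-DRAFT.xlsx", "finance-share")
    nonce = next(iter(registry))
    lines = [
        f'203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET {url} HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
        f'198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /beacon/{nonce}.{"0" * 16}.png HTTP/1.1" 200 68 "-" "curl/8.0"',
        '192.0.2.4 - - [10/Oct/2023:13:57:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    ]
    return detect_beacon_hits(registry, lines)
```

The beacon server itself only needs to serve a transparent image at those paths and keep its access log flowing into the detector; the value is in the mapping from token back to planted document.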

The five higher risk steps, such as intelligence gathering and botnet takedowns, are reserved in the paper for use “in cooperation with government authorities.” Some of these mechanisms should be reserved for use after some local authority has been notified and has given legal clearance to move forward. Others (such as sanctions and indictments) would require moving through legal processes in either the law enforcement or the political realm.

This is just a short overview of the paper, of course—the entire report is well worth reading, as it should spur your thinking about what active defense might look like in your network.

You can find the report here.