
The Active Response Continuum & The Right To Cyber Self Defense…

February 24th, 2015

At the 2015 Kaspersky Security Analyst Summit, I kicked off the event with a keynote titled: “Active Defense and the A.R.T. of W.A.R.”

The A.R.T. of W.A.R. stands for “Active Response Techniques of Weaponization and Resilience.”

You can read about some of what I discussed here.  I will post the presentation shortly and Kaspersky will release the video also.  The video of my talk is here (I am walking out, hoodie up, like I’m in a fight per the show thematic):

While thematically I used the evolution of threat actors, defensive security practices, operations and technology against the backdrop of the evolution of modern mixed martial arts (the theme of the conference), the main point was really the following:

If we now face threat actors who have access to the TTPs of nation states, but themselves are not, and they are attacking enterprises who do not/cannot utilize these TTPs, and our only current “best practices” references against said actors are framed within the context of “cyberwar,” and only able to be acted upon by representatives of a nation state, it will be impossible for anyone outside of that circle to actively defend our interests, intellectual property and business with an appropriate and contextualized framing of the use of force.

It is extremely easy to take what I just mentioned above and start picking it apart without the very context I referenced.

The notion of “Active Defense” is shrouded in interpretive nuance — and usually immediately escalates to the most extreme use case of “hacking back” or “counter-hacking.”  As I laid out in the talk — leaning heavily on the work of Dave Dittrich in this area — there are levels of intrusion as well as levels of response, and the Rubik’s Cube of choices allows for ways of responding that include more than filing a breach report and re-imaging endpoints.

While the notions of “active” and “passive” are loaded terms without context, I think it’s important that we — as the technical community — be allowed to specifically map those combinations of intrusion and response and propose methodologies against which air cover of legal frameworks and sovereignty can be laid.  Not having this conversation is unacceptable.

Likewise unacceptable is the disingenuous representation that organizations (in the private sector) who specialize in one of the most important areas of discussion here — attribution — magically find all their information by accident on Pastebin.  Intelligence — threat, signals, human, etc. — is a very specialized and delicate practice, but as it stands today, there are 4-5 companies who operate in this space with ties to the public sector/DoD/IC and are locked in their own “arms race” to be the first to attribute a name, logo and theme song around every attack.

It’s fair to suggest they operate in spaces along the continuum that others do not.  But these are things we really don’t talk about because they exist in the grey fringe.

Much of that information, and many of those sources, are proprietary, and while we see executive orders and governmental offices being spun up to exchange “threat intelligence,” the reality is that even if we nail attribution, there’s nothing most of us can do about it…and I mean that technologically and operationally.

We have documents such as the Tallinn Manual and the Army Cyber Command Field Manual for Electromagnetic Warfare that govern these discussions in their realms — yet in the Enterprise space, we have only things like the CFAA.

This conversation needs to move forward.  It’s difficult, it’s hairy and it’s going to take a concerted effort…but it needs a light shone upon it.


Categories: Active Defense
  1. Andre Gironda
    February 24th, 2015 at 14:21 | #1

    Hoff, you pleasantly present amazing and high-quality information, but I am going to have to disagree with you as per usual. There is no discussion about “the right to self-defend” because of attribution. If your messed-up cousin beats the crap out of your brother on the street in front of your house — on your property — and then points a gun at you while you already have a bigger one pointed at him, the conclusion is obvious. If some unidentifiable Chinese paramilitary org repurposes BlackEnergy (read: an actual real cyber criminal tool repurposed by nation-state cyber espionage programs to make them appear as criminals) to target a subsidiary of a financial institution using IP ranges coming from LACNIC then the CIO probably shouldn’t get his or her whole SOC to launch a LOIC offensive when the only evidence/indicators the SOC falsely assumes is a bunch of IP addresses in Brazil. It’s a law enforcement issue, not an “Enterprise space” issue. The professionals work the CI-HUMINT angles first, which usually takes 4-6 months. Now if you instead said that you are going to hire Kroll to do that CI HUMINT for you, then I might bite.

    However, all said, CND is now IGCND — and for some (those 4-5 with Federal programs, etc) it is also IGCNO. For the Enterprise space, they do have “something”: Cyber Exercises, D&D, and CD can take the place of strike-back and CI for those of us who aren’t attorneys or don’t work for the USG (in particular the IC), CYBERPOL, etc.

    Now the question becomes can the overinflated egos of red, hunt, and white teams coexist with the bruised egos of blue teams and ECGs? Can our leadership manage this divide? I think you do eloquently provide this answer, which is that defenders must learn offense. Let’s teach them the right kind of offense through Cyber Exercises — http://www.mitre.org/publications/technical-papers/cyber-exercise-playbook

    KEY== Latin America and Caribbean Network Information Centre, Security Operations Center, Low-Orbit Ion Cannon, Counterintel Human Intelligence, Intelligence-Guided Computer Network Defense, Computer Network Operations, Denial and Deception, Counter Deception, Counterintelligence, United States Government, Intelligence Community, Exercise Control Group

  2. Christofer Hoff
    February 24th, 2015 at 14:31 | #2

    Hi. Thanks for your comment, Andre.

    Three really important points:

    1) Your comment: “There is no discussion about ‘the right to self-defend’ because of attribution” < …inaccurate. Also, and more importantly, that's not what I said. Attribution is simply one of the points that this conversation stumbles over — usually the first. Just like your response articulates.

    2) You haven't seen/heard the presentation. I'd suggest waiting for it. Or not.

    3) There are many assumptions that preclude one's ability to discuss things like this. Seven of them are made in the paper I cite. See #2 above.


  3. Christofer Hoff
    February 24th, 2015 at 14:55 | #3

    Andre: sorry for the terse reply. I *really* do appreciate the candor and opportunity to disagree, I just think that you took the one point about attribution as the hook upon which to hang this entire discussion — many do, by the way…which is why I brought it up.

    This is a multi-dimensional problem, which is why the talk revolved around this (active response continuum, but ALSO the need for security to evolve.)

    Give it a chance when you get to see the whole presentation…I think I balanced it well with the call to action being that this is a sticky discussion that needs to be had without simply throwing the wet blanket on top.

    Thanks again.


  4. Kevin Newmeyer
    February 25th, 2015 at 10:19 | #4

    Good start. Our current model for international relations and for that matter civil relations leaves the monopoly on the coercive use of force with the government. Self defense doctrines limit the amount of force to that which is sufficient to stop the threat (i.e. if being attacked you can fight back but only as long as the bad guy pursues the attack, you have to stop when he runs away).

    I think the real challenge in this problem is not on the technical side but on the political side. You have to convince the 14th century French literature majors and lawyer wannabes on legislative staffs that the problems and threats of intellectual property theft, corporate espionage, and outright theft are serious enough to convince our ADD political representatives that they have to act in the national interest.
    PS Hope the leg heals quickly.

  5. Andre Gironda
    February 26th, 2015 at 02:32 | #5

    @Christofer Hoff Agree that this is all part of an evolution, but I would like to see the terminology “active defense” laid to rest. I’m not sure I understand framing it under the self-defense construct, but I do intend to hear and see more of your work in this and other areas.

    Take “information sharing” as an example. You hear it everywhere, but we don’t see it explicitly in the workplace. You have Microsoft Interflow, Soltra Edge, and MITRE CRITs — all competing platforms and none which have interoperable TAXII implementations. You have “information sharing” beating the drum in the media and from a governance perspective — but you don’t have a common collaborative analytic environment.

    Try implementing the concept of Shared Thinking in any modern information security management team (or should I say `teams’? Many orgs split this function across the org into many competing teams). It simply does not work — and not just because of the performance merit system. What ever happened to DevOpsSec? Did it not catch on, does it even work, what’s the end game here?

  6. beaker
    February 28th, 2015 at 15:09 | #6

    Andre: You may not have noticed the deliberate title of this blog or its content; specifically: The “Active Response Continuum.”

    The video link is now posted (and I’ll post the actual presentation shortly) so perhaps you can spend the 30 minutes to understand my point.


    Kevin: For sure, there are two sides to this discussion, but we never really get to have one of those conversations fully because the other immediately shuts it down.

    Check out the talk…I’d love to know what you think.

