What does ‘Active Defense’ mean?

Dec 22, 2016


Mike is the CEO/Founder of CryptoMove, a new active defense data protection startup in Silicon Valley. By active defense, we mean asymmetric defense.

Security requires collaboration. But to collaborate, we first must share a common understanding of what we’re talking about. How should security professionals communicate threats? Strategies? Which words best describe a dynamic security environment? No easy task.

These days, a lot of people talk about active defense. This is an attempt to figure out what that means.

Buzzword bingo

Every industry plays buzzword bingo to an extent. Yet it seems the security industry overflows with new phrases describing old concepts. Perhaps this is inevitable — the only way for incumbents to differentiate legacy or overlapping products. Maybe it has something to do with hundreds of new startups sprouting up yearly. Or perhaps a lack of fundamental technology innovation. Whatever the reason, an epidemic of buzz runs rampant.

Prevention vs Detection

For instance, the debate over prevention versus detection. Much ink has been spilled over whether it is better to marshal resources towards preventing attacks or detecting them. Cylance leads the prevention charge. And in a crowded marketplace, Cylance’s marketing shines. Whether neon-green sneakers at Black Hat or clever “Silence” airport banners, Cylance knows how to leave an impression. But perhaps most impressive is the way that Cylance positions their product as prevention, while painting other endpoint anti-malware technologies as mere detection.

An Inc. profile notes that Cylance is “Busting Cybersecurity’s Greatest Myth”:

The key difference between Cylance and its competitors is that it moves to prevent hacks, rather than to simply detect them.

Per the narrative, Cylance prevents malware with machine learning (and ‘math’) that stops malware before it executes. Competitors merely detect malware. Is the difference substantive, though, or rhetorical? In all cases, software finds (detects) malware and stops (prevents) that malware from accomplishing its goal. Presumably some software does so better than others. Some stop malware pre-execution. Others stop malware post-execution. Some spot signatures. Others use behavioral analysis. Or machine learning.

Prevention = detection? Bingo.

Deception (aka honeypots)

Deception is another challenging term. Honeypots and traps are decades-old software security concepts. At the same time, they are hot right now, among the most VC-flooded areas of security over the last 24 months.

New technology, or clever branding? The argument goes that old-school honeypots were difficult and required manual set up. New companies like Illusive Networks, Cymmetria, TrapX, Acalvio, Attivo go beyond honeypots to create comprehensive deception networks of virtual machines, honeytokens, decoys, and lures to trap attackers. So, maybe, deception ≠ honeypots.

But rhetorical ambiguity doesn’t end there. What is the point of deception? According to Gartner’s Anton Chuvakin, security teams view deception technology as a means to improving detection capabilities. Indeed, it is debatable whether such advanced forensics and detection is an efficient use of time and resources, or whether it distracts a security team from other (easier) forms of detection. Bingo. Perhaps this explains why Gartner predicts only 10% of enterprises will use deception technologies by 2018.

So what about ‘Active Defense’?

Active defense is among the most buzzed about terms in security — meaning different things to different people in different contexts.

The Department of Defense defines active defense as follows:

The employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.

The above definition clouds discussions, however, because it seems like such an obviously bad idea for corporations to hack back against cyber-adversaries. Among other things, such a strategy likely runs afoul of the Computer Fraud and Abuse Act. Even were offensive counter-attacks kosher, most Fortune 500 companies lack resources to pull them off and likely are better served investing time and resources towards other pursuits.


What about deception? Is it active defense? Next-gen honeypot vendors might argue yes. However, the market apparently judges deception technology by whether it increases detection capabilities (whether by shortening time-to-detection or spotting otherwise undetected attacks). In this sense, deception is just another forensics arrow in the quiver, with a goal little different from anti-virus. Not to mention requiring intensive work on the part of the defender. Perhaps active is not the right term.


How about incident response and threat intelligence? According to at least one SANS Analyst White Paper, yes:

[Active defense is] [t]he process of analysts monitoring for, responding to, and learning from adversaries.

This falls into a similar pitfall as deception. Namely, it requires work. Threat intelligence and cooperating with law enforcement can undermine attackers’ efforts. But it requires work on the part of defenders. Arguably, by even engaging in such activities, especially if attackers use misdirection, defenders risk inefficient resource expenditure in an environment where defenders are plagued with a 1 million+ person job shortage. Threat intel and IR may be good, but should we call it active defense, or should we just call it threat intel and IR?


Moving target? Bingo. Originally, when the concept of active defense gained ground in the 1960s, it focused on maneuverability. To the extent that it contemplated counter-attack, active defense focused on countering the attackers’ capability — not the attacker themselves.

A strategy of moving target defense is also explicitly not about detection. Indeed, it is the opposite. Moving target defense aims to frustrate the undetected attacker, who hides in a system, studies its vulnerabilities, and plans and executes attacks at their leisure. Because a moving, mutating, or polymorphic target is too hard to hit, detection is unnecessary. Unlike deception, threat intelligence, and counter-attack, moving target is an asymmetric defense strategy. Defenders work less. Attackers work more.


Proposed definition

Active defense means asymmetric defense.

Asymmetric is the key word. That is, an active defense must frustrate attackers’ efforts while reducing the amount of work for defenders. Bad guy costs go up, good guys’ go down. It’s helpful to think about this definition by what it is not. Active defense is not passive defense. It is not static defense. It is automated. Dynamic. Asymmetric.

A key benefit of asymmetric as a concept is measurability, despite whatever marketing buzz gets used. Under this definition, defenses that increase attacker costs while proportionally increasing defenders’ work are not active. Deception (aka forensics, aka detection) — not active. Threat intel — not active. Taking down a bot-net? Probably not. Incident response — maybe, if automated. Moving target? Yes, if automated. Security orchestration? Yes.
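To make the two claims above concrete (a moving target frustrates an attacker who was never detected, and asymmetry is something you can measure), here is a small simulation. It is an added example for this post, not CryptoMove’s software or anything the vendors named here ship; the slot count, rotation period, exploit-development time, and horizon are all assumptions picked for illustration. A static defender leaves an asset in place; a moving-target defender re-randomizes its location on a fixed schedule at a constant, automated cost and never tries to detect the attacker. The attacker must locate the asset, tailor an exploit to that location, and then attempt it, and the attempt only works if the asset is still where reconnaissance saw it.

```python
"""Toy simulation of a moving-target defense as an asymmetric defense.

Constructed example, not CryptoMove's code: an asset occupies one of n_slots
slots (a stand-in for an address, port, or data-fragment location). A static
defender leaves it in place; a moving-target defender moves it to a different
slot every rotation_period ticks at a fixed, automated cost and never needs to
detect the attacker. The undetected attacker must locate the slot by probing,
spend exploit_time ticks tailoring an exploit to it, then attempt it; the
attempt only works if the asset is still where reconnaissance saw it.
All parameter values below are assumptions chosen for illustration.
"""
import random


def simulate(n_slots, exploit_time, rotation_period, horizon, seed):
    """One episode; rotation_period=None means a static defender.

    Returns the work each side performed (one unit per action) and whether the
    attacker breached the asset within `horizon` ticks.
    """
    rng = random.Random(seed)
    asset = rng.randrange(n_slots)      # slot currently holding the asset
    order = []                          # attacker's remaining probe order
    located = None                      # slot the attacker's exploit targets
    prep_left = 0                       # exploit-development ticks remaining
    attacker_work = defender_work = 0

    for tick in range(1, horizon + 1):
        # Defender: automated move to a different slot, constant cost per move.
        if rotation_period and tick % rotation_period == 0:
            new = rng.randrange(n_slots - 1)
            asset = new if new < asset else new + 1
            defender_work += 1

        # Attacker: exactly one action per tick.
        attacker_work += 1
        if located is None:                      # reconnaissance
            if not order:                        # (re)start a full sweep
                order = list(range(n_slots))
                rng.shuffle(order)
            if order.pop() == asset:
                located, prep_left = asset, exploit_time
        elif prep_left > 0:                      # exploit development
            prep_left -= 1
        elif located == asset:                   # attempt against a live target
            return {"success": True, "ticks": tick,
                    "attacker_work": attacker_work, "defender_work": defender_work}
        else:                                    # attempt against stale recon
            located, order = None, []

    return {"success": False, "ticks": horizon,
            "attacker_work": attacker_work, "defender_work": defender_work}


def compare(n_slots=256, exploit_time=8, rotation_period=4, horizon=2000, trials=100):
    """Average the outcome over `trials` seeds for static vs moving-target defense."""
    summary = {}
    for label, period in (("static", None), ("moving", rotation_period)):
        runs = [simulate(n_slots, exploit_time, period, horizon, seed)
                for seed in range(trials)]
        summary[label] = {
            "breach_rate": sum(r["success"] for r in runs) / trials,
            "attacker_work": sum(r["attacker_work"] for r in runs) / trials,
            "defender_work": sum(r["defender_work"] for r in runs) / trials,
        }
    return summary


if __name__ == "__main__":
    for label, stats in compare().items():
        print(f"{label:7s} breach rate {stats['breach_rate']:.2f}  "
              f"attacker work {stats['attacker_work']:7.1f}  "
              f"defender work {stats['defender_work']:6.1f}")
```

The numbers are the point of the exercise, not the toy itself: against the static defender the attacker breaches every run with a few hundred units of work, while the moving defender spends a fixed unit of work every fourth tick and the attacker’s work per breach climbs by an order of magnitude because its reconnaissance keeps going stale. That is the measurable shape of “bad guy costs go up, good guys’ go down”; a defense whose cost rose in step with the attacker’s would show no such gap.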

The goal is a useful definition of active defense. We need a shared understanding to communicate and collaborate. Of course, ‘asymmetric’ is not beyond reproach. Given enough marketing massage, asymmetry can surely turn into its own bingo.


What do the experts think?

We polled a few of CryptoMove’s advisors for their take on active defense:

Fengmin Gong (Co-Founder of Palo Alto Networks and Cyphort, and now VP of Information Security Strategy at Didi) looks at active defense this way:

It is all about leveling the playing field with the attackers. Instead of standing still while the attackers hit us from many angles, we can move around assets or network configurations; instead of being exposed in bright light for attackers to target, we can obfuscate and camouflage our systems. In a way we can increase the cost to the attackers, thus enhancing the defense.

Michael Roytman (head of Data Science at Kenna Security), who digests Fortune 500 risk profiles for breakfast, has this to say:

All of our industry’s data about successful exploitation tells us that attackers learn about our environments, and consistently automate the attacks that work repeatedly. Pair that with the inherent asymmetry of “defense” — it takes one successful attack to win, while we must defend against every attack to prevent a breach, and the solution becomes fairly obvious. Introduce asymmetry in an automated fashion, make it harder for the attackers to learn about you, and you stand a chance.

Nick Bilogorskiy (founding team member at Cyphort and former head of malware at Facebook) looks at active defense like this:

To me active defense is a cybersecurity technique that countervails the breach in real time. This could be in the form of retaliating against attacking infrastructure, automating incident response actions, or scrambling or moving the data the attacker wants as soon as a cyberattack begins.

January 2017 update

Ken Baylor (Founder of the Vendor Security Alliance, former CISO/CSO at Symantec, Pivotal, Nuance, and VP Security at Wells Fargo) weighs in:

To me, active defense is about flipping the asymmetry between defenders and attackers via cooperation among defenders. Today we defend our infrastructure in silos, even though vulnerabilities extend across peer companies and vendors. Meanwhile cyber-adversaries plan and execute sophisticated federated attacks across multiple targets at once. We can defend actively if we work together to defend and leverage each other’s resources.

One thing is for sure: new strategies are a must given an environment where defenses are a nightmare to monitor and guard at scale. Attackers today leverage asymmetric advantages that shred traditional defenses. Active defense — properly defined — presents the best conceptual foundation to formulate next-generation security innovations.


© 2022 Kenna Security. All Rights Reserved.