Act or react? Fostering a tactical mindset within the private sector

The law of self-defense is an almost universally accepted concept. From the biblical eye-for-an-eye to the modern Castle Doctrine, private individuals have been accorded the right to actively defend themselves against personal attack. Perhaps the time has come to overlay this concept onto the cyber battleground.

George Washington University’s (GWU) Center for Cyber & Homeland Security in 2016 released a spectacularly insightful and comprehensive analysis of the potential for the private sector to actively defend against cyber intrusion, exploitation, and attack.

Per the GWU report: “Active Defense is a term that captures a spectrum of proactive cybersecurity measures that fall between traditional passive defense and offense. These activities fall into two general categories, the first covering technical interactions between a defender and an attacker. The second category of Active Defense includes those operations that enable defenders to collect intelligence on threat actors and indicators on the Internet, as well as other policy tools (e.g. sanctions, indictments, trade remedies) that can modify the behavior of malicious actors. The term Active Defense is not synonymous with “hacking back” and the two should not be used interchangeably.

The scope of an active defense

So, if Active Defense and hacking back are not synonymous, what exactly is the scope of Active Defense? How can these measures be applied, legally and properly, in the real world? What level of attribution is required for targeting an Active Defense campaign, and what measures may be appropriate according to actor and circumstance? Is there a role for the federal government in enabling active defenders and eliminating or restricting liability for these actions?

The Department of Defense Dictionary of Military and Associated Terms defines Active Defense as “the employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.” Within the constraints of the military definition, the exercise of Active Defense seeks not to counter the adversary, it counters the capability or geospatial location (device). Within the reasonable constraints of the Private Sector, this definition serves as a practical model for returning fire. The adversary (nation-state, organization, server) are not targeted, but the specific attack or technology used to facilitate the attack are fair game. On a very localized level, Active Defense can involve self-evaluation with tools such as Shodan – to discover which of your devices are connected to the internet, where they are located and who is using them – and Metasploit – to target these discovered device and conduct a scripted vulnerability search.

The need for U.S. government support

With the growing number of technical attack vectors that include, in part, ransomware, Mirai botnets, remote access Trojans, and the like, Active Defense can entail increasingly severe or potentially damaging responses. The Department of Justice (DOJ), in conjunction with the Department of Homeland Security DHS), should issue public guidance to the private sector with respect to Active Defense measures that it deems appropriate.

Protections put in place by the 2015 Cybersecurity Information Sharing Act (CISA) established a precedence for shielding private sector infrastructure providers against liability or regulatory/compliance actions for information sharing done in good faith for the benefit of all. In a perfect Active-Defense enabled environment, DOJ would decline to pursue criminal or civil action for Active Defense initiated in response to an event and designed to protect an entity’s information or critical infrastructure assets.

Outhink and outmaneuver

United States Air Force Col. John Boyd (1927-1997) in his 1961 The Essence of Winning and Losing, describes his basis for success in aerial combat maneuvers as the theory of Observe, Orient, Decide, and Act (OODA) loop cycle. Boyd says every action is based on this continual loop and how fast a person (or in our case, a machine or its Human Machine Interface (HMI) operator) can process through it.

If you are able to reset the other person’s OODA loop, you will be able to obtain valuable time you can use to perform your action prior to the other person performing theirs. A specific cyber example is the practice of tarpitting, which allows a tarpitted port to accept any incoming TCP connection. When data transfer begins to occur, the TCP window size is set to zero, so no data can be transferred within the session. The connection is then held open, and any requests by the remote side to close the session are ignored.

This means that the attacker must wait for the connection to timeout in order to disconnect. This delay protects the network, interrupts the adversary OODA loop, and allows an opportunity for measured human or automated response.

Automated response to attack

The OODA loop of a network occurs at speeds beyond human duplication. As such, prior planning, and equally important, prior permission, is vital to allow defending systems to delay or circumvent their adversary’s OODA. One of the first commercial off-the-shelf tools to engage at network speed was created in 2004, when a company released a commercially available security platform that could “execute appropriate countermeasures” against a cyber threat.

The system offered user graduated response levels and offered a range of options for the user that exceeded the “passive” defenses of other security products. The company also created a white paper on potential rules of engagement that discussed the application of the military principles of necessity, proportionality, and countermeasures.  This linked the capabilities of the new system directly back to Joint Publication (JP) 1-02 Dictionary of Military and Associated Terms, (2012) which described the concept of Active Defense.

Automated countermeasures arrived more than a decade ago

The graduated response allowed the operator, or the autonomous system, to implement challenging procedures, honeypots, quarantines, reflection, and blacklisting upstream providers in an escalating series of options. What it did not include within its toolkit was the vast resources of United States government. Among the Active Defense tools reserved for public sector are sanctions, embargoes, restrictions, and diplomatic démarches.

Putting the attribution issue to bed

As mentioned earlier, the shadow of responsibility and potential liability that falls upon the defender exercising Active Defenses has typically been one of attribution, followed immediately by necessity, proportionality, and countermeasures. A clever adversary will not conduct a direct attack, but create a botnet of vulnerable devices and systems (Mirai botnet utilizing the Internet of Things) or redirect traffic through an unprotected server, device, or network. 

Attribution may be a traditional but unnecessary restraint when targeting, via Active Defense, the specific attack or technology used to facilitate the attack. With necessity, proportionality, and countermeasures in mind it is hard to continue making the argument that the difficulties in attributing cyber events would make Active Defense an inflammatory response. 

There are no innocent systems

So, what to do with the “innocent” systems exploited for use in cyber intrusions? I propose that there are no innocent systems and the time has come to lean forward and clean up the cyber neighborhood. Imagine the house next to yours as abandoned, with unkempt landscaping and broken windows. Most municipalities have laws against such nuisance structures and rightly so. These laws were put in place because such structures draw adversaries (criminals), lower property values (network degradation), and create liabilities for those forced to interact (DDoS) or reside near (the internet) the nuisance estate. Cyberspace is no different. 

An unprotected server, an unchanged factory password, and a lack of security development in parallel with software development creates the same adverse conditions in the cyber neighborhood. There is an arguable need for such nuisance or neglected systems to be isolated, blacklisted, or otherwise neutralized in order to protect the other residents. Just as in the physical realm, once an offending system is identified, the government should have the capability and fortitude to step forward and correct the situation. In the absence of or interim until government response corrects such a situation, those negatively affected by the situation (the cyber neighborhood association) should be empowered to take reasonable action to correct the problem and thus neutralize the adversary.

Summary

The right of self-defense is almost universal. The private sector, in defense of organizational assets and National Critical Infrastructure, should be granted that right as would be any corporal entity until such time as public sector (government) forces can be brought to bear on the offender’s enabling party (nation-state). Active Defense does not equal “hacking back.” Properly applied and in keeping with the military principles of necessity, proportionality, and countermeasures, an Active Defense can target the attacking technology or device of the adversary without broader nation-state impact.

Automated systems exist that allow graduated, network speed Active Defenses.  Techniques such as tarpitting delay an attacker and may allow a defender to defeat the adversary’s OODA cycle loop, creating a tactical advantage and improving chances of victory.

Support of the US government via the Departments of Justice and Homeland Security, in the form of CISA-like liability protections, are essential to enabling Active Defense in the private sector.