The internet no longer is the territory of only the technologically savvy. The intertwining of cyberspace with everyday activities demands that most everyone have at least a basic understanding of cyber concepts. Active cyber defense is one of those concepts.
Active defense is relatively easily defined in the land, air, sea, and space domains, but it has not attained the same congruity in the cyber domain. There is not yet universal agreement on what constitutes active cyber defense—although most definitions share the theme of taking action—and many defensive measures differ from offensive measures only in intent. The military doctrine for patrol base operations offers one model for understanding active cyber defense.
A Patrol Base Operations Analogy
First, active defenses do not replace passive defenses. Patrol base sites are chosen with concealment and protection in mind and are occupied as stealthily as possible. Strong perimeter defenses, with camouflaged fighting positions covering the surrounding area with interlocking fields of fire, are necessary. Patrol base defenses equate to many passive cyber defenses, such as access controls, cyber hygiene practices, and firewalls.1
Active cyber defenses, on the other hand, more closely relate to patrols.
There are two main types of patrols, reconnaissance and combat. Reconnaissance patrols are deliberate actions targeting areas of interest. The cyber equivalent is a key component of active cyber defense and may be one of the primary means of preventing or discovering attacks, but it also brings up legal and authority concerns.2 The principal difference between cyber reconnaissance and cyber espionage is intent, and intent is hard to prove.
Combat patrols generally are divided into four types: security, ambush, contact, and raid. Security patrols search the area around the patrol base, engaging any enemy found, and are comparable to intrusion-detection/prevention systems that search defended systems for evidence of compromise. Security patrols are planned and initiated by the headquarters element, but during execution they conduct their tasks independently. Intrusion-detection/prevention systems can be used in a similar way: After being enabled by system administrators, they can locate and automatically block any suspicious activities in the system. Intrusion-detection/prevention systems also can identify any contacts to system administrators (like the security patrol reporting back to headquarters), with the human in the chain determining if more action is necessary.
Ambush patrols, comparable to “honeypots,” are established in areas of likely enemy activity, sometimes with tantalizing bait, and engage the enemy if they show up.3 Cyber ambushes are set up to appear to be inside the defended system, using information desirable to attackers as bait, and once set, can react automatically. There is some danger of innocent persons being lured in, but the probability of this is low. The design of the honeypot can be such that a random searcher likely would not end up there, only those intent on malicious activity.
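The two mechanisms just described, the security patrol that sweeps logs and reports contacts to a human, and the ambush that springs automatically when bait is touched, can be shown together in a small monitor. The following Python is an added example written for this page, not code from the article or any product it mentions. The log format, the honeytoken values, the IP addresses (taken from documentation ranges), and the threshold of five failed logins are all constructed assumptions; the design point is that the bait values are random-looking so a casual user would not stumble onto them, and that touching bait is blocked at once while mere suspicious volume is only reported for a human decision.

```python
"""Honeytoken and brute-force monitor (added example, not from the article).

Constructed log line format:
  <timestamp> <src_ip> <user> <method> <path> <status> key=<api_key or ->
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed bait. The values never occur in legitimate traffic and are not
# guessable, so only someone deliberately browsing or stealing them trips the trap.
HONEYTOKENS = {
    "/internal/finance/q3-forecast-7f3a9c.xlsx": "honey-document",
    "AKIAHONEY4D2F9B1C0E77": "honey-api-key",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) key=(?P<key>\S+)$"
)


@dataclass
class Finding:
    src: str
    kind: str         # "honeytoken" (ambush) or "bruteforce" (security patrol)
    detail: str
    auto_block: bool  # True: blocked without waiting for an operator


@dataclass
class Monitor:
    bruteforce_threshold: int = 5
    blocked: set = field(default_factory=set)
    failures: Counter = field(default_factory=Counter)
    findings: list = field(default_factory=list)

    def process(self, line: str):
        """Classify one log line; return a Finding if it produced one."""
        m = LOG_RE.match(line)
        if not m:
            return None  # unparseable line: ignored here, would be counted in production
        ev = m.groupdict()
        src = ev["src"]

        # Ambush: an exact match on a honeytoken is high-confidence malicious.
        # Block the source immediately and record the contact for the operators.
        for value in (ev["path"], ev["key"]):
            if value in HONEYTOKENS:
                self.blocked.add(src)
                f = Finding(src, "honeytoken",
                            f"{HONEYTOKENS[value]} touched by user {ev['user']}", True)
                self.findings.append(f)
                return f

        # Security patrol: repeated authentication failures are reported once the
        # threshold is crossed, but the decision to act is left to a human.
        if ev["status"] in ("401", "403"):
            self.failures[src] += 1
            if self.failures[src] == self.bruteforce_threshold:
                f = Finding(src, "bruteforce", f"{self.failures[src]} auth failures", False)
                self.findings.append(f)
                return f
        return None

    def report(self):
        """Lines sent to the administrators (the patrol reporting back)."""
        return [f"{'BLOCKED' if f.auto_block else 'REVIEW '} {f.src}: {f.kind} ({f.detail})"
                for f in self.findings]


# Constructed sample log: one normal user, one password-guessing source, one
# near-miss on the bait directory, and two sources that touch honeytokens.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 alice GET /reports/weekly.pdf 200 key=-
2024-05-01T10:00:02Z 198.51.100.9 - POST /login 401 key=-
2024-05-01T10:00:03Z 198.51.100.9 - POST /login 401 key=-
2024-05-01T10:00:04Z 198.51.100.9 - POST /login 401 key=-
2024-05-01T10:00:05Z 198.51.100.9 - POST /login 401 key=-
2024-05-01T10:00:06Z 198.51.100.9 - POST /login 401 key=-
2024-05-01T10:00:07Z 203.0.113.5 alice GET /internal/finance/ 404 key=-
2024-05-01T10:00:08Z 203.0.113.77 bob GET /internal/finance/q3-forecast-7f3a9c.xlsx 200 key=-
2024-05-01T10:00:09Z 192.0.2.44 svc GET /api/v1/export 200 key=AKIAHONEY4D2F9B1C0E77
2024-05-01T10:00:10Z 198.51.100.9 - POST /login 401 key=-
"""


def run(log: str = SAMPLE_LOG) -> Monitor:
    mon = Monitor()
    for line in log.splitlines():
        mon.process(line)
    return mon


if __name__ == "__main__":
    print("\n".join(run().report()))
```

The near-miss request to the bait directory produces nothing, because the trap fires only on an exact token value; the password-guessing source is reported but not blocked, since volume alone is not proof of intent and the operator makes that call.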
Moving farther from the patrol base (or the defended system) are contact patrols. Contact patrols may be used to gain or maintain contact with the enemy; the cyber equivalent is maintaining contact with an attacker by “returning fire” with so-called white worms or other measures.4 There are many methods, such as IP spoofing and cutouts, to mask the true location of an attacker, so depending on the type of counterattack, automated countermeasures have the potential to affect compromised but innocent systems.
Cyber defenses that automatically trace the attack back to its source are appropriate for everyone, including private citizens, but higher “lethality” counterattacks, such as those that return data from or cause permanent damage to the attacking system, should be requested and approved by a government body established for this purpose, with the level of response dependent on the potential impact of the losses. For example, the video-streaming company Netflix may be approved only to trace-back and conduct limited searches on attacking systems for attribution purposes, whereas a utility may be preapproved for the full extent of automated counterattack because of the severity of a potential blackout. This is comparable to the different types of fire-support authorities granted to contact patrols, as different levels of enemy contact, combined with different levels of potential collateral damage, are planned for.
The final type of patrol is the raid. The equivalent in cyberspace generally is considered offensive action unless the origin of the cyber attack can be identified and there is a chance data taken in the attack can be retrieved or destroyed or an attack prevented/preempted. Raids are well-planned, highly coordinated, limited-objective patrols with a specific mission and a planned withdrawal. The level of information needed is very high, and it is unlikely civilian companies could obtain this type of information without conducting detailed reconnaissance, which should require government approval. Likewise, any intrusion of and permanent change to a foreign system—by either civilian or government organizations—should require approval by the proposed government body, since this is, in effect, an attack.
Shedding Light
As cyber capabilities grow and the world becomes more and more interconnected, the questions surrounding cyber defense likely will increase faster than answers can be provided. The patrol base model compares practices built on years of experience to a relatively new and rapidly changing field and thus is imperfect, but it offers another way of looking at active cyber defense in the hope that comparing the well known to the lesser known can shed some light.
1. Robert S. Dewar, “The ‘Triptych of Cyber Security’: A Classification of Active Cyber Defence,” in 2014 6th International Conference on Cyber Conflict, ed. P. Brangetto, M. Maybaum, and J. Stinissen (Tallinn, Estonia: NATO CCD COE Publications, 2014); Irving Lachow, “Active Cyber Defense: A Framework for Policymakers,” Center for a New American Security, February 2013, www.cnas.org/files/documents/publications/CNAS_ActiveCyberDefense_Lachow_0.pdf.
2. Center for Strategic and International Studies, “CSIS/DOJ Active Cyber Defense Experts Roundtable,” 10 March 2015, http://csis.org/publication/csisdoj-active-cyber-defense-experts-roundtable; Lachow, “Active Cyber Defense”; James A. Lewis, “Cyberwar Thresholds and Effects,” IEEE Security & Privacy (September/October 2011): 23–29; Pierluigi Paganini, “The Offensive Approach to Cyber Security in Government and Private Industry,” INFOSEC Institute, 18 July 2013.
3. “A honeypot is a trap set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems.” Wikipedia, s.v. “honeypot.”
4. Wenlian Lu, Shouhuai Xu, and Xinlei Yi, “Optimizing Active Cyber Defense,” in Decision and Game Theory for Security: 4th International Conference, GameSec 2013, Fort Worth, TX, 11–12 November 2013, Proceedings, ed. Sajal K. Das, Cristina Nita-Rotaru, and Murat Kantarcioglu (Switzerland: Springer International Publishing, 2013), 206.