Debunking The Myths And Misconceptions Surrounding Active Defence

Introduction

At the national conference of the Australian Information Security Association (AISA), a panel was hosted to discuss Active Defence. Hacking back the hackers was the key theme discussed. In short, Active Defence is a cybersecurity theory which argues that the private sector could, under certain circumstances, be allowed to engage the adversaries head-on to deter, dissuade and neutralise them. The term "Active Defence" stems from the distinction that traditional theories of information security solely rely on "Passive" defence tactics that do very little to affect the emotions, the psyche and the technological infrastructure of the hackers behind the keyboard.

For many, "Active Defence" has become synonymous with hacking back the adversaries, which, as the reader can immediately observe, is illegal in most countries, and immediately sounds like a bad idea. After all, how could it be a good idea to poke the bear?

In this short opinion piece, we will aim to set the record straight on what "Active Defence" is, how it is practiced, where the value is for the private sector, and why some organisations use "Active Defence" tactics and strategies when responding to incidents (because some do).

Let’s Forget the Name "Active Defence" and Use "Adversary Management" Instead

First and foremost, the term "Active Defence" does very little to define what Active Defence really is, and people tend to almost immediately link it to hacking back. At Mossé Security, we prefer the terms "Adversary Management" and "Offensive Countermeasures".

Adversary Management and Offensive Countermeasures

Adversary Management is the process of engaging the adversaries to:

  • Confirm that the adversaries are who they say they are, and that they are not a copycat
  • Confirm if the adversaries have the capabilities to execute on their threat or if they are bluffing
  • Extend the deadlines of any threats to allow the organisation to improve its defences before further attack campaigns are started
  • Negotiate down the price of the extortion, ransom, or blackmail fees
  • Discover what made the adversaries target the organisation in the first place
  • Discover if the adversaries have other backdoors on the network that the incident response team may have missed
  • Dissuade the adversaries from coming back later for more money
  • Ensure that if a ransom or extortion fee is paid, the adversaries will not execute any other attacks or publish the stolen information
  • If possible, find out who the adversaries are and coordinate an international effort to get them arrested, or, at least, make it clear to them that cyberattacks will not be tolerated

In our experience, 95% of the time, Adversary Management solely relies on analytic, interrogation and negotiation skills. However, other instruments of power exist, and Mossé Security has created a high-level industry framework that includes psychological instruments (scare them), economic instruments (make the attacks unprofitable), misinformation (deceive them), operational cost (render their tools unusable), and prosecution (get them arrested).

We refer to all these instruments of power as the "Offensive Countermeasures". For further learning on this, read our whitepaper.

Debunking the Myths

Myth #1: CEOs and Board Members Want to Hack-Back the Hackers (Answer: Wrong)

We have never met an executive or board member who wished to hack back the adversaries. From our perspective, the debate on the private sector hacking back is moot and unproductive.

In our experience, executives and the board want to understand:

  • Is the threat real or not?
  • What made someone target us in the first place?
  • What were the gaps in our IT security programme that allowed the adversary to get in, if any?
  • What would it take for the attack(s) to stop and our data not to be sold on the Internet?
  • How flexible are the adversaries on their extortion fees?
  • How flexible are the adversaries on their deadline?
  • How can we be sure that they stole the data they claim to have stolen?
  • How can we be sure the adversary won’t come back later?
  • Who are the people behind the keyboard?
  • What could dissuade the adversaries from executing their plan, or how can we sabotage them?

In our experience, Adversary Management has proven more helpful than any other cyber security approach at successfully answering the questions above. The reason is that negotiating with the adversaries via emails or phone calls produces better intelligence than countless hours of crawling the Internet or buying expensive threat intelligence reports.

Myth #2: Adversary Management / Active Defence Could Start a War (Answer: Wrong)

If computer hacking could start a war, and given the amount of computer hacking activities against Australian organisations, how is it that we are not already at war against other nations because of computer hacking?

Most of the Adversary Management engagements we have delivered consisted of contacting the adversaries, building a communication channel with them, negotiating with them, and producing actionable intelligence based on our interactions with them. We have needed other instruments when the adversaries were conducting industrial espionage. In the case of espionage, the only leverage point that could ensure that the adversaries would cease their attacks was to uncover their identities and use that information to permanently dissuade them from using the stolen intellectual property and coming back.

Myth #3: Adversary Management / Active Defence Can Get You Jailed (Answer: Highly Unlikely)

What’s the chance cyber criminals are going to sue their victims for hacking them back? If Australian organisations are finding it so hard to prosecute overseas, how are criminals going to sue Australian organisations for having hacked them back?

We’re not questioning the fact that hacking-back is illegal in Australia; however, we find it hard to believe that criminals could sue back Australian organisations for computer hacking.

Myth #4: Adversary Tradecraft Is Complex and Cannot Be Properly Analysed (Answer: False)

We know of eight groups that employ what we would consider "complex tradecraft". For the most part, adversaries reuse old techniques and vulnerabilities, and they recompile known tools. They don’t clean up their forensic traces, and once they’ve been discovered, they behave in ways that can be anticipated.

The reason why our industry knows about so many adversary groups is because most attackers have terrible operational security and over long periods of time they are guaranteed to make significant mistakes that enable us to track them down.

Myth #5: Attribution Is Almost Impossible in Cyberspace (Answer: False)

Adversaries face the same IT security challenges as regular organisations: they don’t patch their workstations and servers, their hacking software has bugs, they forget to clean up their forensic traces, and they make dumb mistakes like uploading pictures of themselves on Facebook or forgetting to turn on Tor. Because of those failures in operational security, with every day that goes by, adversaries create opportunities for defenders and intelligence officers to discover their tradecraft, their motivations, their skill levels and, ultimately, their identities.

The FBI has publicly announced that they know the identities and locations of the top 100 cyber criminals. Firms that respond to many cyber incidents eventually discover who the hackers behind the keyboard are.

Debunking the Misconceptions

Misconception #1: Defenders Should Focus Their Efforts on Security Hygiene And Not Some Nonsense Attribution, Active Defence Stuff (False Dilemma)

Whilst we don’t debate the importance of good security hygiene, we don’t believe that hygiene and adversary management are incompatible activities, or that they are activities that compete with each other. For us, Adversary Management is an extension of the incident response lifecycle and it should be considered an integral component for any modern information security programme.

Misconception #2: If The Organisation Had Done [FILL IN THE BLANK] Then The Breach Would Not Have Been Possible (Hindsight Bias)

"Hindsight bias is the inclination, after an event has occurred, to see the event as having been predictable, despite there having been little or no objective basis for predicting it" – Wikipedia’s definition of Hindsight Bias.

Adversaries are incredibly creative, persistent and opportunistic. They exploit flaws in our software systems and ‘human vulnerabilities’ for which there are no simple solutions. If anticipating and preventing intrusions at scale were easy, most organisations would already have done it. Thus, the purpose of Adversary Management is to provide organisations with another instrument to survive breaches and minimise their consequences on the business and its customers.

Misconception #3: If Organisations Had Done [FILL IN THE BLANK] Then the Breach Would Not Have Happened in The First Place (Fallacy Of A Single Cause)

"Fallacy of the single cause (causal oversimplification) – it is assumed that there is one, simple cause of an outcome when in reality it may have been caused by a number of only jointly sufficient causes" – Wikipedia’s definition of the Fallacy of a Single Cause.

After having responded to 100+ incidents and delivering 350+ attack simulations, our professional opinion is that cyber security success should not be reduced to a checklist of essential security controls or assumptions. Enforcing "cyber security hygiene" in large computer networks, distributed over multiple states or countries, for long periods of time is a task no one that we know seems to have achieved. We thus recommend that security professionals equip themselves with additional strategies and tactics like Adversary Management and the Offensive Countermeasures rather than reduce the complexities of delivering good IT security in the enterprise to a few sound-bites that will do little to dissuade real adversaries in the long term.

What About Law Enforcement?

Isn’t law enforcement’s role to find and prosecute cyber criminals? Isn’t it the federal intelligence agencies’ role to deal with nation-state adversaries?

In theory, yes, and all the people from those organisations that we have met were extremely dedicated to those missions. But they also all acknowledged the difficulty of those tasks and the absence of resources required to help more victims of cyberattacks. The end result is that many organisations are still left to fend for themselves without real law enforcement support.

Lessons for Information Security Professionals

Lesson #1: Hackers Have Mums

Adversaries are normal people. They can be emotionally, psychologically, economically, and politically influenced like any other person. Therein lies the power of Adversary Management and the Offensive Countermeasures.

Lesson #2: Hackers Are Individuals with Whom You Can Negotiate

Given that adversaries are normal people, you can negotiate with them. It is possible to negotiate the prices of ransoms or extortion fees down, and it is possible to teach adversaries what are acceptable or unacceptable demands and behaviours.

Lesson #3: Defenders Need Techniques to See Through Attacks That Leverage Deception as a Primary Way of Achieving Success Over A Target

Deception is one of the most powerful instruments of power adversaries have, if not the most powerful, because it impedes the defenders’ decision-making process and thus, in times of crisis, leads us into making decisions that may worsen our situation.

A good information security professional should be equipped with structured analytics and crisis management techniques that quickly clarify the extent of a security intrusion, the business consequences, the skill-level of the hackers behind the backdoors, and their ability to hurt the organisation. Adversary Management is a field that ultimately attempts to provide those techniques.

Lesson #4: Hackers Can Be Found

Over long periods of time, defenders have the advantage over the attackers. We can find their identities and get them arrested. In the case of nation-state sponsored attacks, governments also have numerous instruments of power to force adversaries into slowing down or completely stopping their attacks. We do acknowledge, however, that the theory is easier said than done, and that smaller countries are often placed in a lose-lose situation whereby they cannot enforce good cyber security behaviour on larger countries, nor can they defend themselves against those countries. We believe that achieving cyber peace between nations is an area that still requires abundant research.

More information?

If the topics of Adversary Management and Offensive Countermeasures interest you, we recommend that you read our whitepaper entitled "An Introduction to the Offensive Countermeasures". In this whitepaper we propose a high-level framework that we have developed to assist people in our industry to engage in more intelligent and informed conversations on these topics.

Join our Conversation!

We invite you, the reader, to reach out to us via email if you are inclined to respond to our blog post or discuss the topic with us in person or via telephone. Let’s hear from you!