
Into the Gray Zone: Considering Active Defense

Most engineers focus on purely technical mechanisms for defending against various kinds of cyber attacks, including “the old magic bullet,” the firewall. The game of cannons and walls is over, however, and the cannons have won; those who depend on walls are in for a shocking future. What is the proper response, then? What defenses are there? The reality is that, just as in physical warfare, the defenses will take some time to develop and articulate.

One very promising line of thinking is that of active defense. While the concept is often attributed to some recent action, active defense has been one form of warfare for many centuries; there are instances of what might be called active defense outlined in the Bible and in Greek histories. But it is only recently, in light of the many wars around Israel, that defense in depth has taken on its modern shape in active defense. What about active defense is so interesting from a network security perspective? It is primarily this: in active defense, the defender seeks to tire an attacker out by remaining mobile, misdirecting the attacker, and using every opportunity to learn about the attacker’s techniques, aims, and resources to reflect these back on the attacker.

This is not the same as hacking back, which tries to use the attackers’ tools against them; often hacking back is actually illegal and unethical, as it can easily harm innocent bystanders. Hacking back also opens up a new set of attack vectors; if someone can make you react to an attack by attacking a third party, the consequences would be far worse than having done nothing at all.

So what does active defense consist of in the world of network security? Georgetown University undertook a study of how to apply active defense to cyber security, and issued a report called Out of the Gray Zone detailing the results. They identified eleven steps, seven of which are considered low risk —

Source: Into the Gray Zone: Active Defense by the Private Sector against Cyber Threats

  • Information Sharing, which just means sharing information with others who might be under attack, so everyone gains a better understanding of the threats being exploited, the scope of the attack surface, and the nature and motivations of the threat actor. This is, in reality, one of the most difficult steps to achieve, as it is often hard to convince “management” and “legal” that it is in everyone’s best interest to share this kind of information.
  • Tar pits and Honey Pots, which serve many different purposes. First, they slow the threat actor down as they try to sort out whether the information they have encountered is real or not. Second, they expose the threat actor’s actions in what should be a heavily monitored network location, allowing defenders more information to work with in countering the attack.
  • Denial and Deception, which generally consists of adding bad information into good information that is being leaked, so the threat actor distrusts the information they are receiving.
  • Hunting, which just means evicting adversaries from the network and systems.
  • Notification Beacons, which alert defenders about exfiltrated information.
  • Information Beacons, software that acts from within exfiltrated data to report back on its location, environment, and method of transport.
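As an added illustration of the Notification Beacons item (example code written here, not taken from the post or the report), the following embeds a per-recipient beacon URL in each shared copy of a document and then reads the collector's access log to tell the defender which copy was opened, and from where. The collector host, secret and log lines are constructed for the example.

```python
"""Notification beacon (canary) for shared documents: each copy gets a unique,
unguessable beacon URL. A hit on that URL tells the defender which copy was
exfiltrated and from which address; tokens never issued indicate probing."""
import hashlib
import hmac
import re

# Constructed example secret; in practice load it from a secrets manager.
BEACON_SECRET = b"constructed-example-secret"
BEACON_HOST = "beacon.example.invalid"  # hypothetical collector host

def make_beacon_token(doc_id: str, recipient: str) -> str:
    """HMAC binds the token to (document, recipient), so tokens cannot be forged or enumerated."""
    msg = f"{doc_id}|{recipient}".encode()
    return hmac.new(BEACON_SECRET, msg, hashlib.sha256).hexdigest()[:16]

def beacon_url(doc_id: str, recipient: str) -> str:
    """URL embedded in the copy handed to `recipient` (for example as a remote image reference)."""
    return f"https://{BEACON_HOST}/b/{make_beacon_token(doc_id, recipient)}.png"

# Combined log format as written by the collector's web server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /b/(?P<tok>[0-9a-f]{16})\.png HTTP/1\.[01]" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def alerts_from_log(lines, issued):
    """issued maps token -> (doc_id, recipient). One alert per beacon hit; hits on
    tokens that were never issued are reported too (someone probing the collector)."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated request on the collector host
        doc_id, recipient = issued.get(m["tok"], (None, None))
        alerts.append({"doc": doc_id, "shared_with": recipient, "src_ip": m["ip"],
                       "time": m["ts"], "ua": m["ua"], "known_token": doc_id is not None})
    return alerts

# Constructed demo data: one document shared with two partners, then a log with one hit.
ISSUED = {make_beacon_token("Q3-forecast.xlsx", r): ("Q3-forecast.xlsx", r)
          for r in ("partner-a", "partner-b")}
SAMPLE_LOG = [
    f'203.0.113.7 - - [02/Mar/2017:10:14:03 +0000] "GET /b/{make_beacon_token("Q3-forecast.xlsx", "partner-b")}.png HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Mar/2017:10:14:04 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Mar/2017:11:00:00 +0000] "GET /b/0123456789abcdef.png HTTP/1.1" 404 0 "-" "curl/7.52"',
]

if __name__ == "__main__":
    for alert in alerts_from_log(SAMPLE_LOG, ISSUED):
        print(alert)
```

Running it reports that the copy shared with partner-b was opened from 203.0.113.7, and flags the unknown token from 198.51.100.9 as a probe rather than a leak.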

The five higher risk steps, such as intelligence gathering and botnet takedowns, are reserved in the paper for use “in cooperation with government authorities.” Some of these mechanisms should be reserved for use after some local authority has been notified, and has given legal clearance to move forward. Some of them (such as sanctions and indictments) would require moving through legal processes either in the law enforcement or political realms.

This is just a short overview of the paper, of course—the entire report is well worth reading, as it should spur your thinking about what active defense might look like in your network.

By Russ White, Infrastructure Architect at Juniper Networks
