Active Cyber Defense

NIST defines Active Cyber Defense as a "synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities." In a nutshell, that means using strategies to actively predict, prevent, detect and combat cyber intrusion.

Across business domains, leaders take active approaches to strategy to prepare for any threats or opportunities that might arise. We do it in our personal lives. We take vitamins, not because we are sick but because we want to stay healthy. I eat broccoli, not because it is my favorite, but because I know my body needs the nutrients it provides. We take courses and training, not because of the position we are in, but because of the positions that might be available in the future. It is past time we brought the same active engagement to cyber security.

Often we think of cyber criminals as lone wolves working in a basement, and that might have been the case 40 years ago. Today, cyber criminals work as a team, often supported by well-funded criminal organizations or even nations with huge budgets. The landscape has changed in the last 40 years, but somehow our thinking has not adapted with it. The defenders are still playing catch-up. We have to remember – we have home field advantage and it is time we used it.

In order to proactively combat offensive cyber criminals, we must first attempt to think with an offensive perspective. Offensive cyber criminals are broadly broken into three motivational categories: 1) financial, 2) hacktivist, 3) thrill seeking. To properly defend, think offensively. How would each of these attack differently? The answer to that is as diverse as each organization. Think about your organization – what financial gain could be had; what social or political message could be sent; what areas of opportunity are present for a digital daredevil.

Defensive cyber professionals have developed a robust communication network to announce the latest cyber attack methodologies. To actively defend, cyber defenders must monitor and actively participate in the discussions surrounding cyber activities. In short, stay informed. Shared information makes each of us better at defending our networks.

Cyber defenders must stay vigilant in seeking current threats. When is the last time your organization performed a thorough threat hunt? Cyber defenders must work at the edge of their networks, but must also work internally to actively seek intruders that have a foothold within the network. Purposeful and deliberate activities to find and locate any intrusions are essential to staying secure. A simple but effective measure is a honeypot server. Deploy a single server and give no one access to it. Then monitor attempts to access that server. That is very likely to give you a great deal of information about what is happening in your network.
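As an added example (not code from the original article), a minimal loopback TCP honeypot in Python that implements the idea above: it accepts any connection, records the source address and the first bytes the visitor sent, and tallies attempts per source. Because nobody is authorized to use it, any entry in that tally is a lead for the threat hunt. The `probe` helper is a self-test client constructed for this example, not something a real deployment needs.

```python
import socket
import threading
import time
from collections import Counter

class Honeypot:
    def __init__(self, host="127.0.0.1", port=0):   # port 0: let the OS pick
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.events = []            # (unix_time, src_ip, src_port, first_bytes)
        self._lock = threading.Lock()
        # Daemon thread: the accept loop dies with the process, no cleanup needed.
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, (ip, port) = self.sock.accept()
            except OSError:          # listener closed: stop serving
                return
            conn.settimeout(0.5)
            try:
                data = conn.recv(256)   # keep the banner/request the visitor sent
            except OSError:             # includes socket.timeout
                data = b""
            finally:
                conn.close()
            with self._lock:
                self.events.append((time.time(), ip, port, data))

    def wait_for(self, count, timeout=2.0):
        deadline = time.time() + timeout   # poll until `count` events are recorded
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return True
            time.sleep(0.01)
        return False

def attempts_by_source(events):
    """Attempts per source IP; with no legitimate users, any count > 0 is a lead."""
    return Counter(ip for _, ip, _, _ in events)

def probe(port, payload, host="127.0.0.1"):
    """Self-test client (constructed for this example): one connection, one send."""
    with socket.create_connection((host, port)) as c:
        c.sendall(payload)
```

In a real deployment the listener would run on the real network, bind the ports an intruder would expect to find, and forward `events` to the SIEM rather than keeping them in memory.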

Detecting cyber criminals requires a robust IDS and IPS, but active defense does not stop there. (How many of you lock your doors at night, but leave the windows open?) Use the IDS and IPS, but also actively seek to mitigate the threats by training every person in the organization to recognize anomalous activities and report them. The Oldsmar, Florida water system was attacked. An alert operator saw anomalous activity and took action. All of our organizations should have trained personnel that notice cyber criminal efforts and respond. Often it is a simple spam email, or a malicious website. Train staff to actively report anything unusual. It may be nothing or it might be the leading wave of a cyber tsunami attack.

Seek and eliminate vulnerabilities in your systems. Conducting regular penetration testing and vulnerability assessments will allow your organization to proactively reduce the cyber threats. A detailed 360-degree assessment will seek to exploit your systems with the same tactics and competencies as the cyber adversaries you defend against. Knowing the techniques and strategies that are used will allow you to actively defend your network and systems.

Lastly, performing a surface-level vulnerability scan will show if the doors are locked, but a window is open. Far too often a routine scan of a network or system reveals a significant vulnerability that has gone unnoticed by the internal staff. Constraints on time and resources often leave room for errors. Familiarity also allows for vulnerabilities to be overlooked. A third-party review can reveal exploitation opportunities that can be quickly addressed and remediated.

There is no room for complacency — take your vitamins and eat your vegetables. The cyber bad guys are working around the clock to reap the rewards of breaking your system; invoking an active cyber defensive strategy gives you the home field advantage.