Active defense

Active defense can refer to a defensive strategy in the military or cybersecurity arena.

In the cybersecurity arena, active defense may mean "asymmetric defenses," namely defenses that increase costs for cyber-adversaries while reducing costs for cyber-defenders. [1] For example, an active defense data protection strategy leverages dynamic data movement, distribution, and re-encryption to make data harder to attack, steal, or destroy. [2] Prior data protection approaches relied on encryption of data at rest, which leaves data vulnerable to attacks including theft of ciphertext, cryptographic attack, attacks on encryption keys, destruction of encrypted data, ransomware attacks, insider attacks, and others. Three ACM computing conferences have explored Moving Target Defense (MTD) as a strategy for network- and application-level security as well, for instance by rotating IP addresses or dynamically changing network topologies. [3] Production implementations of MTD are provided by companies for applications including legacy systems, communications, and election security. [4] Additionally, "active defense measures" is often used as another term for offensive cyber operations (OCOs) or computer network attacks (CNAs).
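As an added illustration of the data-protection strategy described above (this is not code from the page or from any vendor named on it), the following Python sketch fragments a secret across several storage locations, then re-encrypts every fragment under a fresh key and moves it. The `MovingTargetStore` class, the location names and the HMAC-SHA256 keystream used as a stand-in cipher are all assumptions; what it shows is that a copy of ciphertext taken before a rotation is useless with a key obtained after it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (illustrative stand-in, not a production cipher)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


@dataclass
class MovingTargetStore:
    """Hypothetical store: each fragment is (location, nonce, ciphertext) and keeps moving."""
    locations: list
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    fragments: list = field(default_factory=list)

    def put(self, plaintext: bytes, n_fragments: int = 3) -> None:
        size = -(-len(plaintext) // n_fragments)  # ceiling division
        self.fragments = []
        for i in range(n_fragments):
            nonce, chunk = secrets.token_bytes(12), plaintext[i * size:(i + 1) * size]
            self.fragments.append((self.locations[i % len(self.locations)], nonce,
                                   keystream_xor(self.key, nonce, chunk)))

    def rotate(self) -> None:
        """Re-encrypt every fragment under a fresh key and move it to a different location."""
        new_key, rng, moved = secrets.token_bytes(32), secrets.SystemRandom(), []
        for loc, nonce, ct in self.fragments:
            plain = keystream_xor(self.key, nonce, ct)
            new_nonce = secrets.token_bytes(12)
            new_loc = rng.choice([x for x in self.locations if x != loc])
            moved.append((new_loc, new_nonce, keystream_xor(new_key, new_nonce, plain)))
        self.fragments, self.key = moved, new_key

    def get(self) -> bytes:
        return b"".join(keystream_xor(self.key, n, ct) for _, n, ct in self.fragments)


def stale_copy_after_rotation(secret: bytes) -> tuple:
    """Return (what the store yields now, what a pre-rotation ciphertext copy yields with the post-rotation key)."""
    store = MovingTargetStore(["us-east", "eu-west", "ap-south"])
    store.put(secret)
    stale = [(n, ct) for _, n, ct in store.fragments]  # ciphertext copied before rotation
    store.rotate()
    view = b"".join(keystream_xor(store.key, n, ct) for n, ct in stale)  # new key on old data
    return store.get(), view
```

The same mechanism also blunts theft of a single fragment: each location holds only a slice, and the slice it held last epoch is no longer the one it holds now.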

Some have defined active defenses as including deception or honeypots, which seek to confuse attackers with traps and advanced forensics. [5] Examples of such honeypot technologies include Illusive Networks, [6] TrapX, [7] Cymmetria, [8] Attivo, [9] and others. Other types of active defense might include automated incident response, which attempts to tie together different response strategies in order to increase the work required of attackers and decrease the work required of defenders. [10]
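The deception and automated-response idea in this paragraph, as an added example (not from the page or from any of the named vendors): the script below scans constructed authentication log lines for activity against decoy accounts that no legitimate workflow uses, and maps each offending source address to a response action. The log format, the decoy names, the sample addresses and the action labels are all assumptions.

```python
import re

# Constructed decoy accounts: they exist only as bait and no real workflow uses them.
DECOY_ACCOUNTS = {"svc_backup_legacy", "admin_dr_test"}

# Assumed log format: "<timestamp> auth <OK|FAIL> user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample events; the external addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth OK user=alice src=10.1.1.5
2024-05-01T10:00:07Z auth FAIL user=bob src=10.1.1.9
2024-05-01T10:01:15Z auth FAIL user=svc_backup_legacy src=198.51.100.23
2024-05-01T10:01:16Z auth OK user=admin_dr_test src=198.51.100.23
2024-05-01T10:02:00Z auth OK user=alice src=10.1.1.5
garbage line that does not parse
"""


def analyse(log_text: str, decoys=frozenset(DECOY_ACCOUNTS)) -> dict:
    """Flag every use of a decoy account and choose one response per source address."""
    alerts, unparsed = [], 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1  # malformed lines are counted rather than silently dropped
        elif m["user"] in decoys:
            alerts.append(m.groupdict())
    actions = {}
    for src in {a["src"] for a in alerts}:
        # Any touch of a decoy is high confidence: legitimate users have no reason to know it.
        # A successful decoy login means the bait credential itself leaked, so escalate.
        succeeded = any(a["src"] == src and a["result"] == "OK" for a in alerts)
        actions[src] = "isolate_host_and_revoke_sessions" if succeeded else "block_source_and_page_oncall"
    return {"alerts": alerts, "actions": actions, "unparsed": unparsed}
```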

National Contexts

USA

The U.S. Department of Defense defines active defense as: "The employment of limited offensive action and counterattacks to deny a contested area or position to the enemy." [11] This definition does not specify whether it refers to physical or cyber-related actions. Recently, the Department of Homeland Security and financial institutions have identified active defense as a top priority for securing industrial infrastructure systems. [12] As part of a broader push for greater resiliency, the National Institute of Standards and Technology (NIST) 800-160 Volume 2 framework has gone further, providing guidance on standardization for active defense. [13] [14]

China

China describes its military posture as active defense, defined in a 2015 state white paper as "We will not attack unless we are attacked, but we will surely counterattack if attacked." [15]

References

  1. Burshteyn, Mike (2016-12-22). "What does 'Active Defense' mean?". CryptoMove. Retrieved 2016-12-24.
  2. CryptoMove (archived 2021-02-06 at the Wayback Machine) invented such technology, which protects data by constantly moving, distributing, mutating, and re-encrypting it.
  3. "Second ACM Workshop on Moving Target Defense (MTD 2015)". mtd.mobicloud.asu.edu. Retrieved 2016-12-25.
  4. "Dispel Launches Election Security Platform". securityweek.com. 15 February 2018. Retrieved 2018-06-15.
  5. "Implementing Active Defense Systems". SANS White Paper.
  6. "illusive networks: The Leader In Deception Technology". www.illusivenetworks.com. Retrieved 2016-12-24.
  7. "TrapX Security". trapx.com. Retrieved 2016-12-24.
  8. "Home - Cymmetria". Cymmetria | Cyber deception. Retrieved 2016-12-24.
  9. "Deception-Based Threat Detection - Attivo Networks". Attivo Networks. Retrieved 2016-12-24.
  10. SANS WhitePaper on Incident Response and Active Defense, https://www.sans.org/reading-room/whitepapers/detection/implementing-active-defense-systems-private-networks-34312
  11. "U.S. DoD Terminology: active defense". Retrieved 2016-12-24.
  12. "Financial Services Cyber Security Active Defense (FSCSAD) - Federal Business Opportunities: Opportunities". www.fbo.gov. Retrieved 2016-12-25.
  13. "Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems" (PDF). www.nist.gov. Retrieved 2018-06-15.
  14. Woods, Dan. "5 Ways to Fight Back Against Cybersecurity Attacks: The Power of Active Defense". Forbes.
  15. Garlick, Jeremy (2024). Advantage China: Agent of Change in an Era of Global Disruption. Bloomsbury Academic. p. 41. ISBN 978-1-350-25231-8.