The art – and science – of ‘active defense’ security

Hensley says organizations need insight into a threat actor’s decision cycle

The retired US Army colonel, and now executive director of the Dell SecureWorks Counter Threat Unit Research Group, aimed to lift the ‘fog of war’ – the uncertainty that surrounds an enemy’s capabilities. “We will try, hopefully, to peel back that fog of war to help better secure your networks”, he noted.

Hensley shared a defense strategy employed by former US Air Force Col. John Boyd during the Korean War. The method, meant to evaluate an adversary’s intent and capabilities, is known as the OODA Loop – defined as observe, orient, decide, and act. Through intelligence sharing and the OODA Loop strategy, Hensley said, Dell SecureWorks has helped prevent subsequent network attacks on its customers after having first observed attacker methods on a preliminary target.

“The bottom line is you want to be able to get inside the threat actor’s decision cycle and be able to act – in this case defend – against the enemies’ techniques and procedures before they are used on you”, he said.

Hensley said he detests the frequently used moniker of “cyberattack” as a description of network intrusions and data theft. “Most of what we see today is really cyberespionage”, he asserted, making reference to the fact that surveillance now primarily occurs in the cyber realm.

Intelligence gathering by organizations that find themselves targeted, however, often allows them to know not only what they are up against, but which of their trusted partners may also be targeted by attackers looking for specific information on particular products, projects, intellectual property, and the like.

What goes on in today’s threat environment in cyberspace, says the retired military officer, draws a strong parallel with old-fashioned battlefield preparation. “Nation-states are doing operational prep for the environment, which means they are gaining access to as much as they can”, he asserted. This reconnaissance includes gaining access to as many network assets as possible and testing the limits of network penetration.

“In many cases they are placing various access methods so that at a time and place of their choosing, they can come back and use those”, he continued. “Many of the things that [nation-states] are putting in place you may never see, or they may never use, but that does not mean it is not being done.”

To help security ‘defenders’ engage in what he called “active defense”, Hensley subsequently walked the audience through many real-world attack scenarios, including distributed denial of service (DDoS), fake anti-virus infections, and SEO poisoning, in addition to more sophisticated attacks. Another active defense strategy he extolled was intelligence gathering on hackers themselves by monitoring hacker chat forums to gain insight into what they may be targeting and via which methods.

So why is it important to gather threat intelligence and dissect these attack scenarios? Hensley said it’s because intelligence gathered on one security incident – and the lessons learned – can often be applied by other organizations as part of their active defense strategy. Understanding your adversaries’ attack lifecycle, Hensley reiterated, is critical to this approach.

What Hensley hopes is that security practitioners will arrive at a “new normal” in the near future. “For us to be successful, you can’t keep reacting to an event...we have to get ahead of the adversary.” He said this will require defenders to have more threat intelligence at their disposal and to better understand attackers’ command-and-control infrastructure and exploit methods.

“If you can see how your adversary is manipulating various systems out there today”, he concluded, “then we can stop them”.