In this article, the concepts of “Active Defense” and “Counter Attack/Hacking”, which are often confused with each other, will be discussed.
Defense can be divided into passive and active. Systems and structures such as firewalls and IDS/IPS deployed in organizations are referred to as “passive security”. Active security, on the other hand, covers the work carried out on top of passive security to provide protection more effectively.
Concepts such as SIEM, anomaly detection, threat intelligence and incident response fall under active security. The purpose of active security is to cover the cases where an organization's passive security is not sufficient, to provide security more dynamically, and, together with the protection strategies against attackers, to increase the success of that protection.
All of the various elements such as “Incident Detection and Response Teams”, services, honeypots, log collection tools, cyber intelligence solutions, security tests conducted at regular intervals, and red team operations play a major role in ensuring the security of organizations.
Applying the feedback from this work, and monitoring and following up on these processes, are also important steps in active defense. Since security should be treated as a process, skipping one or more of these steps may increase the risks the organization faces. Active security can be likened to an organization's health, just like human health: in addition to passive security, active security must be continually advanced and its continuity ensured, just as the things we do to protect our health require continuity.
Although most organizations follow and use the concept of “Active Defense” closely, at the end of the day it is sometimes confused with “Counter Attack/Hacking”.
Once attackers have managed to compromise a system and are discovered, organizations want to respond, and sometimes they have no idea how to respond to the attackers.
The compromised organization sometimes wants to do something and tries to fight fire with fire. This is where “Counter Attack/Hacking” comes in. The action can be compared to neutralizing a launched missile with another missile. It should be noted that anything done here should follow rules of engagement, and that in many jurisdictions it is a crime. In general, the aims pursued are collecting counterintelligence, identifying the perpetrators of the intrusion, determining how much data was stolen, and discovering the tools or new methods used.
One example, from a past incident in one country, is malware that was embedded in the files the attacker had downloaded in order to trace the data theft. The attacker, who opened and examined the malicious file along with the others, had their camera image captured and was caught this way.
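As an added example, not taken from the original article, here is what the lawful active-defense counterpart of the trick above looks like: a canary token, a honeypot-style decoy document that carries a unique URL pointing at a beacon server you control. Nothing is executed on the attacker's machine; the only information collected is what their client sends when it fetches the URL, and that lands in your own web server log, where a detection rule matches it against the tokens you planted. The host canary.example.invalid, the decoy file names and the log lines below are all constructed for this example.

```python
import re
import secrets
from dataclasses import dataclass

# Hypothetical beacon host for the example; in practice a server you control.
CANARY_HOST = "canary.example.invalid"


@dataclass(frozen=True)
class Canary:
    token: str       # random identifier embedded in the decoy document
    decoy_name: str  # name of the decoy file the token was planted in
    location: str    # where the decoy was left for an intruder to find


def new_canary(decoy_name: str, location: str) -> Canary:
    """Mint a fresh token for a decoy. 8 random bytes -> 16 hex characters."""
    return Canary(secrets.token_hex(8), decoy_name, location)


def beacon_url(canary: Canary) -> str:
    """URL to embed in the decoy (e.g. as a remote image or template link).
    Fetching it reveals only what the client volunteers: IP, time, User-Agent."""
    return f"https://{CANARY_HOST}/t/{canary.token}"


# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Beacon paths look like /t/<16 hex chars>, optionally followed by a query or sub-path.
TOKEN_RE = re.compile(r"^/t/(?P<token>[0-9a-f]{16})(?:[/?].*)?$")


def detect_canary_hits(log_lines, canaries):
    """Scan web server log lines and return one alert per fetch of a planted token.
    Requests for unknown tokens (scanners guessing paths) are deliberately ignored
    so that only decoys we actually planted raise an alert."""
    index = {c.token: c for c in canaries}
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-log line
        t = TOKEN_RE.match(m["path"])
        if not t:
            continue  # ordinary request, not a beacon path
        canary = index.get(t["token"])
        if canary is None:
            continue  # well-formed token we never issued
        alerts.append({
            "source_ip": m["ip"],
            "timestamp": m["ts"],
            "user_agent": m["ua"],
            "token": canary.token,
            "decoy": canary.decoy_name,
            "location": canary.location,
        })
    return alerts


# Constructed sample data: one decoy planted on a file share (fixed token so the run is reproducible).
PLANTED = [Canary("deadbeefcafef00d", "Q3-salary-report.xlsx", r"\\fileserver\hr\archive")]

# Constructed log lines: a real hit, an unrelated request, and a probe for a token never issued.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:03:14:07 +0000] "GET /t/deadbeefcafef00d HTTP/1.1" 200 0 "-" "Microsoft Office/16.0"',
    '198.51.100.22 - - [12/Mar/2024:03:20:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:03:21:45 +0000] "GET /t/0000000000000000 HTTP/1.1" 404 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for alert in detect_canary_hits(SAMPLE_LOG, PLANTED):
        print(f"ALERT: decoy {alert['decoy']} from {alert['location']} "
              f"opened by {alert['source_ip']} ({alert['user_agent']}) at {alert['timestamp']}")
```

The design choice that keeps this on the active-defense side of the line is that the beacon is passive: the decoy contains only a URL, the server merely logs the request, and the alert is built entirely from your own log. Code that executes on the other party's system, such as the camera capture in the incident above, is counter-hacking and needs a legal basis before anyone considers it.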
Sanctions and legal questions regarding “Active Defense” and “Counter Hacking/Attack” vary with the regulations and policies of each country. Any work of this kind must therefore be done according to the rules of the relevant country or regulation.
Understanding and adopting these and similar concepts is important for ensuring and maintaining the security of organizations. In addition, in order not to create legal problems for the organization, it is necessary to act carefully and follow the rules.
Thanks for your time and interest.
Berk KIRAS | Cyber Security Consultant
Further Reading:
- Fortinet – https://www.fortinet.com/resources/cyberglossary/active-defense
- MITRE – https://www.mitre.org/publications/technical-papers/active-defense-strategy-for-cyber
- ACSC – https://www.cyber.gov.au/acsc/view-all-content/glossary/active-defence
- Aktif Siber Savunma ve Performans Analizi (Active Cyber Defense and Performance Analysis) – https://acikerisim.aku.edu.tr/xmlui/bitstream/handle/11630/6234/10066729.pdf