I recently had the pleasure to spend time in Krakow, Poland for the CONfidence event, where in addition to enjoying the conference I was fortunate to catch up with old friends. During several discussions with a colleague, we kept returning to NATO’s cyber posture vis a vis potential adversaries and the current US doctrine of “defend forward”. Central to both – either notionally (in the case of NATO) or actually (given USCYBERCOM’s new strategic thrust) – is the idea of active engagement with “hostiles” operating in or attempting to penetrate networks, but doing so just below the threshold of what parties would consider outright hostilities.
As defined and soon to be implemented by the US military:
“Defending forward as close as possible to the origin of adversary activity extends our reach to expose adversaries’ weaknesses, learn their intentions and capabilities, and counter attacks close to their origins. Continuous engagement imposes tactical friction and strategic costs on our adversaries, compelling them to shift resources to defense and reduce attacks. We will pursue attackers across networks and systems to render most malicious cyber and cyber-enabled activity inconsequential while achieving greater freedom of maneuver to counter and contest dangerous adversary activity before it impairs our national power.”
Taken to its logical conclusion, the above statement which the US military has embraced (and that NATO might follow in turn) implicitly allows for and endorses offensive actions (or offense-like activity) against identified enemies within the scope of cyber. But also importantly, this activity would be reactive in nature, responding to perceived* intrusions to impose post-intrusion costs on adversaries that were not previously present.
In this sense, the above strategy almost embraces the worst possible aspect of two continuums defining cyber operations: applying an escalatory strategy in operations (thus increasing the likelihood of truly disruptive events) while only doing so in response to adversary actions (thus ceding initiative and choice of battleground to hostile actors). While I understand the motivating force behind USCYBERCOM’s new strategy after spending years “on their heels” simply responding to attacks and seldom (if ever) being able to truly curtail the attackers responsible, the current strategy seems both hazardous and wrong.
First, the “defend forward” concept takes a concept of defensive cyber operations (DCO) – responding to intrusions – and applies the inverse to it in terms of action. Instead of responding through internally-focused measures to reduce the scope of the attack and evict the intruder, “defend forward” would have entities respond by pressing ahead in to perceived adversary networks to deny, degrade, or disrupt activity. While not explicitly making this case, a very real risk exists that such efforts – in saying “the best defense is a good offense” – will result in an atrophy of defensive responsibilities beyond detection (response, recovery, and remediation especially), while incentivizing adversaries to act in a more hostile, disruptive fashion to counter perceived aggression or to maximize value to intrusions before such access is lost or degraded. To simplify, the new strategy builds defense around merely identifying potential adversary actions on “friendly” territory and using this as a pretext to then pursue such adversaries within their own networks – while potentially driving adversaries to take a less-cautious approach of their own in response.
While there’s an undeniable sexiness to this idea of “taking the fight to the enemy”, this obscures multiple concerning aspects surrounding such a strategy. First, there is the perennial problem of attribution to ensure you engage the correct adversary in response – while significant, I think this is honestly a less important characteristic for entities with recourse to signals intelligence and other information sources. Essentially, while I do not expect this to be perfect, I am less concerned with the US government being able to get attribution “right” than I am with most private sector security firms. Nonetheless, getting this fundamental aspect wrong, of which there is a non-zero chance, risks escalating operations dramatically potentially without even responding to a real incident.
Second and more fundamentally problematic, while adopting the perception of an “active” stance, this strategy remains reactive in the sense that adversaries still determine the time, place, and manner through which defenders respond, even if that response ends up being offensive or outward in nature. In this sense, adversaries – aware of and anticipating the strategy – can establish their operations in accordance with known defender doctrine: extensively using proxies and compromised infrastructure to obscure command and control; improving internal OPSEC and awareness to minimize own-intrusion; and potentially even implementing “honey pots” or other capture and deception mechanisms to frustrate the “attacking defenders” – or even capture and then repurpose their own tools and techniques in subsequent activities. Considering that such actions are telegraphed in advance via the strategic proclamation, prospective attackers have strong incentive to modify their own operations in response while being granted an advantage typically afforded to defenders in that they can influence and to some extent decide how, when, and where to respond to the reactive “defend forward” intrusion.
In opposition to the attractive-sounding but operationally-deficient “defend forward” strategy, I would propose instead embracing some of the limitations (and corresponding advantages stemming from them, depending on perspective) of DCO. For one, no one (should) know a network better than a defender, and defenders should (in a well-managed, well-orchestrated environment) have the advantage of initiative over attackers. Examples include proper segmentation, isolating key network nodes, identifying strategic nodes of communication required for adversary traversal, and knowledge of what “normal activity” looks like within the defended network. While the possibility exists that attackers could attempt to overwhelm defenders by attempting many potential intrusion scenarios simultaneously, an examination of actual events shows such operations simply do not happen – and may indicate that offense is just as resource-constrained as defense. Furthermore and related to this concept, while attackers may possess a “first mover” advantage for initial attacks, defenders hold the advantage of controlling the terrain with the possibility of directing, shaping, or otherwise influencing attacker operations to follow a defender-advantaging pathway – no different than using physical obstacles to funnel an attacking force into a defensive “kill zone” for elimination.
From these observations, we can see that “defend forward” is doubly deficient in that it continues to adopt a reactive stance (the “forward movement” is in response to observed attacks and subsequent attribution) while not taking advantage of built-in defender advantages when operating in one’s own network. While psychologically pleasing as a way to “get back” at attackers, fundamentally the concept is flawed and will likely only lead to good capabilities and related items being identified or lost to adversaries during the course of response operations.
So the question at this stage becomes : if not “defend forward”, then what, since traditional military network defense practices over the past 15-20 years have proven woefully insufficient to adequately dealt with the threat environment.
My recommendation is a midpoint between an aggressive, outward-directed response and a passive, react-only defense to build a hybrid of active internal defense. In this conception – most commonly referred to as “threat hunting” in much marketing copy – defenders do not simply sit and passively monitor for breach, but instead actively patrol, monitor, and seek out intrusion activity within the defended network. While increasingly adopted in the private sector, the problems of scale, personnel, talent, and network diversity have made this hard to impossible on all but a select few military networks. But by embracing this concept, defenders can retain the advantages of defense – knowing the terrain and possibly constraining the attacker – while avoiding the pitfalls of offensive-oriented activity.
This approach improves on the identified strategy in that it establishes an active, aggressive defense to hunt out and identify malicious activity, rather than waiting for an alert or other notification of attacker behavior. As such it can reduce the time to detection and therefore accelerate the mitigation, remediation, and recovery process. As such adversary dwell time can be reduced, minimizing either loss of information or the ability of adversaries to establish long-running access into victim networks that could be used as staging for future attack scenarios. If the goal is to increase attacker cost and minimize attacker effectiveness (the goal of the new USCYBERCOM policy) while presumably maintaining robust and effective own-network defense (one of the presumed purposes for USCYBERCOM’s existence) then a policy of active, aggressive internal defense would seem to satisfy these goals while minimizing potential escalation and retaliatory activity inherent to offensive-focused counter-operations.
Yet I think there is a problem in this approach which USCYBERCOM’s offensive-oriented planning attempts to address: resources. Active, hunt-based defense is expensive in that you need to possess adequate numbers and sufficiently trained personnel to continuously execute network pursuit activity. As such, personnel so employed are constantly engaged, and coverage of large networks requires a significant outlay of resources to ensure adequate examination. There may be strategies to prioritize resources (focusing on key network nodes or “crown jewels”-based analysis) but defenders are still left with the issue of having only so many resources to cover an ever-expanding number of endpoints. From this perspective, both the “response only” defense approach and an offensive-oriented “strike back” approach represent an economization of force. In the case of the latter, rather than attempting to hunt down and kick out attackers across a multitude of potential endpoints, resources are instead applied directly to the perceived aggressor’s network which requires relatively fewer (if potentially more highly skilled) personnel to execute.
However, I think this is a poor attempt at a solution to a very real problem, in the sense that while organizations (including US and NATO militaries) should work to make the best use of available resources in the immediate term, strategic planning and vision should be more attuned to where these organizations should strive to be in the future. Attempting to apply an economization strategy for future development would seem to lock these organizations into less-than-ideal strategies while not truly dealing with the network defense problem.
Ultimately planning for and achieving robust network defense in an increasingly dynamic, hostile environment is neither simple nor easy. The classic, historical passive defense model of waiting for alerts and responding to attacker events is as inefficient as it is inadequate in addressing the cyber security problem. Thus, to some extent, USCYBERCOM and related entities should be applauded for attempting to shift strategies toward potentially more useful methodologies rather than simply throwing more resources at inadequate techniques. Yet in doing so, such organizations must be careful to not fall for the seductions of the “cult of offense” when attempting to build up more robust and responsive defensive measures. While I do not deny the attractiveness of “taking the fight to the enemy” to increase their cost of operation, such actions carry very real risks – not the least of which is escalating operations continually to produce ever-more-hostile circumstances. Instead, entities such as the aforementioned militaries can adopt a more robust and active defensive approach to significantly improve DCO activities while avoiding the pitfalls that come with the adoption of implicitly offense-based strategies to defensive problems.
*I use “perceived” here as the response actions would come following a detected and successfully attributed intrusion activity. Thus, there would be a difference between the set of all intrusions (detected or undetected) and the subset of detected, identified, and attributed intrusions which can then be countered via the defending forward posture. As such, short of perfect visibility and perfect knowledge, and taking into account the possibility of error in detection or attribution, this strategy is limited to those perceived intrusion events rather than all possible items.