Shostack + Friends Blog Archive


Active Defense: Show me the Money!

Over the last few days, there have been a lot of folks in my Twitter feed talking about “active defense.” Since I can’t compress this into 140 characters, I wanted to comment quickly: show me the money. And if you can’t show me the money, show me the data.

First, I’m unsure what’s actually meant by active defense. Do the folks arguing have a rough consensus on what’s in and what’s out? If not, (or more) would be useful. Just so others can follow the argument.

So anyway, my questions:

  1. Do organizations that engage in Active Defense suffer fewer incidents than those who don’t?
  2. Do organizations that engage in Active Defense see smaller cost-per-incident when using it than when not? (or in comparison to other orgs?)
  3. How much does an Active Defense program cost?
  4. Is Active Defense a lower-cost way to achieve the outcomes in 1 & 2 than the other ways of getting those outcomes?

I’m sure some of the folks advocating active defense in this age of SEC-mandated incident disclosure can point to incidents, impacts and outcomes.

I look forward to learning more about this important subject.

2 comments on "Active Defense: Show me the Money!"

  • Alun Jones says:

    And then there’s the question of “do you have the right?” – maybe you’re being attacked by a bot that got accidentally executed on critical infrastructure – the bot isn’t taking them down, but your “Active Defence” just did. Under law, who’s responsible?
    And that’s assuming that your Active Defence can’t be spoofed into ‘responding’ in a direction that attacks aren’t actually coming from.

  • dunsany says:

    I’ve watched the active defense thing pop up every 3 years or so, for pretty much the past dozen years or so. Someone feels all impotent and then decides to throw down some polemics. A lotta noise and then they run into the attribution and legal problem… then pretty much goes dormant for a few more years.

    My conjecture is that if you’re going to “actively defend” you’re best to do it with deceptive defenses, which takes you off the hook for attribution and legality. Of course, you shouldn’t be bothered with such until you’ve taken care of the basics (aka the known working defenses).
