Active Cyber Defence

by Ganna Pogrebna, Karen Renaud, and Boris Taratine

The term “Active Cyber Defence” (ACD), whilst decades old, has recently gained popularity: it is used by individual users, cybersecurity professionals, bloggers, policy makers, and even cyber defence systems at national and international levels. What does ACD actually mean?

At an individual level, ACD means “punking” or wasting scammers’ time. This often involves engaging with spammers to waste their time. Societies have sprung up to allow individuals describe their experiences of punking and scambaiting cybercriminals [a]. Recently, AI tools entered the fray with cybersecurity companies engaging chatbots to waste scammers’ time. While wasting time certainly seems eminently satisfactory, how do we measure its efficacy in preventing and alleviating cybercrime?

The most common interpretation of ACD is “hacking back”: actively engaging “retaliating” against cybercriminals. This view primarily arises from interpretations of the US Congress Active Cyber Defence Certainty Act [b], which aims to empower businesses to trace hackers, monitor their activities and even destroy stolen files. This interpretation is problematic as its legality hinges on a shared understanding of the word “retaliate”. Many retaliation measures are illegal under national and international law in the majority of countries.

An alternative to “hacking back” deploys IoT and AI to prevent cyberattacks by creating a complex and sophisticated network of “honeypots” (traps containing no valuable information or important data). These entice cybercriminals into a monitored zone, where forensic data can be gathered without risk to actual systems [4]. While this approach seems promising, the main issue is that cybercriminals can also use AI to detect and avoid honeypots.

Policy makers are trying to provide a more systemic view on ACD. For example, the UK National Cyber Security Strategy[c] has included ACD since 2016 and defines it as “tackling cyber attacks in a relatively automated way to improve national resilience”. According to the UK’s National Cyber Security Centre, ACD includes (1) removing malicious content and blocking suspicious hosts, (2) automated testing of public sector websites, and (3) blocking access to “bad” domains, among others. This is a more systemic view of ACD activities [2]. However, even these measures can, and are, being circumvented.

Next Generation ACD

It is clear that ACD has many “faces”, all of them primarily focusing on the technological aspects of cyber defence, neglecting the human in the socio-technical system [1]. Next Generation ACD must exercise a holistic approach, incorporating behavioural and technological mechanisms focusing on detection, response and recovery. This holistic approach has to deploy mechanisms from many fields, including behavioural science, HCI, marketing and computer science [3]. A cross-disciplinary approach might generate behavioural profiles of cybercriminals, combine these with a marketing taxonomy of cybercriminal business models, and thus be able to identify the most vulnerable targets in businesses and computer systems for cybercriminals of different behavioural-business types. This, in turn, would engender development of agile and resilient defence systems. Such defence would not be based on randomized processes (e.g., Markov) but would rather be intelligently targeted based on intelligence about adversaries themselves and the techniques they use to carry out attacks.

For more information, see:

Pogrebna, G., Renaud, K., & Taratine, B. (2019). The many faces of active cyber. Network Security, 2, p. 20 [Link]

If you want to know more, see:

[1] Cooper, P., 2016. Cognitive Active Cyber Defense: Finding Value through Hacking Human Nature. JL & Cyber Warfare, 5, p.57.

[2] Levy, I. (2018) Active Cyber Defence - One Year On, National Cyber Security Centre, accessed at

[3] Pogrebna, G. and Skilton, M (2019) Navigating New Cyber Risks: How Businesses Can Plan, Build, and Manage Safe Spaces in the Digital Age, Palgrave-Macmillan

[4] Sohal, A. S., Sandhu, R., Sood, S. K., & Chang, V. (2018). A cybersecurity framework to identify malicious edge device in fog computing and cloud-of-things environments. Computers & Security, 74, 340-354.