The Cybersecurity Canon: Offensive Countermeasures: The Art of Active Defense

Feb 08, 2016


We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Robert Clark: Offensive Countermeasures: The Art of Active Defense (2013) by John Strand and Paul Asadoorian

Executive Summary

John and Paul (PaulDotCom) state the intention of Offensive Countermeasures: The Art of Active Defense best, “It is our hope that this book is just the beginning of a wider conversation on the topic of hacking back.” According to numerous reviews found online, most feel it accomplishes that objective and I would agree that it is only a start. It is written for those already in the information security space who have an understanding of defending networks. However, with that said, many critiques found it light on substance and more of a cursory look at active defense. This and the subject matter make it a good read but not Canon-worthy. If the Canon requirement is “To identify a list of must-read books . . . where the content is timeless . . . if not read, will leave a hole in the cybersecurity professional’s education that will make the practitioner incomplete,” not reading this book will not leave a hole, only because there are now many other methods to obtain this information in an updated form. The book is an excellent introduction to many active defense methods. The introduction gives a cursory, but now dated, look at some legal cases, and then the text is divided into three core sections: Annoyance, Attribution and Attack.

About the People

John Strand is a senior instructor with the SANS Institute. He teaches SEC504: Hacker Techniques, Exploits, and Incident Handling; SEC560: Network Penetration Testing and Ethical Hacking; SEC580: Metasploit Kung Fu for Enterprise Pen Testing; and SEC464: Hacker Guard: Security Baseline Training for IT Administrators and Operations with Continuing Education. John is the course co-author of SEC504: Hacker Techniques, Exploits, and Incident Handling.

When not teaching for SANS, John co-hosts Security Weekly, the world's largest computer security podcast. He is the owner of Black Hills Information Security, specializing in penetration testing and security architecture services. He has presented for the FBI, NASA, the NSA, and at DefCon.

PaulDotCom is, well, PaulDotCom.

The Story

As the book's subtitle suggests, Offensive Countermeasures breaks active defense down into three categories: Annoyance, Attribution and Attack. Annoyance is essentially wasting an attacker's time, and this section introduces readers to one of the military's favorite acronyms, OODA: observe, orient, decide and act. Attribution is just that, focusing on knowing not only who is attacking you but also their capabilities and tactics. Finally, Attack helps one develop approaches to "planning and thought" and to gaining access to an attacker's systems. Bookending the three core sections are an introduction covering some dated legal decisions and a final chapter on Core Concepts.

For full disclosure, I am a cyberspace attorney with some decent technical understanding. So I defer to many of the supposed “techies” who have posted reviews online as to the technical content of the three main chapters. The majority state that this is a good overview, but short on substance, and even refer you to John and Paul’s podcasts. Moreover, John’s instruction on this topic can be found in numerous places, such as SANS, Blackhat, podcasts, etc. I would assume that information is more up-to-date than when this book was published in 2013.

Again I fall back on the authors' intent, to get the discussion going. I think their introduction to the Attack section states it best, "This is the step of this book that you will need to work out with your legal department. You may also want to coordinate with law enforcement as required." I try to espouse what I call Clark's Law, to rival Moore's Law: get your lawyers involved early and often so they don't slow down operations and can get you to yes. Explain the technology at a third-grade level to them (the lawyers) so we can understand it and explain it to senior leaders (the C-Suite) or others. So I appreciate John and Paul's introduction of the book with the law and their caveats throughout the book.


I’ll leave it to an Amazon review of Offensive Countermeasures by a Mr. Anderson in September of 2013, “Overall this book provides a good review of high level concepts with some minor depth of what organizations can do to better protect their assets using both defensive and offensive strategies. I was just hoping for a more technical explanation, and more advanced techniques, but the book does cover what it states.”

And the final word goes to John’s SANS colleague, lawyer Benjamin Wright, who stated a couple of months before that, “This book helps the public debate about computer defense get beyond some old, worn-out taboos. Lawyers, politicians and government officials need to read this book and expand their understanding of effective, ethical digital security and privacy.”

