Defenders Disrupting Adversaries: Framework, Dataset, and Case Studies of Disruptive Counter-Cyber Operations
Jason Healey, Neil Jenkins, JD Work
Abstract
Over the past two decades, there have been numerous defensive operations to disrupt malicious cyber activity by hacktivists, criminals, and nation-state actors. Disruption operations seek to affect the adversary's decision-making processes and impose additional costs. Such operations include a wide range of actions, from releasing indicators of compromise and naming-and-shaming, to botnet and infrastructure takedowns, to indictments and sanctions, and may be conducted outside of the defender's own network with the intent to interrupt adversary cyber offense and espionage. The United States Department of Defense recently released a new strategy that calls for "persistent engagement" with malicious cyber actors, suggesting many more disruption operations to come.In this paper, we describe a framework for categorizing disruption operations and their effects - along with detailed descriptions for several of these case studies coded to the framework - so that researchers and practitioners can measure their impact using a common terminology. We also provide a unique dataset of over 100 cases of defensive operational disruption over the last 30 years, from 1987 through 2019.We believe that providing a more complete vocabulary for disruptive operations will give analysts and researchers a better opportunity to compare the different types and effects of various disruption operations. Ideally, this will then provide defenders with the information they need to conduct disruption operations at greatest scale, least cost, and with the lowest chance of escalation.