The cyber infrastructure is vulnerable to threats from many different sources

The criticality of cyber infrastructure makes it a very attractive target, which we try to protect by building perimeter defences. This paper argues that a reactive-oriented network defence policy based solely on perimeter defences is not sufficient to properly safeguard IT infrastructure. An argument is made for an approach based on the idea that defence begins with an understanding of those adversaries that pose significant risk to the cyber infrastructure, their motivations and their capabilities. Therefore, the first response to an attack should not always be to immediately block the attack. Instead the paper examines response with a defensive counterinformation operation (IO counter-measure) with the objective to discover: who is attacking, what they are capable of, what their current mission objective is, and what is the larger strategic goal or context for the current attack. A set of Operational Objectives for such a response is defined. This response concept is also oriented in a set of Principles of Operation for Network-based IO counter-measures. To enable this new kind of operation, new tools and techniques are required. Key research areas have been identified and a honeypot-based IO countermeasures tool is presented as specific topic area for fruitful research.