What to consider when implementing Active Defense tools in your organization

Understanding the Business Impact of Active Defense Tools

08/28/2024

If your organization is grappling with whether or not to implement Active Defense tools to better protect your network, consider the business impacts of not implementing these tools. Threat actors are constantly upping their game, unlocking new capabilities and tactics all the time, and organizations face the enormous challenge of addressing these threats in a way that is effective across a wide range of attack scenarios and objectives.

If you’re not using Active Defense tools, you are more vulnerable to cyberattacks. Here are the most important things to consider when it comes to the business impacts of continuing with the status quo of traditional security protocols.

The Business Impacts of Not Using Active Defense Tools

The problem with traditional security measures is that today’s actors can easily evade them. For example, intruders can use custom obfuscation, encryption, and bypass techniques to defeat intrusion detection systems and other signature-based controls. Application deny-lists also come up short against encrypted binaries and against legitimate programs and processes that have been hijacked. Even when organizations detect and eradicate malware, an intruder has most likely already gained access through legitimate means such as VPN or other remote access solutions.

So, no matter the attack on your organization, whether it’s cyber fraud, cyberespionage, cyber sabotage, or cyberterrorism, you’re set up to lose out big time if you’re not doing more to protect your network. And the bigger your organization, the more you stand to lose in financial costs and business impact from things like:

  • Fines due to compliance implications
  • Loss of shareholder value
  • Legal exposure and lawsuits
  • Fraud
  • Extortion
  • Unavailability of services
  • Loss of intellectual property
  • Damage to business or brand’s reputation

Traditional security controls consistently fail to make the grade in deterring and responding to cyber threats. (See our previous blog post for more info on why traditional tools are failing to address the threat of intrusion.) Intruders can penetrate networks and execute their mission without having to spend more time and money, face greater risk, or increase the sophistication of their attack. Once they gain a foothold on the network, they face fewer obstacles and can move within the compromised network while evading detection and response. This only makes bad actors faster and more efficient at locating critical systems and data and accomplishing their objective.

Where does that leave organizations? The ones that survive will eventually be outmatched, outgunned, and, at some point, out of money. The good news is that implementing and operating Active Defense tools carries a very low risk of collateral damage to your organization’s network. Here’s what to know about the risks and how to minimize them.

The Risks of Using Active Defense Tools

Implementing Active Defense tools carries a low risk of false positives, meaning they are unlikely to affect your normal network traffic and users. Here’s why: anyone interacting with these tools is almost certainly a malicious user, so you don’t have to worry about legitimate users falling into Active Defense traps. These tools are also easy and low-cost to implement, operate, and maintain, and risk can be reduced even further by enforcing standard operating procedures and providing continuous training on how to use them.

The biggest risk an organization faces when using Active Defense tools is potentially using offensive countermeasures that exceed the organization’s legal right to protect its own property. It’s possible that a court could hold the organization liable for those countermeasures, which would result in substantial financial loss through lawsuits, penalties, and other legal fees.

While that may sound worrisome, there are several ways to reduce the risk of legal action.

How to Mitigate the Risks of Active Defense Tools

One thing to consider is whether your organization has the staff, time, and budget available to implement, operate, and maintain the Active Defense tools and techniques reviewed here. Although no additional staff should be needed to maintain these tools, your organization may require additional training for new hires, or security consulting services following changes to its systems or network architecture.

That said, here are some ways to minimize your legal risks when using Active Defense tools:

Add a warning banner

One simple method is to add warning banners that define the boundaries of the organization’s network and the actions that will be taken against intruders. Being upfront about this can significantly reduce an organization’s exposure to legal troubles after an intrusion.

Use appropriate countermeasures

It’s very important to always use controlled countermeasures when deploying Active Defense tools. Incident response team members must ensure that all actions in response to an intruder are justified and proportionate to the threat. Exercising restraint is key for managing legal risk.

Include your legal team every step of the way

Lean on your legal team. The organization’s legal team must be involved throughout the entire process of deploying and operating these tools to provide legal recommendations in the context of the organization’s acceptable levels of risk. This goal can be accomplished with policies and procedures designed to ensure proper planning. This means including authorization as part of the deployment and operation processes, as well as providing specialized training, guidelines, and standard operating procedures for all security personnel.

Make sure the tools are working correctly

Verify correct tool deployment and operation to mitigate both the risk of false positives and the risk of collateral damage to other network systems. In addition, implementing traffic control rules on the edge firewall, and ensuring a timely and effective response to every tool detection reported to the security team, will help cut the risk of downstream liability.

Hold security awareness training for everyone in your organization

Security awareness training for operations and maintenance teams will reduce the risk that authorized users and systems interact with the Active Defense Harbinger Distribution (ADHD) server (which manages the Active Defense tools in your environment) and cause collateral damage to your organization’s network. Additionally, security awareness training for all users will reduce the risk of false positives caused by users intentionally or unintentionally connecting to the ADHD system.
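As an added example (not code from the original post or from the ADHD project), the following Python script shows one way to operationalize two of the points above: keeping detections from documented authorized sources (such as an internal vulnerability scanner) out of the analyst queue while still recording them for audit, and checking whether every remaining detection was acknowledged within a response SLA. The key=value log format, the IP addresses, the decoy names, the analyst names and the 15-minute SLA are all constructed assumptions, not values reported by any real tool.

```python
"""Triage of Active Defense (decoy) detections against a response SLA.

Added example, not code from the original post or from the ADHD project.
Assumption: detections and analyst acknowledgements arrive as one key=value
record per line in the constructed format shown in SAMPLE_LOG.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed sample records: three decoy detections and two acknowledgements.
SAMPLE_LOG = """\
2024-08-28T10:00:00Z kind=detect decoy=ssh-decoy src=10.0.5.23 event=login_attempt
2024-08-28T10:02:00Z kind=detect decoy=smb-share src=10.0.9.9 event=file_read
2024-08-28T10:05:00Z kind=detect decoy=ssh-decoy src=10.0.7.41 event=login_attempt
2024-08-28T10:06:00Z kind=ack src=10.0.5.23 analyst=a.jones
2024-08-28T10:40:00Z kind=ack src=10.0.7.41 analyst=b.lee
"""

# Hosts documented as authorized to touch decoys (placeholder entry). Keep this
# list under change control so a suppression is always a deliberate decision.
AUTHORIZED_SOURCES = {"10.0.9.9": "vulnerability scanner"}

# Longest a detection may wait for acknowledgement before it is an SLA breach
# (placeholder value).
RESPONSE_SLA = timedelta(minutes=15)

RECORD_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


@dataclass
class Record:
    ts: datetime
    fields: dict


def parse_records(text: str) -> list[Record]:
    """Parse key=value records; lines with a bad shape or timestamp are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
        records.append(Record(ts.replace(tzinfo=timezone.utc), fields))
    return records


def triage(records: list[Record], authorized=AUTHORIZED_SOURCES, sla=RESPONSE_SLA) -> dict:
    """Split detections into 'alerts' (need a response) and 'suppressed'
    (from documented authorized sources, kept for audit), and annotate each
    alert with its time to acknowledgement and whether that met the SLA."""
    acks: dict[str, list[datetime]] = {}
    for r in records:
        if r.fields.get("kind") == "ack" and "src" in r.fields:
            acks.setdefault(r.fields["src"], []).append(r.ts)

    alerts, suppressed = [], []
    for r in records:
        if r.fields.get("kind") != "detect" or "src" not in r.fields:
            continue
        src = r.fields["src"]
        entry = {"ts": r.ts.isoformat(), "decoy": r.fields.get("decoy"),
                 "src": src, "event": r.fields.get("event")}
        if src in authorized:
            entry["reason"] = authorized[src]   # suppressed, but still recorded
            suppressed.append(entry)
            continue
        # Only acknowledgements recorded at or after the detection count for it.
        later = [t for t in acks.get(src, []) if t >= r.ts]
        if later:
            delay = min(later) - r.ts
            entry["minutes_to_ack"] = delay.total_seconds() / 60
            entry["within_sla"] = delay <= sla
        else:
            entry["minutes_to_ack"] = None     # never acknowledged: a breach
            entry["within_sla"] = False
        alerts.append(entry)
    return {"alerts": alerts, "suppressed": suppressed}


def sla_breaches(result: dict) -> list[str]:
    """Return the source addresses of alerts that missed the SLA."""
    return [a["src"] for a in result["alerts"] if not a["within_sla"]]


if __name__ == "__main__":
    result = triage(parse_records(SAMPLE_LOG))
    print(f"{len(result['alerts'])} alerts, {len(result['suppressed'])} suppressed")
    print("SLA breaches:", sla_breaches(result))
```

Suppressed detections are returned rather than discarded so that an unexpected volume of "authorized" interaction with a decoy can still be reviewed, and an unacknowledged detection counts as a breach rather than as unknown, which keeps the report from silently understating response gaps.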

Continue to use basic security measures

Just because you’re using Active Defense tools doesn’t mean you should stop using basic security measures in your systems. Basic security measures include things like network segmentation, role-based access control, application allow-listing, and auditing systems for suspicious files, all of which are designed to prevent intruders from moving within a compromised network.

You should also be reviewing and maintaining up-to-date vulnerability management plans, patch management plans, and incident response plans. Remember, Active Defense tools and techniques are recommended in addition to industry best practices. Think of them as another (very effective) tool in your cyber defense tool belt.

What If You’re Not Satisfied with Active Defense Tools?

If you’re not happy with the performance of Active Defense tools, it’s easy to roll them back. The process consists of decommissioning the virtual machine or removing it from the network environment, which can be accomplished with no disruption to other services and systems on the network.

Contact us now for help with understanding how Active Defense tools can work for your organization, and how to get started with implementation.