Leveraging Active Defense Tools to Protect Against Cyber Threats
08/16/2024
When your network is compromised, your first priority is shutting down the intruder. While that might seem like the best course of action, there’s a better way to defend against bad actors and prevent future attacks. Enter: Active Defense tools. In this four-part series we will discuss the elements of Active Defense tools, why traditional tools fail to address the threat of intrusion, the business impact of using these tools, and how to get started using them.
Active Defense tools are a type of deception technology that helps you more effectively defend against cyber attacks. This strategy uses deception techniques—while leveraging automation—to engage with your adversary to learn more about how they got into your system and what they did, so you can employ better countermeasures, improve incident response, protect critical data and assets, and deter intruders from future attacks.
These tools are a way to increase the attacker’s workload and uncertainty as well as the sophistication required for a successful attack. In addition to exhausting an intruder’s resources, they also work to provide valuable information on the attacker for subsequent legal and law enforcement investigations. These low-cost solutions reduce long timeframes for detection and response, improve attribution capabilities, and better protect critical data and systems from intruders.
“Active” is the key word here. Remember, you are facing intelligent, adaptive intruders who are always learning and trying new ways to attack—and you need to do the same with defense. Vulnerability management and cyber hygiene are necessary, but basic security precautions are unlikely to stop a determined adversary. Active Defense tools are one of the best ways for organizations to legally and inexpensively detect intruders and defend their most valuable assets once their network has been compromised.
Read on for the basics of Active Defense tools and how you can get started using them.
The three elements of Active Defense tools
There are three general elements of Active Defense tools. Let’s take a closer look at how each works:
Detecting intrusions with annoyance tools
Annoyance tools create an environment where the intruder is encouraged to sacrifice anonymity to continue with a compromise. First, not only do these tools alert when an intruder begins interacting with them, they can also be used to acquire real-time tactical intelligence including an intruder’s geographic location, capabilities, condition, motives, and objectives. This provides key observations and the context needed for quick and effective incident response and triage efforts. Second, these tools frustrate intruders by causing them to spend significant time and effort on a target of no value. A frustrated intruder may upload files from other compromised servers, or even from their own server, which can produce additional threat intelligence. Finally, the tools delay intruders from reaching their objective, which buys time for incident response teams to plan and implement the appropriate countermeasures.
One example of this element is the use of honeytokens. A honeytoken is a decoy tactic that makes useless data appear attractive to cyber attackers. Once they access the honeytoken, an alert is immediately sent out to you. Then, while the intruder is busy stealing the fake data, you’ve detected the attacker and can prevent them from going after your real data.
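To make the honeytoken idea concrete, here is an added example (not code from the original post or from the ADHD project) of the detection side: a small monitor that scans access-log lines for any use of a planted decoy credential or a request to a decoy file path, and raises an alert carrying the timestamp, source IP and source port that the post later notes law enforcement reporting requires. The log line format, the decoy token value, the decoy path and the sample log lines are all constructed for this example.

```python
"""Honeytoken access detector (added example; not the post's or ADHD's code).

Two kinds of decoy are planted where legitimate users never go:
  * a fake credential (HONEYTOKEN) that has no real privileges, and
  * a decoy file path (DECOY_PATHS) that holds no real data.
Any request that presents the token or touches a decoy path is, by
construction, suspicious, so each one becomes an Alert with the fields an
incident responder needs for triage and for a law-enforcement report.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed decoy values. In practice generate a unique random token per
# placement so a hit also tells you *which* decoy was found.
HONEYTOKEN = "AKIAHONEYTOKEN0000EXAMPLE"
DECOY_PATHS = {"/backup/customers.sql"}

# Hypothetical log format assumed for this example:
#   <ISO-8601 timestamp> <src_ip>:<src_port> <METHOD> <path> auth=<token>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) auth=(?P<token>\S+)$"
)


@dataclass
class Alert:
    timestamp: str      # when the decoy was touched
    source_ip: str      # IP the request arrived from (may be a bounce point)
    source_port: int    # source port, needed alongside IP for attribution
    path: str           # what the intruder asked for
    reason: str         # which decoy fired


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into its fields, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_honeytoken_use(lines: List[str], token: str = HONEYTOKEN) -> List[Alert]:
    """Return an Alert for every line that uses the decoy token or a decoy path."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line: ignore, do not crash
        if rec["token"] == token:
            reason = "honeytoken credential"
        elif rec["path"] in DECOY_PATHS:
            reason = "decoy path"
        else:
            continue  # ordinary traffic, no decoy involved
        alerts.append(Alert(rec["ts"], rec["ip"], int(rec["port"]), rec["path"], reason))
    return alerts


def alerts_by_source(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per source IP so responders see which host keeps probing."""
    return dict(Counter(a.source_ip for a in alerts))


# Constructed sample log: two legitimate requests, one malformed line, and an
# intruder who first tries the decoy credential and then the decoy file.
SAMPLE_LOG = [
    "2024-08-16T10:00:01Z 10.0.0.5:51512 GET /api/orders auth=real-user-key-1",
    "2024-08-16T10:00:07Z 203.0.113.9:44321 GET /api/orders auth=AKIAHONEYTOKEN0000EXAMPLE",
    "2024-08-16T10:00:09Z 203.0.113.9:44322 GET /backup/customers.sql auth=none",
    "garbage line that should be skipped",
    "2024-08-16T10:01:00Z 10.0.0.7:40000 POST /api/orders auth=real-user-key-2",
]

if __name__ == "__main__":
    found = detect_honeytoken_use(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.timestamp} {a.source_ip}:{a.source_port} {a.path} ({a.reason})")
    print("hits per source:", alerts_by_source(found))
```

Because the decoy credential and path have no legitimate use, every hit is a true positive; the alert record already holds the source IP, source port and timestamp, so nothing has to be reconstructed later. The per-source count is a starting point for attribution, with the caveat the post raises below: the IP you see may be the last bounce point, not the intruder's own machine.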
Obtaining attribution
Attribution tools are a critical source for profiling intruders, gathering operational details, conducting counterintelligence activities, and facilitating counterattacks. Obtaining information about an intruder such as their identity, overall skill set, motivations, capabilities, and tactics is extremely valuable to both the organization and law enforcement agencies.
It is crucial that an organization determine who is attacking and why. Responding against a nation state requires a different strategy and budget than responding against script kiddies. For example, in the event of successful data exfiltration, an organization must determine who has the data and where it is being stored. Anonymity-defeating tools and geolocation techniques can be utilized to obtain this information.
Attribution in computer compromises is a very complex task. While an attacker may appear to come from an IP address belonging to a certain country, this does not prove the intruder is there or that the country sponsored the attacks. Attackers often use obfuscation techniques to mask their true IP address.
Attackers may use multiple compromised systems in various locations to route attack traffic to avoid attempts at identification. By using this method, intruders ensure that system and device logs on the compromised network only show connections from the IP address of the last bounce-point rather than the intruder’s actual IP address. Several Active Defense tools are currently available that can be used to defeat these deception tactics including decloaking tools and callback documents.
Executing a counterstrike
Counterstrikes are used to mitigate damage from current and immediate threats in a manner strictly limited to the amount of force necessary to protect the victim from further damage. Self-defense doctrines typically limit the amount of force allowed to that which is sufficient to stop the threat. All offensive countermeasures we recommend are restricted to obtaining only the information necessary for reporting to law enforcement to facilitate civil and criminal penalties.
When reporting intruders to law enforcement, organizations are typically required to provide a source IP address, a source port, and a timestamp associated with the traffic. When creating countermeasures to obtain this information, care should be taken to ensure that all countermeasures are designed to achieve your goals and get out as quickly as possible.
For a counterstrike to be a valid response, an organization must accurately attribute an attack to an actor and must identify the actor as hostile. Attribution is important because a counterstrike intended for the intruder could unintentionally be directed at systems being used by an intruder to route traffic, a state sponsored organization capable and willing to retaliate, or even an innocent third party intentionally spoofed by the intruder, such as a hospital or government agency.
Additionally, the organization must identify the intruder as an ongoing hostile threat, the harm from which can be mitigated by a counterstrike that interrupts the operations of the intruder. Meeting these requirements is necessary to keep organizations operating within acceptable legal and ethical boundaries while also preventing uncontrolled escalations, unintentional spillover, and collateral damage to innocent third parties.
How to implement Active Defense tools right now
One way to implement Active Defense tools easily and seamlessly into your system is using the open-source security distribution known as the Active Defense Harbinger Distribution (ADHD). This is a well-documented, well-supported, and user-friendly collection of Active Defense tools and concepts. Using this collection of tools provides organizations with a base knowledge of Active Defense tool types and uses, while also eliminating potential configuration and interoperability problems that frequently arise when selecting many individually supported tools for operation on the same system. (For more information on why traditional tools and strategies fail to address the threat of intrusion, see part two of this blog series.)
Need more help? Read the second post in this series coming next week that’s focused on why traditional tools and strategies are failing to address the threat of intrusion. We also provide guidance for organizations who wish to improve their detection and response times and effectiveness using low risk, low-cost Active Defense tools and techniques. Contact us today.