Thoughts on Active Defense, Intrusion Deception, and Counterstrikes
“active defense” is not the same as “strike back.” The first sentence is a bullshit premise.
Active defense, deception, and counterattacks are things I have been interested in for a long time. The principles aren’t new – just go read the Cuckoo’s Egg – but we are seeing a small revival as the nature of attackers cycles back to data theft from the decade-plus distraction of website defacements and low-end phishing & malware.
Mike and I talk a lot about reacting faster and better (see React Faster and Better: New Approaches for Advanced Incident Response). As is now being recognized more broadly, no security toolset can eliminate successful attacks, so we need to focus just as heavily on incident response.
We generally lack mechanisms to identify the attacks that our tools miss.
I wrote in Force Attacker Perfection that we can put in more barriers and monitors to increase our chances of detecting an attack. But my premise was a bit flawed – we still need some sort of trigger to identify real attacks, with far fewer false positives than we have come to accept from our tools. No one has time to look through every SIEM or IDS alert on a day to day basis, never mind logs.
One way around this is to implement active defenses, honeypots, and tripwires. To avoid Menn’s mistake, here are some possible definitions we can work with:
- Active defense: Altering your environment and system responses dynamically based on the activity of potential attackers, to both frustrate attacks and more definitively identify actual attacks. Try to tie up the attacker and gain more information on them without engaging in offensive attacks yourself. A rudimentary example is throwing up an extra verification page when someone tries to leave potential blog spam, all the way up to tools like Mykonos that deliberately screw with attackers to waste their time and reduce potential false positives.
- Intrusion deception: Pollute your environment with false information designed to frustrate attackers. You can also instrument these systems/datum to identify attacks. DataSoft Nova is an example of this. Active defense engages with attackers, while intrusion deception can also be more passive.
- Honeypots & tripwires: Purely passive (and static) tools with false information designed to entice and identify an attacker.
- Counterstrike: Attack the attacker by engaging in offensive activity that extends beyond your perimeter.
These aren’t exclusive – Mykonos also uses intrusion deception, while Nova can also use active defense. The core idea is to leave things for attackers to touch, and instrument them so you can identify the intruders. Except for counterattacks, which move outside your perimeter and are legally risky.
You don’t need to be highly advanced to implement some of these ideas, and you certainly don’t necessarily need products. We are starting to integrate some of these concepts into our environment, and doing so creatively with no real budget. But my biggest fear isn’t being attacked, or even breached – I worry about finding out on Pastebin or in the morning news. I know I can’t keep all attackers out, and I can’t review our forensic logs every day, and I know that no signature-based tool can detect everything, so my only choice is to drop some tripwires to hopefully figure out when someone makes it in.
I’m not saying my definitions are canonical – and they need work – but it’s important to distinguish between passive deception, active deception/defense, and offensive activity.
They are not equivalent.