Active Defense

Active defense is the use of offensive tactics to outsmart or slow down a hacker and make cyberattacks more difficult to carry out. An active cyber defense approach helps organizations prevent attackers from advancing through their business networks. It also increases the likelihood that hackers will make a mistake and expose their presence or attack vector.

Active defense involves deception technology that detects attackers as early as possible in the attack cycle. Active cyber techniques include digital baiting and device decoys that obfuscate the attack surface and trick attackers. This misdirection wastes attackers’ time and processing power while providing vital active cyber intelligence data.

Active defense supports offensive actions and can sometimes involve striking back against an attacker. However, it is typically reserved for law enforcement agencies that have the authority and resources to take the appropriate action.

Active defense helps organizations detect potential security threats as quickly as possible. With active defense, organizations can identify potential intrusions before attackers steal data, intellectual property, or other essential resources.

It provides crucial techniques that slow down attackers and makes it more difficult for hackers to infiltrate or undermine applications, networks, and systems. It also offers vital threat intelligence data that allows organizations to understand attacks and prevent similar future events. They can apply this information to defense strategies and strengthen their incident response to avoid the threat resurfacing.

Active defense can be highly effective in detecting and responding to threats. Organizations can use honeytokens, a tactic that helps companies quickly attract attackers, to prevent attacks against their systems. 

A good example of this is Project Spacecrab, which discovered an 83% chance of honeytoken credentials on GitHub being used by attackers. It also found the average time a hacker takes to exploit this form of token when it gets posted is 30 minutes. Additionally, a security experiment supported by the U.K.’s British Broadcasting Corporation (BBC) in September 2017 seeded email marketing lists with fake email addresses. The investigation found it took 21 hours for phishing emails containing malicious attachments and links to be sent to the fake addresses. 

Organizations can gather intelligence on attackers using honeytokens, sometimes also known as honey traps or honeypots. Honeytokens are bogus or dummy resources that can be placed in a network or system to attract the attention of attackers. They can be an application, a dataset, or a complete system, which are placed in a network to distract cyber criminals. 

Furthermore, honeytokens contain digital information that enables organizations to monitor for data theft and tampering.

Types of honeytokens that organizations can use include the following:

1. Creating fake email addresses: Email is a popular attack vector for cyber criminals, who use the medium to launch phishing attacks containing malicious attachments and links to spoofed websites. Businesses can take advantage of this by creating fake email addresses, which use made-up names, that sit within plain sight of their mail server or public web server. Fake email addresses should not be used but can be deployed to attract phishing or spam messages from attackers. Any message that reaches a fake email address can only have originated via unauthorized access to the organization’s email address list, mail server, or web server. These messages give organizations vital insight into how attackers targeted them and the phishing attack methods they use.
2. Dropping fake database data: Another popular technique is to insert fake data, such as fake records or content, into existing databases. The aim is to lure attackers into stealing the fake data or encourage malicious insiders to give it away. The technique provides organizations with useful information on how attackers gained access to corporate systems and exploited their networks’ weaknesses.
3. Deploying fake executable files: Fake .exe files are presented as applications or software programs that activate a "phone home" switch when the attacker runs them. The organization receives information about the attacker, such as their Internet Protocol (IP) address and system details, commonly known as a "hack back." The approach can also cause damage to an attacker’s system and violate cybersecurity and privacy regulations. 
4. Embedding web beacons: Web beacons contain an internet link to an object embedded in a file small enough not to be spotted. When an attacker opens a document that includes a beacon, the organization that created the beacon receives details of the computer system and its internet location. Like the fake executable files approach, this method relies on attackers not deploying a firewall against outgoing traffic or external ports. 
5. Using browser cookies: Organizations can set up browser cookies that act as honeytokens to avoid the issue of attackers blocking their ports with a firewall. This approach is particularly successful when relying on human error and if attackers do not clear their browser cache to hide their location and online activity.
6. Setting up canary traps: Canary traps focus on whistleblowers that give up or sell data that they should not. This honeytoken method uses some form of tracer or marker tied to the piece of data that the whistleblower shares. For example, the Screen Actors Guild used this technique to expose members who leak movies submitted for Oscar consideration. 
7. Placing AWS keys: The Amazon Web Services (AWS) cloud platform uses digital keys to unlock its access management infrastructure. Organizations can place these keys in various locations, such as desktops, GitHub repositories, and text files. They are highly valuable to cyber criminals, who could use the keys to control an organization’s infrastructure or gain access to corporate networks. However, to discover how far into an organization’s infrastructure an AWS key will take them, an attacker has to test it. These keys have logging mechanisms built into them, which means organizations can use them as honeytokens to analyze, monitor, and record attacker actions.

Active defense is a crucial tool for enhancing organizations’ security measures. The tactics above enable security teams to gather intelligence on the techniques that cyber criminals use, how they go about exploiting vulnerabilities, and the types of information they look for. This information is crucial to better understand attackers’ motives and ensure organizations’ security measures are protected against the latest cyber threats.