Active Defense 101
By: Carolyn Crandall, Chief Deception Officer/CMO
From Sun Tzu to George Washington, some of the greatest military strategists in history have lived by the philosophy that “the best defense is a good offense,” and the proverb also rings true when it comes to IT security. At Attivo, we see “good offense” as an active defense. In cybersecurity, active defense is a critical part of a solid security strategy – no matter the industry or size of the company. To better understand what exactly active defense is, how it works, and how organizations can benefit from it, check out our active defense playbook:
What is active defense?
The World Economic Forum defines “Active Defense” as a term that captures a spectrum of proactive cybersecurity measures that fall between traditional passive defense and offense. Attivo takes this a step further and believes that the most effective Active Defense incorporates offensive countermeasures that can be applied within cybersecurity to outmaneuver an adversary and increase their cost of attack.
What does active defense do?
Within cybersecurity, these actions are designed to slow down, derail, and build proactive defenses against the enemy so they cannot advance or fulfill their attack. The concept is based on increasing the probability of an attacker making a mistake and revealing their presence within the network. It also raises the risk of the cyber-adversary as they waste time in a misleading environment, falling prey to ambiguity or blocks that force them to start over or find an easier target altogether.
How does active defense work?
An Active Defense strategy changes the asymmetry of an attack, giving defenders the upper hand against attackers. This approach, driven by deception technology, is designed to detect a threat actor early in their activity by obfuscating the attack surface with realistic device decoys, attractive bait, and breadcrumbs that misdirect the attack. The deception environment tricks the attacker or malware into engaging and leads them to believe they are escalating their attack, when in fact they are wasting their time and actually providing threat, adversary, and in some cases counterintelligence to the defender. The forensic information gathered can then be applied to prevention, isolation, and threat hunting defenses to stop a live attack, find forensic artifacts, and prevent the attack from resurfacing. For a full Active Defense, the activities don’t stop at detection, but provide equal value in attack analysis, forensic reporting, and automation to expedite incident response.
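As an added illustration of the bait-and-breadcrumb detection described above (example code written for this page, not Attivo's product): decoy credentials are planted on real hosts, and because no legitimate workflow ever uses them, any authentication attempt with one is a high-fidelity alert that names the attacker's source address. The decoy usernames, hostnames and log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed inventory of planted breadcrumbs: decoy username -> the decoy
# host the bait points at. These names are hypothetical, not real assets.
BREADCRUMBS = {
    "svc_backup_ro": "decoy-nas01",
    "oracle_admin": "decoy-db02",
}

# Constructed sshd log lines (sample data, not captured from a real system).
# Line 3 is a legitimate login and must not raise an alert.
SAMPLE_LOG = """\
Mar 14 02:11:07 decoy-nas01 sshd[4121]: Failed password for svc_backup_ro from 10.20.30.40 port 51022 ssh2
Mar 14 02:11:09 decoy-nas01 sshd[4121]: Failed password for svc_backup_ro from 10.20.30.40 port 51023 ssh2
Mar 14 02:12:40 fileserver sshd[2210]: Accepted publickey for alice from 10.20.30.8 port 49000 ssh2
Mar 14 02:15:02 decoy-db02 sshd[977]: Accepted password for oracle_admin from 10.20.30.40 port 51100 ssh2
"""

# Matches the common sshd "Failed/Accepted <method> for <user> from <ip>" shape.
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

@dataclass(frozen=True)
class Alert:
    src: str      # address the attacker came from
    user: str     # decoy credential that was used
    host: str     # host that saw the attempt
    result: str   # "Failed" or "Accepted" (Accepted = decoy fully engaged)

def find_breadcrumb_use(log_text):
    """Return one Alert per log line in which a planted decoy credential appears."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["user"] in BREADCRUMBS:
            alerts.append(Alert(m["src"], m["user"], m["host"], m["result"]))
    return alerts

def sources_to_isolate(alerts):
    """Map each offending source to the decoy hosts it touched; this is the
    forensic artifact handed to incident response for isolation."""
    touched = {}
    for a in alerts:
        touched.setdefault(a.src, set()).add(BREADCRUMBS[a.user])
    return touched
```

Because the decoy credentials are never used legitimately, the result needs no tuning against normal traffic; a single hit is enough to start response and to enrich the source with the decoys it followed.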
Who uses active defense?
The topic of “who uses active defense” was recently a focus at the World Economic Forum, where the Department of Homeland Security identified Active Defense as a top priority for securing industrial infrastructure systems. That said, an Active Defense is not limited to military applications or to protecting energy or other critical industrial control systems. Deception for an Active Defense can be an instrumental resource within any organization’s security control stack for the benefit of early detection, changing the asymmetry of the attack, and improving overall incident response.
Why is active defense important?
It is essential to have both defensive and offensive strategies. An Active Defense adds the offense-driven actions so that organizations can proactively detect and derail attacks early and gather the threat intelligence required to understand the attack and prevent a similar recurrence. Sometimes Active Defense means striking back at an attacker, but this should be reserved for military and law enforcement that have the resources and authority to confirm attribution and take appropriate action.
Learn more about why solely implementing prevention-based security solutions is no longer a reliable line of defense against today’s sophisticated cyber attackers, and how the Attivo ThreatDefend™ Deception and Response Platform takes a comprehensive active defense approach here.