An active defense is the use of offensive actions to outmaneuver an adversary and make an attack more difficult to carry out. Slowing down or derailing the attacker so they cannot advance or complete their attack increases the probability that the attacker will make a mistake and expose their presence or reveal their attack vector.
While the term active defense is often associated with military applications and protecting critical infrastructure and key resources (CIKR), it also applies to information technology (IT) security. In cybersecurity, an active defense raises the financial cost of an attack in terms of wasted processing power and time. Applying offense-driven strategies is critical to detecting and stopping not only external threat actors, but also insiders and attackers with varying motivations, including ransomware, extortion, and cryptojacking.
An active defense complements offense-driven actions so that organizations can proactively detect and derail attacks early and gather the threat intelligence required to understand the attack and prevent a similar recurrence. Sometimes active defense includes striking back at an attacker, but this is normally reserved for military and law enforcement agencies, which have the resources and authority to confirm attribution and take appropriate action.
Deception technology often plays an important role in active defense. It is designed to detect an attacker early in the attack cycle by obfuscating the attack surface with realistic device decoys, attractive bait, and breadcrumbs that misdirect the attack. The deception environment tricks the attacker or malware into engaging and leads them to believe they are escalating their attack, when in fact they are wasting their time and processing power and may actually be providing the defender with counterintelligence.
The forensic information gathered through an active defense can then be applied to prevention, isolation and threat hunting defenses to stop a live attack, find forensic artifacts and prevent the attack from resurfacing. For a full active defense, the activities don’t stop at detection, but provide equal value in attack analysis, forensic reporting and the use of automation to expedite incident response.
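The breadcrumb detection described above and the pivot from a deception alert to isolation and threat hunting can be shown in a small monitor. The following Python is an added example, not code from the original page or from any deception product: it assumes two constructed decoy account names that no legitimate job ever uses, parses constructed sshd-style authentication log lines, alerts on any attempt against a decoy account, and then turns the alerting source addresses into hunting leads (every host and account those addresses touched, including real accounts they succeeded against). The log lines, hostnames and addresses are all constructed sample data.

```python
import re
from collections import defaultdict

# Constructed decoy ("breadcrumb") accounts. They exist only to be discovered by
# someone harvesting credentials; no legitimate process ever logs in with them,
# so any authentication attempt against them is a high-confidence alert.
DECOY_ACCOUNTS = frozenset({"svc_backup_legacy", "admin_dr_test"})

# Constructed sample auth log. Addresses are documentation ranges (RFC 5737).
SAMPLE_AUTH_LOG = [
    "Jan 12 03:14:07 web01 sshd[2211]: Accepted publickey for deploy from 198.51.100.7 port 40122 ssh2",
    "Jan 12 03:14:20 web01 sshd[2240]: Failed password for svc_backup_legacy from 203.0.113.45 port 51234 ssh2",
    "Jan 12 03:14:21 web01 sshd[2240]: Failed password for svc_backup_legacy from 203.0.113.45 port 51234 ssh2",
    "Jan 12 03:15:02 db02 sshd[918]: Accepted password for admin_dr_test from 203.0.113.45 port 51301 ssh2",
    "Jan 12 03:15:40 db02 sshd[931]: Accepted password for postgres from 203.0.113.45 port 51310 ssh2",
    "Jan 12 03:16:00 web01 sshd[2300]: Failed password for invalid user root from 192.0.2.9 port 3333 ssh2",
]

# Matches the sshd "Accepted/Failed <method> for [invalid user] <user> from <ip>" shape.
_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+\w+\s+for\s+(?:invalid user\s+)?(?P<user>\S+)"
    r"\s+from\s+(?P<ip>[\d.]+)"
)


def parse_auth_line(line):
    """Return a dict (ts, host, result, user, ip) for one sshd auth line, else None."""
    m = _AUTH_RE.match(line)
    return m.groupdict() if m else None


def detect_decoy_use(lines):
    """Alert on every authentication attempt, successful or not, against a decoy account.

    A failed attempt is as interesting as a successful one: the only way to
    know the decoy name is to have found the planted breadcrumb.
    """
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev and ev["user"] in DECOY_ACCOUNTS:
            alerts.append({
                "ts": ev["ts"],
                "host": ev["host"],
                "account": ev["user"],
                "src_ip": ev["ip"],
                "result": ev["result"],
            })
    return alerts


def pivot_by_source(lines, alerts):
    """Turn decoy alerts into hunting leads and an isolation list.

    For each source address that touched a decoy, collect every host it
    authenticated to, every account it tried, and the logins that succeeded,
    so responders can isolate the address and hunt on the real accounts it reached.
    """
    suspect_ips = {a["src_ip"] for a in alerts}
    leads = defaultdict(lambda: {"hosts": set(), "accounts": set(), "accepted": []})
    for line in lines:
        ev = parse_auth_line(line)
        if ev and ev["ip"] in suspect_ips:
            lead = leads[ev["ip"]]
            lead["hosts"].add(ev["host"])
            lead["accounts"].add(ev["user"])
            if ev["result"] == "Accepted":
                lead["accepted"].append((ev["host"], ev["user"]))
    return dict(leads)


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_AUTH_LOG)
    for a in found:
        print(f"DECOY ALERT {a['ts']} {a['host']}: {a['result']} login as {a['account']} from {a['src_ip']}")
    for ip, lead in pivot_by_source(SAMPLE_AUTH_LOG, found).items():
        print(f"isolate {ip}; hosts touched {sorted(lead['hosts'])}; "
              f"accounts tried {sorted(lead['accounts'])}; successful logins {lead['accepted']}")
```

The unrelated failed root attempt from a third address produces no lead, because the pivot is keyed only on addresses that interacted with a decoy; this keeps the isolation list to sources whose malice the deception layer has already established rather than every noisy scanner in the log.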