Threat intelligence can help companies move from a reactive to a proactive approach to security. With real-time context and insight into the threat landscape, you can get ahead of attackers and disrupt their agenda, thus limiting the impact and cost of attacks.
However, even with well-tuned security devices and actionable intelligence, there is still a risk that some hackers can breach your organization’s defenses.
Nothing can stop attackers from acquiring IDS/IPS and firewalls just like those used by organizations to find an unknown vulnerability and develop a new attack (also known as a “zero-day exploit”).
Active Defense (AD) is a way to turn the tables by actively engaging your adversaries. It provides an extra layer of security and improves the defense mechanisms against attempts to compromise the integrity of your organization’s information system.
By the way active defense is organized, it can be divided into three categories: active deception, preemptive attack, and counterattack. The last two are offensive in nature as they include hostile action against the supposed attacker for prevention purposes. Whereas the first category is a more interesting, non-offensive approach which allows you to learn what methods the attackers use, offering the opportunity to strengthen your defenses, which is what active defense is all about.
The primary goal of active defense is to thwart attacks and provide the defender with attribution capabilities, helping them identify their opponents, gather information about their tactics, techniques, and procedures to create threat intelligence based on this data.
The idea is to increase the complexity of an attack, making it more difficult for attackers to succeed and forcing them to make more attempts and moves which will most likely be easily detected.
One way to achieve this is to use decoys (such as honeypots or honeytokens) and monitor the attacker’s activities using SIEM (Security Information and Event Management). Each time the attacker interacts with a security component (IDS/IPS, firewall, routers, antivirus, etc.), you can track their movements and gather your own threat intelligence which can be correlated with external events.
A honeypot is a resource in an organization’s information system whose value lies in its unauthorized or illicit use. An important feature of this decoy is that normal users cannot access it.
It emulates an actual system running vulnerable services on the network, so that any attack on it can be monitored. There are many types of honeypots: general-purpose, web honeypots, databases, SSH, SCADA, VoIP, USB, etc.
Once an attacker spots this easy target, they will try to hack it, but a successful attack will yield no valid information. Due to the nature of honeypots, no damage can be done to other legitimate services within the same network.
Security staff know that most attacks on these resources can be truly malicious, and this way they can gain insight into their evolution to better protect their infrastructure. Moreover, honeypots can be used to gather forensic evidence.
The sole purpose of a honeypot is to appear to be a legitimate asset and draw attackers’ attention. Thus, from a hacker’s perspective, there should be no difference between them and genuine service devices.
Honeypot systems can be deployed in various locations within the network infrastructure, meaning that they can be placed both on the server and client side.
A server-side honeypot can utilize such services as SSH or NetBIOS, enticing attackers to abuse them so that their behavior can be monitored. On the client side, specific applications can be deployed, such as web browsers, which actively connect to remote services in order to analyze the server behavior or its delivered content, detecting malicious activities.
Honeypots can also be configured with different levels of interaction with emulated (virtual) or real resources: low, high, or hybrid.
A low-interaction honeypot emulates a resource providing limited functionality compared to the real device. To successfully deceive the opponent, the emulation has to be very accurate. Emulation is easy to implement and (in this context) reduces the risk of a device (such as a PC) being compromised. However, certain emulated resources may behave differently than real ones, so experienced hackers can identify them and quickly abort the attempted attack.
In high-interaction honeypots, real resources and systems are used instead of emulation. These are less likely to be identified, but they are complex and consume more resources, which can affect scalability and performance.
Finally, a hybrid honeypot combines the best features of both low-interaction and high-interaction honeypots.
The concept of honeypots, which consists in mimicking legitimate systems, has been extended to files. Similarly, a honeytoken is data or a digital file that looks like a tempting target for an (internal or external) attacker due to its content.
Every access to that file (token) is monitored and considered malicious. Common practice is to distribute honeytokens with attractive names, such as “port list” or “user accounts”, in a database or a register. Once an attacker accesses this information and attempts to use it, an alert is triggered.
To be effective, a honeytoken must:
- Appear genuine, valid, and desirable to an attacker
- Not interfere with normal system operations, meaning that it should never contaminate authentic data
- Be constantly monitored, meaning that any use of the information in it should always trigger an alert
- Be unique to minimize false positives
As for the location of these decoys, such places as a database, a file sharing service (FTP), a user’ email inbox, or a corporate cloud are preferable.
In addition, the location to deploy tokens in can be chosen based on external threat intelligence, placing decoys in locations known to attackers to improve the organization’s capability to analyze attacks and increase its detection and deception potential.
Improvement and Collaboration
Active defense offers a means to add an extra layer of security and allows organizations to better learn from attacks perpetrated on their network infrastructure.
Successful strategies include the use of decoys (honeypots and honeytokens) to monitor every move of the attackers, thus enhancing the analysis and response capabilities, as well as making protection of valuable information more effective.
Security teams can not only strengthen their own infrastructure to prevent further attacks, but also make the collected data public and share their internal threat intelligence with the cybersecurity community to help others defend themselves.