Active Defense: Good protection doesn’t need to be offensive

Just Google for the search term ‘“active defense” startup’ and it is clear that this is a hot growth area in Internet security. But what is it, exactly? The answer to that question is difficult and controversial, as this is a new name for a wide range of activities that have become increasingly popular as attacks on government and company systems have become both more complicated and more highly targeted.
Active Defense is controversial in part because it has often included the idea that people should “hack back” at intruders. But there are plenty of ways to more proactively defend companies’ resources that do not involve getting into grudge matches with criminals.
Active Defense comprises a range of activities, either within the targeted network or outside of it. These activities can be grouped into three broad areas:

• Attribution
• Prevention
• Retribution

Attribution: Who is attacking, and how?

Attribution pertains to gathering data about specific attack techniques, vectors and origins in order to improve reactive defense technologies. Improving existing defenses is generally done by adding distinctive attack indicators to filtering software, or by black-listing the origination or destination sites of malicious traffic. This information can then be shared with security researchers (such as your security product vendors) and law enforcement officials, to help protect the community at large.
It is important to note that attribution does not mean to positively identify a malicious individual, as attackers commonly use misdirection and proxies to complicate exact identification. Identification is best left to law enforcement, who can collate data from multiple sources and use judicial means to find the culpable parties.

Prevention: What can we do to stop attacks?

Prevention is the area where the broadest range of potential activities resides as it includes both disrupting and preventing the intruder from initiating an effective attack. By thwarting an intruder’s ability to get a complete and accurate picture of your environment, some attacks can be prevented before they have even begun. Active attacks can also be disrupted by directing attackers away from critical resources, or by putting up attack-specific defenses.
Before attackers begin an attack, their first task is to find good targets. Intruders will try to find out what they can about your network and your resources, to determine whether it is worth their effort. Ideally, they would like a target that is relatively unguarded and contains valuable data. Actively preventing attacks at this stage could take the form of denying access or providing misleading data in strategic places.
Be aware that in some cases providing attackers with false data (such as financial information) could get you in legal trouble, and it could inadvertently spill over into the “real world” and affect stock valuation or company reputation. But you can more safely provide fake email addresses that would be gathered by content scrapers or by attackers trying to target key employees.
Disruption tactics require a clear understanding of what is going on within a company’s network, so that normal traffic can be differentiated from anomalous traffic. With a solid “baseline” of what constitutes normal traffic, unknown or suspicious traffic can be sent to a walled garden or it can be used to lock down further access. Some malware authors take similar actions when their code detects it is running on research machines – they may present alternate behavior or cease execution altogether.
Two of the most popular types of tools used for prevention and disruption are Honeypots and Tar Pits. Both tools’ names give a sticky mental image, and indeed both are intended to hold an attack in place for a time, but through different means.
A Honeypot lures in an attacker, appearing to be a poorly defended user’s machine, where an attacker could try to gain access to a network or to install malware that could spread throughout the environment. Not only does this potentially fool some attackers, it also provides data and possible samples to potentially help protect against attacks at other points in the network.
A Tar Pit is intended to slow an attacker by intentionally delaying initial responses to incoming connections. The idea behind this technique is that legitimate traffic will not be troubled by a brief delay – but an attack that is generating large amounts of unwanted traffic will be less effective if it’s spread out over time, and this extra time could be crucial to allow defenders to detect and block an attack before it causes problems.

Retribution: Vengeance is a double-edged sword

Having covered Prevention techniques, we are now left with Active Defense by Retribution. This is legally questionable when the intruder is on your own network, and in almost every jurisdiction around the world it is illegal when the target machine is outside your own domain. Retribution is what is commonly called “Hacking Back”, and is the cyber-equivalent of poking a hornet’s nest.
This is so far outside the realm of a worthwhile use of resources that it is not worth serious consideration. Unless your defenses are already ironclad, this will bring you far more pain than protection. Attackers may have far more inclination and resources to continue escalating the attack if provoked. Add to that the fact that attribution is exceedingly difficult: You may very well end up attacking a third party that is an unwitting victim in the attack.

Effective Use of Active Defense

Now that we have established what Active Defense is, we can discuss how it can effectively be used to help defend your network. If you consider the potential types of Active Defense as a grid, we can narrow actions down to those that have the most potential return on investment – those that might be worth using in your environment.

	Internal	External
Attribution	Yes	Maybe
Prevention	Yes	Maybe
Retribution	No	No

Along the continuum of possible actions, the more you lean towards staying within your own network – to only collecting data or making modifications in your own environment – the cheaper, and simpler positive outcomes can be. And conversely, any time you enter onto or modify a remote machine, not only does defending your actions in a court of law become significantly trickier, but the return on your own investment of time and effort also quickly plummets.
Even if you could conclusively identify a machine as one belonging to an attacker, two legal wrongs do not make a right. It would also be very difficult to ensure that no other, innocent machines are collaterally damaged by your attack. Beyond that, you cannot truly exclude the possibility that the machine you have identified is one that has been compromised and used as a proxy to attack you. The likelihood is that vengeance would blaze a trail of destruction for everyone but the attacker him or herself.
Gathering data for its own sake, on activities within your network, is generally safe territory. Whether the data is about employees or intruders, law in most countries generally protects monitoring and logging. When it is used for attribution to be shared with law enforcement, it is not only helpful to your company; it can potentially be used to help protect the Internet at large. Gathering data from outside sources can be considered acceptable, if the data is publicly available or if the provider of those resources agrees to cooperate. Compelling those providers to provide data – particularly when the provider is located in another country – can be difficult at best. Hacking your way into remote networks to gather data would obviously be very difficult to defend, legally speaking.
One important component of gathering attribution data is to use it to identify anomalous behavior. This can be tricky for some organizations, as there is little understanding of what legitimate users are doing on the network. In order for this tactic to be useful, you will need to answer a number of questions about what constitutes normal traffic patterns within your network. For example:

• What times of day are people likely to be using the network?
• What cities will they be accessing it from?
• What destinations will (or should) users go to?
• What behaviors and traffic types are approved?
• Who should be accessing specific resources?

Once these questions are answered, and legitimate traffic is better codified, you can then use attribution data to better identify abnormal behavior in order to re-route or stop suspicious traffic.
Setting up Honeypots and Tar Pits on your network is a much simpler matter, and there are many freely available resources to help you do this. These tools are not meant to stop an intruder per se, but to lure them into places within your network so that you can study their tactics and better protect your more valuable resources.

Why You Might Use Active Defense

Now that we have defined Active Defense and how it is best employed, you might be wondering how this might be worth the effort for you. Many companies feel besieged by attackers, and they find that traditional defenses alone are not giving them the visibility they need to defend their environment. Employing more proactive strategies can certainly be a way to strengthen your security responsiveness and visibility, if you have the bodies and brains available to act on that data.
These techniques are not “set it and forget it” defenses, but a potentially invaluable source of information that can be used to tailor existing defenses to your own particular threat landscape. If that information is not put to use, all you’ll gain is a bird’s eye view of virtual burglars rifling through your files. It is up to you to determine according to your own particular risk-level and degree of risk-aversion whether this is worth the time and effort.