Global research and advisory firm, Gartner, forecasts that information security spending will exceed $124 billion in 2019, yet cyber defenses continue to fail. Organizations large and small continue to experience breaches of all varieties resulting from zero-day exploits, failures in vulnerability patching, and phishing.
The market has responded with a variety of security governance and control frameworks including CIS 20, ISO 27001, PCI, and NIST CSF. All these approaches promote a defense-in-depth strategy, but most controls are passive.
As the proliferation of knowledge and tools to attack networks increases, management should begin to consider new methods of detecting, deterring and attributing criminal activity. This has led to the development of a new approach to cybersecurity called “Active Defense”.
What is Active Defense?
Active Defense refers to defensive measures meant to increase the cost and complexity of attacking networks. The basic premise of Active Defense involves implementing tools and techniques meant to actively detect, deter, and attribute threats. These tools and techniques are often above and beyond the baseline control set required by common information and cybersecurity frameworks which tend to be preventative and detective in nature.
Before an organization should consider Active Defense measures, it important that they reach an acceptable baseline of maturity. If an organization has not yet implemented the controls established in the CIS 20 or NIST CSF, it may not yet be mature enough to also manage Active Defense measures.
Categories of Active Defense
Active defense measures generally fall under one of three categories: detection, deterrence, or attribution. Note that ‘attack’ is not a category. The idea of “hacking the hacker” is against the law in many jurisdictions. Let’s explore each category of active defense measures.
Detection: Active Defense Detection controls include tripwires, honeypots/nets, and honey accounts. A simple example would be to implement a canary token (a.k.a. honeytoken) on a file within a seemingly sensitive file share. When accessed, an alert would be sent to a SIEM or email inbox.
Note that all these measures are more proactive than ongoing monitoring controls in that they try to trick a malicious actor into taking the bait. They should not be used as a substitution for effective ongoing monitoring and logging.
Before an organization can successfully implement Active Defense Detection measures it must have other baseline controls and processes established, including:
- Effective asset and network management: you must know what you have in order to protect it.
- Data classification: you must identify crown jewels and where they are located to protect them.
- Effective event logging and monitoring: you need a way to intercept and monitor triggers.
- Operating incident response process and procedures: you must be prepared to effectively respond to triggers efficiently and predictably.
- Forensic capabilities: you must be able to investigate and contain threats.
Deterrence: Active Defense Deterrence includes tools meant to frustrate and deter attackers. The most common deterrent tools are meant to prevent network and DNS enumeration, port and host discovery scanning and spidering tools from being able to function. These deterrents will severely frustrate or slow down attackers, allowing more time and opportunity for monitoring and detection tools to catch them.
As with Active Defense Detection controls, these measures should not be implemented instead of strong configuration management. Before implementing these types of controls, the organization should first establish the following baseline controls:
- DNS secure configuration: secure internally managed DNS servers against cache poisoning and zone transfers, establish name server monitoring for unauthorized changes, and secure the host and lock down how people access the server to manage it (e.g. PKI to govern issuing digital certificates used to authenticate to the server).
- Implement robust configuration management: know which ports and services should be made available for all hosts on the network and configure them to disallow everything else. Have a robust process in place to govern configuration changes.
Attribution: The goal of Attribution Active Defense tactics is to discover the intruder’s MAC address, IP address, and/or physical location. Many of these tools involve tricking an attacker into accidentally running a script, applet, or application similar to what they may be attempting against their victims. These tools are designed to then report back to the organization with the attribution information.
Attribution Active Defense tactics are arguably the least beneficial for an organization to implement, and depending on how the solution implemented functions, may also violate the US Computer Fraud and Abuse Act, which prohibits accessing a system without authorization.
There are also many other non-intrusive means of performing attribution through effective logging and the forensic techniques used during Compromise Assessments and Threat Hunting exercises.
Before implementing these techniques, the following minimum baseline of controls and processes should be in place:
- Effective event logging and monitoring: you need a way to intercept and monitor triggers.
- Operating incident response processes and procedures: you must be prepared to respond to triggers effectively, efficiently and predictably.
- Forensic capabilities: you must be able to investigate threats and analyze forensic data.
- Legal advisory: you should have appropriate legal advisory and a process in place to provide oversight of any tools that might be considered invasive and in violation of applicable laws.
Getting Started with Active Defense
Security teams can easily lab test Active Defense controls by using the Active Defense Harbinger Distribution (ADHD3). ADHD3 is a Linux distribution maintained by Black Hills Information Security and sponsored by The Defense Advanced Research Projects Agency (DARPA).
Two appropriate tools to consider when evaluating Active Defense measures are Artillery and LaBrea.
Artillery – Honeypot, Monitoring, and Alerting System
Artillery is an open-source tool that provides honeypot, monitoring and alerting functionality meant to be utilized by Blue teams. The tool is included in the ADHD3 Linux build and also available on Github at https://github.com/BinaryDefense/artillery.
The utility features monitoring and alerting on port scans for specific ports and auto blacklisting of IPs suspected of unauthorized port scanning. The tool will also monitor folders for unauthorized modifications and SSH logs for brute force attempts.
In risk3sixty’s demo, Artillery set up common open ports on its host and was configured to send an e-mail alert if any of its ports were scanned or interacted with. Any interaction with the tool would yield nonsensical results.
An Nmap scan of the Artillery host provided several services that would be of interest to any attacker:
When attempting to interact with the VNC server, the server returns endless login failures.
When attempting to interact with the server via a web browser, Artillery returns useless data as shown below.
If an attacker attempts to enumerate users on the Artillery server, it returns the ‘root’ and ‘mysql’ users as legitimate users which would likely result in excessive time taken to investigate, and ultimately result in a dead-end.
LaBrea – Deterrence
LaBrea is a classic network scanning deterrence tool that still serves as a great example of how active defense measures can be used to slow down the spreading of wormable malware and frustrate attackers.
LaBrea works by watching the network for ARP requests and, for every unanswered ARP request, crafting a new packet and inserting a fake MAC address, essentially filling in the unused address space within a switch.
Next, LaBrea will wait for port scans on address space it has filled, and when it is pinged, it will respond to every request on every port, with a TCP window size of 0 (which severely slows down the port scan).
In risk3sixty’s demo, LaBrea was set up in a test network with limited infrastructure and limited nodes all assigned IP addresses via static assignment. Please note that proper planning would need to be completed before setting LaBrea up in an environment using DHCP.
We first scanned the network with NMAP using nmap -sV -n -v -Pn -p- -T4 192.168.1.0/24. The result was as expected. The scan moved at an unreasonably slow pace. Nmap immediately had difficulty handling the responses and based on the processing speed, it may have taken over a week to scan a /24 network.
This type of port scanning is like the behavior you might expect from wormable malware looking for hosts with specific vulnerable ports open to attack.
Next, we performed a scan of the same network with Nessus Professional. Nessus was able to defeat LaBrea, which discovered the live clients within our test network in a reasonable amount of time.
These results are not necessarily bad, as automated port scanning completed by malware is likely to resemble scans completed by Nmap, and a skilled attacker would likely avoid a noisy vulnerability scanner like Nessus. Further, this demonstrates that legitimate vulnerability scanning could be completed with LaBrea in place.
Future of Active Defense
Active Defense measures are still relatively niche tools in most organizations’ security infrastructure, and we have yet to see them included in popular security frameworks like NIST 800-53 and CIS 20. Today, most tools available are open-source. Very few commercial products exist on the market.
In the future, we may begin to see expanded use of these techniques, especially in Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) environments which virtually always require legacy system support and rely on a strong perimeter defense to secure the assets within.
Active defense is not a silver bullet or a replacement for best practices, but it can provide the organization with additional proactive measures and creative solutions.