Once an attacker enters your network, one of their first actions will be to try and hide their tracks by blending in, using methods of deception such as mimicking normal user activities. A cyber defender can also use methods of deception to detect and slow the advance of these adversaries. This is known as an active defense. This article will discuss some methods of using Active Defences, sometimes referred to as ’deceptions,’ as one part of a comprehensive cyber defense strategy.
Deception is a methodology used by cyber defenders that falls under the active defenses category. The simplest example of a deception method is creating a user account with no assigned roles or privileges. This user account cannot be used for authentication by a threat actor. However, the moment they try to authenticate, the action is logged, and the SOC can be notified that unauthorized activity is occurring. This method is much more powerful than a typical user authentication failure since no one has been authorized to use this account. So, 100% of the login activities are true positive threats.
(Microsoft’s Defender for Identity provides the capability to use ‘honeytoken user accounts’ to detect and alert on malicious activity).
Originally a military term, Active Defenses are methods used to confuse and slow an attacker, usually after they’ve accessed your network. A common technique for hackers is to move laterally once they’ve established a foothold. This lateral movement may involve scanning for new hosts to exploit. If some of these new hosts are part of an Active Defense deployment, the security team will detect the attacker.
Think of active defenses as anything placed on your network that can act as a 'land mine,' triggering an alert in your SIEM if it is accessed or changed.
Active Defenses can take many forms, such as honeypots, fake user accounts, or an Excel sheet containing fake credit card information. Let's discuss some of these methods.
Network services such as domain controllers, file shares, FTP services, etc. If a malicious actor attempts to connect to these devices, the honeypot will collect extensive amounts of data about the attacker's activities.
Image 1: Basic honeypot example. Courtesy: Wikipedia.
A couple of other examples of Active Defenses include:
Automatic Attacker Disruption
Some EDR/XDR services now provide attacker disruption features. This means if the EDR detects malicious activity it will automatically take actions to slow the attack on all associated high-risk assets.
Image 2: Example of attacker disruption with Microsoft’s Attacker Disruption feature.
User containment
Some EDR/XDR services can automatically detect high risk users or users associated with an EDR alert, and can automatically take action to disable or contain the user account.
All security operations should include active defenses as part of their defense architecture. Start with fake user accounts, consider deploying deception services, and look at your EDR’s attacker disruption capabilities. Active Defenses are a practical method of security defense that can be used to deceive even the cleverest of attackers.
References
About This Blog Series
Follow the full series here: Building Defenses with Modern Security Solutions
This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.
Labs
For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.
Compliance
All topics mentioned in this series have been mapped to several compliance controls here.
David Broggy, Trustwave’s Senior Solutions Architect, Implementation Services, was selected last year for Microsoft's Most Valuable Professional (MVP) Award.