The rise of active defense in cybersecurity strategies
The greatest military strategists in history have lived by the philosophy of an “active defense” or the notion that “the best defense is a good offense.” This sentiment rings true now more than ever as enterprises across the globe remain at risk of a major security breach as cyber-attacks continue to grow more sophisticated and threat actors get more cunning and creative.
Organizations of all sizes, from mid-market to the Fortune 100, are applying this reasoning to their cybersecurity strategies. Increasingly, we are seeing a mind shift occur among security experts in charge of their company’s security operations center as they move from a reactive, perimeter-based security posture to one that is proactively focused on threat detection and incident response.
Active defense measures are increasingly being considered as a more streamlined, efficient, and critical part of a comprehensive security strategy. To better understand what exactly active defense is, how it works, and what benefit it can provide organizations that embrace it, here is an overview and playbook for deployment:
What is Active Defense?
Active defense incorporates offensive actions that can be applied within cybersecurity for outmaneuvering an adversary and increasing the cost of their attack. These actions are designed to detect, slow down, derail and build proactive defenses against the enemy so they cannot advance or fulfill their attack.
The concept is based on using deception technology to increase the probability of an attacker making a mistake and revealing their presence within the network. It also raises the risk profile for the cyber-adversary as they waste their time in a misleading environment, falling prey to ambiguity or blocks that increase their costs, force them to start over or find an easier target altogether.
How does Active Defense work?
An active defense strategy turns the tables on attackers, giving defenders the upper-hand against the adversary. This approach, driven by deception technology, is designed to detect a threat actor early by obfuscating the attack surface with realistic device decoys, attractive bait and breadcrumbs for misdirecting the attack.
When properly implemented, an active defense significantly reduces “dwell time” or the amount of time that threat actors remain undetected in a network until they have been removed, while also improving a security team’s mean-time-to-respond.
While average dwell time is down significantly from levels seen 10 years ago, it has plateaued recently with global median dwell time from compromise to discovery having increased from 99 days in 2016 to 101 days in 2017 (FireEye/Mandiant's 2018 M-Trends report).
Authentic deception technology closes the detection gap and decreases dwell time by tricking the attacker into engaging and leads them to believe they are escalating their attack. In reality, they are wasting their time in the deception environment and providing threat, adversary, and in some cases, counterintelligence to the defenders. The forensic information gathered can then be applied to prevention, isolation, and threat hunting to stop a live attack and prevent the attack from resurfacing.
For a full active defense, the activities don’t stop at detection, but provide equal value in attack analysis, forensic reporting, and automations to expedite incident response.
Who uses Active Defense?
This topic was recently a focus at the World Economic Forum, where the Department of Homeland Security identified active defense as a top priority for the security of industrial infrastructure systems.
That said, an active defense is not limited to military applications or protecting critical industrial control system (ICS) environments exclusively. Deception for an active defense can be an instrumental resource within any organization’s security control stack for the benefit of early detection, changing the asymmetry of the attack, and for improving overall incident response.
Why is Active Defense important?
As in any game against an adversary, you need both defensive and offensive strategies. An active defense adds the offense-driven actions so that organizations can proactively detect and derail would-be attackers before they have time to get comfortable within the network, stopping attacks early and gathering the threat intelligence required to understand the attack and prevent a similar recurrence.
Sometimes active defense includes striking back at an attacker, but this is reserved for military and law enforcement that have the resources and authority to confirm attribution and take appropriate action.
An active defense strategy changes the playbook for cybersecurity professionals by combining early detection, substantiated alerts and information sharing to improve incident response and fortify defenses. It is no longer “a nice to have,” but instead is becoming more widely accepted as a “must have” as prevention-only tactics are no longer enough.
With well-orchestrated breaches continuously making headlines, an active defense strategy is becoming a priority. Investment in sound, next generation security technology should be carefully considered to outmaneuver, deceive, and detect attackers and put the power back into an organization’s hands.