22 tweets, 6 min read
Have you implemented active defense strategies in your environment? Do you know what active defense is vs. normal security monitoring? Let's talk about some technologies/generic strategies.

Shout out to @strandjs @BHinfoSecurity @ActiveCmeasures @corelight_inc
#30DaysofThreads
Active defense is a strategy that doesn’t just wait for an adversary to attack and then solely block or react. Instead, it can be seen as an engaged defense that is actively lying in wait: think of tripwires implemented to attract and alert on malicious actions.
I'm going to discuss two flavors of AD: annoyance and attribution. In the above diagram I have laid out a very generic architecture and labeled a variety of different infrastructure components and the tools/strategies that could be implemented on them.
The underlying principle in a successful active defense implementation is that annoyance time + detection time < time it takes for a successful compromise.
Tool 1: Sysmon
Purpose: Provides additional context and correlation that native Windows logging doesn’t provide.
Implementation: Implement on all Windows servers and workstations (if feasible). Logs can be fed to the SIEM and alerts tailored.
Tool 2: AppLocker
Purpose: Allows whitelisting and blacklisting of applications within the Windows environment. Can be in alert or blocking mode. Alerts can be set up whenever a block occurs or non-approved software is run.
Implementation: Implement on all Windows devices.
Configurations are pushed out via GPO.
Challenges: Tuning to ensure that only the proper applications are allowed. Ensuring that the approved list is updated and that the certificate store that holds the certs to check for signing applications is monitored and protected.
Tool 3: Honey Accounts
Purpose: Accounts that are set up within the environment to look like critical accounts with the broad permissions an attacker would want. Attackers will see them, and possibly attempt to use them, when pulling domain account lists, due to the intriguing username.
Implementation: The account is put in an admin group and set to not expire; these characteristics will attract an adversary. The account, however, is set to be disabled and/or given an allowed logon time of 0. Any attempt to access this account will be flagged by the SIEM.
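Detection logic for the honey account rule above, as an added example that is not from the thread: it runs over constructed Windows Security event lines in a simplified key=value export and flags every authentication event that names a decoy account, successful or not. The decoy names, the event ID list and the log format are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed decoy account names; per the thread they sit in an admin group and
# never expire, but are disabled / have zero allowed logon hours.
HONEY_ACCOUNTS = {"svc_backup_admin", "sqladmin_prod"}

# Any authentication event naming a decoy is an alert, whether it succeeded or not.
AUTH_EVENT_IDS = {4624, 4625, 4768, 4771, 4776}

# Constructed, simplified key=value export of Security events as a SIEM might receive them.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=jsmith IpAddress=10.0.1.15 LogonType=3",
    "EventID=4625 TargetUserName=svc_backup_admin IpAddress=10.0.1.77 LogonType=3",
    "EventID=4768 TargetUserName=sqladmin_prod IpAddress=::ffff:10.0.1.77",
    "EventID=4625 TargetUserName=jsmith IpAddress=10.0.1.15 LogonType=2",
    "EventID=4776 TargetUserName=SVC_BACKUP_ADMIN Workstation=WS-0042",
]

KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    event_id: int
    account: str
    source: str


def parse_event(line):
    """Turn one key=value line into a dict (unknown keys are kept as-is)."""
    return dict(KV.findall(line))


def normalize_ip(ip):
    """Kerberos events (4768/4771) log IPv4-mapped IPv6 addresses; strip the prefix."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def detect_honey_account_use(lines, honey_accounts=HONEY_ACCOUNTS):
    """Return an Alert for every authentication event that names a decoy account."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev.get("EventID", "").isdigit():
            continue  # malformed or non-event line
        event_id = int(ev["EventID"])
        user = ev.get("TargetUserName", "").lower()  # AD usernames are case-insensitive
        if event_id in AUTH_EVENT_IDS and user in honey_accounts:
            source = normalize_ip(ev.get("IpAddress") or ev.get("Workstation", "-"))
            alerts.append(Alert(event_id, user, source))
    return alerts


def sources_by_count(alerts):
    """Group alerts by source so the SIEM rule can prioritise the noisiest host."""
    counts = {}
    for a in alerts:
        counts[a.source] = counts.get(a.source, 0) + 1
    return counts
```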
Tool 4: Honeypot
Purpose: A server that provides a level of deception that tricks attackers into thinking it is vulnerable and has attractive open services. Further annoyance techniques can be set up to waste attackers' time and resources.
Implementation: Implement with connections on both the management and data plane. Allow specific ports to be opened internally (not allowing additional external access). Set up alerts for when it is accessed. Ensure it is ignored by vulnerability/antivirus scanning and other tools.
Tool 5: Honey Ports
Couple with the honeypot. Listens on certain fake ports (providing fake information about what services are open), but only when a TCP connection is established; options can be configured to alert and/or block the offending IP address via iptables if desired.
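A minimal honeyport listener in Python, added here as an example and not the thread's or BHIS's own tool: it only fires once the kernel has completed the TCP handshake (so a half-open SYN scan does not alert), records the source, and returns the iptables block rule instead of executing it. The never-block list (for the vulnerability scanner the thread says must ignore the honeypot) and the decoy port are assumptions.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed: hosts that may legitimately touch the decoy port (e.g. the vulnerability
# scanner) and must never be blocked, otherwise the honeyport can cut off your own tooling.
NEVER_BLOCK = frozenset({"10.0.0.50"})


def block_rule(ip, port):
    """iptables argv that would drop further traffic from ip; returned, not executed."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp", "--dport", str(port), "-j", "DROP"]


def handle_connection(peer_ip, port, never_block=NEVER_BLOCK):
    """Build the alert for one completed connection and decide whether to block the source."""
    block = peer_ip not in never_block
    alert = {"time": datetime.now(timezone.utc).isoformat(), "src_ip": peer_ip,
             "honeyport": port, "action": "alert+block" if block else "alert"}
    return alert, (block_rule(peer_ip, port) if block else None)


def bind_honeyport(host="127.0.0.1", port=0):
    """Bind the decoy listener; port 0 lets the OS pick a free port (used by self_test)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv


def accept_once(srv, never_block=NEVER_BLOCK):
    """Accept one connection and close it at once (no banner). accept() only returns after
    the 3-way handshake completed, so a SYN-only scan never reaches this point."""
    conn, (peer_ip, _) = srv.accept()
    conn.close()
    return handle_connection(peer_ip, srv.getsockname()[1], never_block)


def self_test(never_block=NEVER_BLOCK):
    """Bind on loopback, connect to ourselves once, and return that connection's (alert, cmd)."""
    srv = bind_honeyport()
    port = srv.getsockname()[1]
    out = {}
    worker = threading.Thread(target=lambda: out.update(result=accept_once(srv, never_block)))
    worker.start()
    socket.create_connection(("127.0.0.1", port)).close()
    worker.join(5)
    srv.close()
    return out["result"]


if __name__ == "__main__":
    listener = bind_honeyport("0.0.0.0", 2222)  # constructed decoy port
    while True:
        print(*accept_once(listener))  # in production: ship to SIEM, then apply the rule
```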
Tool 6: Honey Table
Purpose: Create database table entries that are enticing on a honeypot or other database server, and alert when someone accesses them.
Challenges: Ensuring that any tables added into active databases are configured to not allow additional access.
Tool 7: Rita/AI Hunter
Purpose: RITA is an open source framework for network traffic analysis. This open source project, born from Black Hills Information Security, is now developed, funded and supported by Active Countermeasures.
Currently supports the following major features:
Beaconing Detection: Search for signs of beaconing behavior in and out of your network
DNS Tunneling Detection: Search for signs of DNS based covert channels
Blacklist Checking: Query blacklists to search for suspicious domains
Implementation: Implement a Bro/Zeek sensor and a RITA server. The Bro sensor should pick up all traffic that traverses the outbound link to the firewall, via SPAN ports that connect back to the sensor.
Tool 8: Canary Tokens
Purpose: To create a document-based honeypot. Fake documents are left in various areas around the environment with names/data that would entice an attacker. The document beacons back once opened, giving the IP of the person who opened it (attribution).
Implementation: There are a few options in regards to open source or paid software. You can maintain a management server or use an external third party. This method has been used in many government and commercial environments.
Should review with security/legal before implementation.
Tool 9: Continuous File Redirect
Purpose: To annoy an attacker and waste their resources/time by creating a file/folder structure that continues to build on itself indefinitely. Alerting can be set up. Make sure it's not being scanned by AV, the vulnerability scanner, or backups.
As mentioned above, shout out to @strandjs who is the master of Active Defense and teaches great classes on AD strategy and implementation. Definitely check out his blogs on these topics and others @BHinfoSecurity and specifically on using RITA @ActiveCmeasures
I'd love to hear folks' thoughts on these and maybe some other cool techniques!
If you liked this info, give me a follow and check out my blog where I cover various IT/Cyber/Architecture stuff🔥

jbcsec.com/insights/

And sign up for my blog notifications and monthly newsletter 👍

mailchi.mp/e7b56addb7fc/c…