Moving to Active Defense: What It Means, How It Works and What You Can Do Now

By Ofer Israeli, CEO and founder, Illusive Networks

Despite the myriad cybersecurity solutions out there, breaches, attacks and exploitations continue. The old approach isn’t working; cybersecurity teams need to move from a passive approach to one that’s more active. And MITRE’s introduction of Shield addresses this directly. MITRE, the federally funded not-for-profit, has made it clear that active defense, rather than the standard whack-a-mole responsive defense, is paramount in the fight against cybercrime.

With the release of their Shield framework, MITRE has shifted the cybersecurity focus to active defense techniques. Government IT teams that know the latest strategies and recommendations put their agencies in a strong position to remain secure.

MITRE Shield introduces active defense

The MITRE Corporation’s goal is to “solve problems for a safer world.” Shield is an active defense knowledge base constructed from over a decade of enemy engagement. With it, MITRE is trying to gather and organize what it has been learning with respect to active defense and adversary engagement. This information ranges from “high-level, CISO-ready considerations of opportunities and objectives to practitioner-friendly discussions of the TTPs available to defenders.” MITRE hopes that Shield will encourage discussion about active defense and how defenders can use this information to get the upper hand.

But what exactly does active defense mean? And what do organizations need to know?

Understanding active defense

Active defense entails the use of limited offensive action and counterattacks to prevent an adversary from taking digital territory or assets. Active defense covers a swathe of activities, including engaging the adversary, basic cyber defensive capabilities, and cyber deception. Taken together, these activities enable IT, teams, to stop current attacks as well as get more insight into the attacker. Then they can prepare more thoroughly for future attacks.

MITRE makes it clear in its discussion of Shield that deception capabilities are a necessity in the modern security stack to truly deter and manage adversaries. In Shield’s new tactic and technique mapping, deception is prominent across eight active defense tactics—channel, collect, contain, detect, disrupt, facilitate, legitimize and test—along with 33 defensive techniques.

What agencies need to know

Government organizations are continuous targets for bad actors, whether it’s nation-state attackers seeing proprietary information or more run-of-the-mill criminals looking to cause chaos and obtain some PII they can exploit.

There is a huge amount of intellectual property within government agencies. A lot of the intellectual property that’s created in the U.S. that is of interest to adversaries is in the DoD supply chain or is being submitted to the U.S. Patent and Trademark office. Government agencies are holding some of the most valuable and sensitive data sets, including lawsuits being handled by the Department of Justice and counterterrorism tracking in the Department of Homeland Security.

Bad actors attempt to sneak into these environments and then gain access to even more impactful information – like stealing the security clearance forms for 20 million people from the Office of Personnel Management. Analysts estimate that critical breaches of government networks have increased by a factor of three to six, depending on the targets.

Agencies also need to know and avoid misconceptions about deception. A prevailing misconception is that deception is synonymous with honeypots, which have been around for a long time and are no longer effective. And to make them as realistic as possible requires a lot of management so that if attackers engage with a honeypot, they won’t be able to detect that it is not a real system and therefore know they’re in the middle of getting caught.

A second misconception is that deception is overly complicated and complex, with comparatively little ROI. Security organizations could enjoy the benefit of using deception technology – which is lightweight and has a low cost of maintenance – but are not engaging because they think it’s an overwhelming, complex approach that they won’t get enough value from.

The reality is that deception technology is not the same as honeypots. That’s how deception began, but it has evolved significantly since then. Today’s deception takes the breadcrumb/deceptive artifact approach that leads attackers on a false trail, which triggers alerts so that defenders can find and stop the attackers in real time. Only unauthorized users know the deceptions exist, as they don’t have any effect on everyday systems, so false positives are dramatically reduced. These aspects of deception technology add tremendous security and financial value to the IT security organization.

Raise your Shield

The attack surface that security teams must secure continues to expand rapidly as attacker tactics evolve – whether through nation-states attack teams, insider threats, for-hire groups or others. The forced digital transformation during the pandemic, and the long-term ramifications that have resulted from it, point to the need for a more robust approach to protecting critical assets. And this is where active defense is key. It is likely that the MITRE Shield will become a standard to measure security proficiency by. Government agencies need to expand that proficiency by including the best practice of deception in their security mix.

About the Author

Having pioneered deception-based cybersecurity, founder and CEO of Illusive Networks Ofer Israeli lead the company at the forefront of the next evolution of cyber defense. Prior to establishing Illusive Networks, Ofer managed development teams based around the globe at Israel’s seminal cybersecurity company Check Point Software Technologies and was a research assistant in the Atom Chip Lab focusing on theoretical Quantum Mechanics. Ofer holds B.Sc. degrees in Computer Science and Physics from Ben-Gurion University of the Negev.

Ofer can be reached on Twitter @ofer_israeli and at https://www.illusivenetworks.com.