By Zachary Amos, Features Editor at ReHack
Active defense in cybersecurity takes an aggressive stance to deliberately thwart attackers. It’s akin to setting mouse traps rather than just putting out deterrents in hopes the pests stay away. In active cyber defense, cybersecurity teams purposely mislead, annoy or even attack hackers, beating them at their own game. Here are a few techniques they use.
1. Catching Hackers With Honeytokens
This active cyber defense method makes hackers think they’ve stumbled upon a great catch, like a credit card number or patient database. With more than 20% of merchants and billing organizations reporting payment data theft in 2019, many hackers do get away with this scheme. But this time, they’re unwittingly entering a honeypot — a trap designed to lure people in and catch them.
A honeytoken is a type of digital honeypot that tracks the person picking it up. It’s a discreet, hidden tracking software embedded somewhere in a file. When a hacker falls for the bait and steals a file, they take the honeytoken back to their own network — their lair, so to speak — and allow cybersecurity teams to follow them. Learn more about common types of honeytoken traps.
There are several animal metaphors in this cybersecurity technique. If a mole is a traitor, a canary is a snitch. Based on the idea that a canary sings out, a canary trap involves placing a honeytoken inside a file that someone within an organization might steal. This identifier is unique to each person who receives it.
For example, if a company suspects one of its employees is downloading accounting data and selling it on the dark web, the active cyber defense team will hide a honeytoken inside a quarterly report. When the mole downloads the information, the security team will immediately be able to see who they are. The software that identifies the double-crossing employee is the canary.
In 2016, a California hospital experienced a ransomware attack that held its computer systems hostage. Although the hackers didn’t steal any patient data, they forced the hospital to pay $17,000 to regain access to its network after spending over a week relying on paper charts and fax machines.
For threat actors, databases of financial records, street addresses and health data are a gold
mine. Even if they don’t want the data for themselves, hackers can use it to secure a ransom from someone desperate to get it back. That’s why fake databases — and even real ones — are a great place to hide honeytokens.
When an attacker steals a list of contact information or patient records, they unwittingly take the honeytoken with them. This technique allows security teams to track them and pinpoint how they breached the security network. For example, it can reveal that an administrator sent the data in an unsecured email or accidentally left their computer open while grabbing a coffee.
Fake Email Addresses
Another way to set a honeytoken trap is by creating a fake email address. This method preys on hackers’ love of phishing, one of the most common types of cyberattacks.
The fake email address sits untouched on a company’s list of email contacts, and nobody gives it out. However, the security team ensures the address is easy to find on the mail server or some other place with lax security.
There’s only one way the address could receive spam or phishing emails — someone would have to hack the internal email or web server and find the list of all company email addresses. This honeytoken trap reveals that a hacker has stolen the company’s mailing list. It can also let cybersecurity teams work backward to find the person who did it.
2. Using Root Cause Analysis on Deep Alerts
This type of active defense in cybersecurity involves threat hunters performing detection systems log analysis on deep alerts. It analyzes how malware got to the endpoint in a system.
In other words, most businesses have a cybersecurity system with multiple layers. A deep alert means an alarm sounded from deep within a cybersecurity network. When malicious software makes it to the last line of defense — getting past the castle’s moat, locked doors and archers, only to be stopped by the king’s personal guard — threat hunters must try to determine how it got that far. Where are the gaps in the cybersecurity system?
A root cause analysis seeks to answer that question. It’s critical in determining which defenses failed and how, because otherwise, attacks could keep happening.
For example, someone could have compromised login credentials and established a VPN connection to the network. Security specialists can take steps to ensure that type of attack cannot happen again. They can make it difficult and annoying for anyone to breach the company’s defense mechanisms.
3. Hacking Back: A New Type of Active Cyber Defense
This method is the most controversial type of active defense in cybersecurity. In the same way a store clerk might tackle a shoplifter, some cybersecurity teams deliberately damage a hacker’s networks in the process of catching them.
Techniques often involve placing a virus — rather than just a honeytoken — inside important files or decoys, which means anyone downloading the files will get malware on their computer. It’s similar to high-end retailers putting exploding ink capsules on clothes.
In 2016, UK Chancellor Philip Hammond promised to boost active cyber defenses in the government, including adopting hack-back approaches against anyone threatening national security. This eye-for-an-eye approach is often reserved for high-profile attacks and is a legal gray area, so businesses should tread lightly when using it as part of their cybersecurity strategy.
Active Defense in Cybersecurity
Hackers prey on vulnerable people, so it’s little wonder that companies have started taking a more robust approach to security. Active defense in cybersecurity means fending off, misleading or even harming threat actors, showing them that a company isn’t worth targeting. Hackers mean business — but now, businesses do, too.
As the Features Editor at ReHack, Zac Amos writes about cybersecurity, artificial intelligence, and other tech topics. He is a frequent contributor to Brilliance Security Magazine.