What is Active Defense?
Passive Security vs. Active Defense
Determined attackers will spend almost any amount of money, time, and effort to penetrate a victim's network. The traditional passive defense model, which focuses on building ever-higher walls around the perimeter and on better detection systems, is failing. The only option this strategy offers organizations is continuously escalating spending on additional passive measures that do little more than slightly delay the eventual compromise by a targeted attacker, while adversaries overcome those countermeasures at a fraction of the cost. Existing security solutions focus on improving detection rates and swatting away individual intrusions; they do not fundamentally raise the cost and risk to the attacker.
The time has come for us to adopt an Active Defense strategy that instead focuses on raising costs and risks to the adversary and attempts to deter their activities.
Active Defense Strategy
Identify and prevent damage from targeted attacks with the Active Defense strategy. Active Defense supports four primary use cases: attack detection, attribution, flexibility of response, and intelligence dissemination. By deploying technology and applying security-driven intelligence across all four components, organizations can protect their networks from the most persistent and determined adversaries.
- Real-time detection of adversary intrusion attempts into our systems and networks, focused on identifying their unique tradecraft and essential mission objectives rather than easily changeable indicators of compromise (IOCs) such as file hashes, IP addresses, and domain names.
- Attribution of threat actors in order to understand their identities, intent, and mission objectives, both of the intruders themselves and of those who may be tasking them to steal, or who receive, stolen intellectual property.
- Flexibility of response actions that include traditional passive options such as prevention and alerting, but also deception, containment, tying up adversary resources, and creating doubt and confusion while denying them the benefits of their operations. This raises the attackers' costs and lets defenders collect additional intelligence on the adversaries and their tradecraft, while preventing damage to the defenders' own networks.
- Intelligence dissemination to facilitate corrective and deterrent action. This can include real-time information sharing designed to deny the adversary the use of their tradecraft, not just specific tools, against a wide range of victims. It also enables joint action with other industry partners and government agencies to bring civil litigation, trade sanctions, and criminal prosecution against the threat actors.
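The first component, detection keyed on tradecraft rather than on easily changed indicators, is easiest to see side by side with the IOC approach it replaces. The following is an added example written for this page, not code from the original text or from any vendor product. It runs two rules over a handful of constructed process-creation events: one rule matches a known-bad file hash, the other matches the technique (an Office application spawning an executable from a user-writable directory, or a script host with a hidden or encoded command line). The hostnames, paths, hashes, and the rule and field names are all assumptions made for the illustration. When the attacker rebuilds the payload, only the hash changes; the IOC rule goes quiet while the tradecraft rule keeps firing.

```python
"""Added example: IOC-based vs. tradecraft-based detection over constructed
process-creation events. Every host, path, hash and rule name is made up."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (fields are assumptions, not a real schema)."""
    host: str
    parent_image: str
    image: str
    command_line: str
    sha256: str  # hash of the spawned image


# Constructed hashes standing in for two builds of the same dropper.
DROPPER_BUILD_1 = hashlib.sha256(b"constructed dropper build 1").hexdigest()
DROPPER_BUILD_2 = hashlib.sha256(b"constructed dropper build 2").hexdigest()
POWERSHELL_HASH = hashlib.sha256(b"constructed powershell.exe").hexdigest()
SPLWOW64_HASH = hashlib.sha256(b"constructed splwow64.exe").hexdigest()

# IOC feed from an earlier intrusion: only the first build is known.
KNOWN_BAD_HASHES = {DROPPER_BUILD_1}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-nop", "downloadstring", "iex ", "invoke-expression")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ioc_detect(event: ProcessEvent) -> bool:
    """Fires only when the image hash is on the blocklist; a rebuild evades it."""
    return event.sha256 in KNOWN_BAD_HASHES


def tradecraft_detect(event: ProcessEvent) -> bool:
    """Fires on the technique: an Office app spawning a binary from a
    user-writable directory, or a script host with hidden/encoded arguments.
    Recompiling the payload does not change this parent/child relationship."""
    if _basename(event.parent_image) not in OFFICE_APPS:
        return False
    image_lower = event.image.lower()
    from_user_writable = any(d in image_lower for d in USER_WRITABLE_DIRS)
    cmd = event.command_line.lower()
    hidden_script_host = _basename(event.image) in SCRIPT_HOSTS and any(a in cmd for a in SUSPICIOUS_ARGS)
    return from_user_writable or hidden_script_host


def run_detections(events) -> dict:
    """Map each rule name to the hosts it fired on, in event order."""
    hits = {"ioc_hash_match": [], "office_suspicious_child": []}
    for e in events:
        if ioc_detect(e):
            hits["ioc_hash_match"].append(e.host)
        if tradecraft_detect(e):
            hits["office_suspicious_child"].append(e.host)
    return hits


# Constructed sample events: two intrusions using the same tradecraft, one
# encoded-PowerShell variant, and two benign process launches.
EVENTS = [
    ProcessEvent("ws01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Users\bob\AppData\Local\Temp\invoice.exe", "invoice.exe", DROPPER_BUILD_1),
    ProcessEvent("ws02", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Users\alice\AppData\Local\Temp\q4_report.exe", "q4_report.exe", DROPPER_BUILD_2),
    ProcessEvent("ws03", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA", POWERSHELL_HASH),
    ProcessEvent("ws04", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Scripts\backup.ps1", POWERSHELL_HASH),
    ProcessEvent("ws05", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe", SPLWOW64_HASH),
]

if __name__ == "__main__":
    for rule, hosts in run_detections(EVENTS).items():
        print(f"{rule}: {hosts}")
```

The IOC rule catches only the build it has already seen (ws01); the tradecraft rule catches that intrusion, the rebuilt dropper on ws02, and the encoded-PowerShell variant on ws03, while staying quiet for the scheduled backup script and for Word's print helper. In production the parent/child and path checks would be broader and tuned against the environment's own baseline, but the point stands: a rule pinned to the adversary's behaviour forces them to change how they operate, not just which file they ship.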